Analysis

max time kernel: 12s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21/12/2021, 01:31

Static task: static1
Behavioral task: behavioral1
Sample: a224fb7e0e9febf8604d6bb34e1f3669.exe
Resource: win7-en-20211208
General

Target: a224fb7e0e9febf8604d6bb34e1f3669.exe
Size: 7.2MB
MD5: a224fb7e0e9febf8604d6bb34e1f3669
SHA1: 1c556d68023668f7e399cb67a211672622fb4bea
SHA256: 4fe1cb64f16f7fa987407a906a4319520972f5a8f5749e3b071a831825559a45
SHA512: 2eea0497ea9a18b67ed516db8afaa885b4a2f6534c5ab3fda6677db42fe5d2c86f4c4cd2bdec346031293a65fe474461c3cd1b3b92593bd2e4450ea8eb559814
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2528-269-0x0000000000419336-mapping.dmp | family_redline
behavioral1/memory/2536-272-0x0000000000419336-mapping.dmp | family_redline

Socelars Payload (1 IoC)
resource | yara_rule
behavioral1/files/0x0006000000012665-140.dat | family_socelars

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x000600000001263f-184.dat | WebBrowserPassView
behavioral1/files/0x000600000001263f-179.dat | WebBrowserPassView
behavioral1/files/0x000600000001263f-115.dat | WebBrowserPassView

Nirsoft (3 IoCs)
resource | yara_rule
behavioral1/files/0x000600000001263f-184.dat | Nirsoft
behavioral1/files/0x000600000001263f-179.dat | Nirsoft
behavioral1/files/0x000600000001263f-115.dat | Nirsoft

Vidar Stealer (1 IoC)
resource | yara_rule
behavioral1/memory/1052-242-0x0000000000400000-0x0000000000539000-memory.dmp | family_vidar

resource | yara_rule
behavioral1/files/0x00060000000125e4-69.dat | aspack_v212_v242
behavioral1/files/0x00060000000125e4-70.dat | aspack_v212_v242
behavioral1/files/0x00060000000125cc-71.dat | aspack_v212_v242
behavioral1/files/0x00060000000125cc-72.dat | aspack_v212_v242
behavioral1/files/0x0006000000012608-75.dat | aspack_v212_v242
behavioral1/files/0x0006000000012608-76.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (14 IoCs)
pid | Process
1760 | setup_installer.exe
1340 | setup_install.exe
1476 | Sat044c660c667.exe
1812 | Sat047a4df7658eb8.exe
904 | Sat04b37a8a0cb44e.exe
1876 | Sat04b57b2b5cd240fd7.exe
1868 | Sat0416a6fea2.exe
828 | Sat047a4df7658eb8.tmp
1800 | Sat04498b5333ea0e4d.exe
1380 | Sat041ad04ef04fb.exe
1480 | Sat041e2cec77924.exe
1052 | Sat04e71d955f.exe
1672 | wmiprvse.exe
1352 | Sat043294c6d0fbd1.exe

Loads dropped DLL (41 IoCs)
pid | Process
1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe
1760 | setup_installer.exe
1760 | setup_installer.exe
1760 | setup_installer.exe
1760 | setup_installer.exe
1760 | setup_installer.exe
1760 | setup_installer.exe
1340 | setup_install.exe
1340 | setup_install.exe
1340 | setup_install.exe
1340 | setup_install.exe
1340 | setup_install.exe
1340 | setup_install.exe
1340 | setup_install.exe
1340 | setup_install.exe
1696 | cmd.exe
1696 | cmd.exe
1688 | cmd.exe
1592 | cmd.exe
1592 | cmd.exe
1476 | Sat044c660c667.exe
1476 | Sat044c660c667.exe
1812 | Sat047a4df7658eb8.exe
1812 | Sat047a4df7658eb8.exe
1504 | cmd.exe
1964 | cmd.exe
1964 | cmd.exe
1960 | cmd.exe
616 | cmd.exe
1812 | Sat047a4df7658eb8.exe
1068 | cmd.exe
1068 | cmd.exe
1296 | cmd.exe
1728 | cmd.exe
1052 | Sat04e71d955f.exe
1052 | Sat04e71d955f.exe
1876 | Sat04b57b2b5cd240fd7.exe
1876 | Sat04b57b2b5cd240fd7.exe
556 | cmd.exe
804 | cmd.exe
804 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2624 | 1352 | WerFault.exe | 52

Delays execution with timeout.exe (1 IoC)
pid | Process
1916 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
1972 | taskkill.exe
2336 | taskkill.exe
2420 | taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1068 wrote to memory of 1760 | 1068 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 27
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1760 wrote to memory of 1340 | 1760 | setup_installer.exe | 28
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1836 | 1340 | setup_install.exe | 30
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1932 | 1340 | setup_install.exe | 31
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1364 | 1340 | setup_install.exe | 32
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1696 | 1340 | setup_install.exe | 33
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1592 | 1340 | setup_install.exe | 34
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1688 | 1340 | setup_install.exe | 35
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1340 wrote to memory of 1296 | 1340 | setup_install.exe | 60
PID 1932 wrote to memory of 1628 | 1932 | cmd.exe | 36
Processes

Process tree (indentation shows parent/child nesting):

- C:\Users\Admin\AppData\Local\Temp\a224fb7e0e9febf8604d6bb34e1f3669.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a224fb7e0e9febf8604d6bb34e1f3669.exe"
  PID: 1068
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    PID: 1760
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\setup_install.exe"
      PID: 1340
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        PID: 1836
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1988
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        PID: 1932
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1628
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat0494d09aa7775.exe
        PID: 1364
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat044c660c667.exe
        PID: 1696
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat044c660c667.exe
          Command line: Sat044c660c667.exe
          PID: 1476
          Signatures: Executes dropped EXE; Loads dropped DLL
          - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat044c660c667.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat044c660c667.exe
            PID: 2528
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat04b37a8a0cb44e.exe
        PID: 1592
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04b37a8a0cb44e.exe
          Command line: Sat04b37a8a0cb44e.exe
          PID: 904
          Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat047a4df7658eb8.exe
        PID: 1688
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat047a4df7658eb8.exe
          Command line: Sat047a4df7658eb8.exe
          PID: 1812
          Signatures: Executes dropped EXE; Loads dropped DLL
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat0416a6fea2.exe
        PID: 1960
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat0416a6fea2.exe
          Command line: Sat0416a6fea2.exe
          PID: 1868
          Signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\control.exe
            Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
            PID: 2080
            - C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
              PID: 2148
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat04b57b2b5cd240fd7.exe
        PID: 1504
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04b57b2b5cd240fd7.exe
          Command line: Sat04b57b2b5cd240fd7.exe
          PID: 1876
          Signatures: Executes dropped EXE; Loads dropped DLL
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat045c167897c8ece.exe
        PID: 1728
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat045c167897c8ece.exe
          Command line: Sat045c167897c8ece.exe
          PID: 1672
          - C:\Users\Admin\AppData\Local\Temp\is-S3MGA.tmp\Sat045c167897c8ece.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-S3MGA.tmp\Sat045c167897c8ece.tmp" /SL5="$101C8,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat045c167897c8ece.exe"
            PID: 744
            - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat045c167897c8ece.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat045c167897c8ece.exe" /SILENT
              PID: 1160
              - C:\Users\Admin\AppData\Local\Temp\is-GFO4N.tmp\Sat045c167897c8ece.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-GFO4N.tmp\Sat045c167897c8ece.tmp" /SL5="$201D0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat045c167897c8ece.exe" /SILENT
                PID: 2172
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat04e71d955f.exe
        PID: 1068
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04e71d955f.exe
          Command line: Sat04e71d955f.exe
          PID: 1052
          Signatures: Executes dropped EXE; Loads dropped DLL
          - C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat04e71d955f.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04e71d955f.exe" & del C:\ProgramData\*.dll & exit
            PID: 3016
            - C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /im Sat04e71d955f.exe /f
              PID: 2420
              Signatures: Kills process with taskkill
            - C:\Windows\SysWOW64\timeout.exe
              Command line: timeout /t 6
              PID: 1916
              Signatures: Delays execution with timeout.exe
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat04a852dfcb0.exe /mixtwo
        PID: 804
        Signatures: Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04a852dfcb0.exe
          Command line: Sat04a852dfcb0.exe /mixtwo
          PID: 1616
          - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04a852dfcb0.exe
            Command line: Sat04a852dfcb0.exe /mixtwo
            PID: 836
            - C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat04a852dfcb0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04a852dfcb0.exe" & exit
              PID: 2436
              - C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /im "Sat04a852dfcb0.exe" /f
                PID: 2336
                Signatures: Kills process with taskkill
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat04c66f5aa6456.exe
        PID: 1588
        - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04c66f5aa6456.exe
          Command line: Sat04c66f5aa6456.exe
          PID: 1564
          - C:\Windows\SysWOW64\control.exe
            Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
            PID: 1388
            - C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
              PID: 440
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat043294c6d0fbd1.exe
        PID: 556
        Signatures: Loads dropped DLL
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat04498b5333ea0e4d.exe
        PID: 1964
        Signatures: Loads dropped DLL
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat041e2cec77924.exe
        PID: 616
        Signatures: Loads dropped DLL
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sat041ad04ef04fb.exe
        PID: 1296
        Signatures: Loads dropped DLL

- C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat041ad04ef04fb.exe
  Command line: Sat041ad04ef04fb.exe
  PID: 1380
  Signatures: Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\is-D263N.tmp\Sat047a4df7658eb8.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-D263N.tmp\Sat047a4df7658eb8.tmp" /SL5="$40120,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat047a4df7658eb8.exe"
  PID: 828
  Signatures: Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat041e2cec77924.exe
  Command line: Sat041e2cec77924.exe
  PID: 1480
  Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\6905ea8e-1d8a-4cdb-9d41-e382e8e96c44.exe
    Command line: "C:\Users\Admin\AppData\Local\6905ea8e-1d8a-4cdb-9d41-e382e8e96c44.exe"
    PID: 2752
  - C:\Users\Admin\AppData\Local\2e6bab40-a145-4b8e-a459-78a26a0dfb1e.exe
    Command line: "C:\Users\Admin\AppData\Local\2e6bab40-a145-4b8e-a459-78a26a0dfb1e.exe"
    PID: 2796
    - C:\Users\Admin\AppData\Roaming\63317954\8939070044789726.exe
      Command line: "C:\Users\Admin\AppData\Roaming\63317954\8939070044789726.exe"
      PID: 2660
  - C:\Users\Admin\AppData\Local\71c4b25c-0cad-4870-a2ee-79a7847a87c8.exe
    Command line: "C:\Users\Admin\AppData\Local\71c4b25c-0cad-4870-a2ee-79a7847a87c8.exe"
    PID: 2856
  - C:\Users\Admin\AppData\Local\66c58d56-c29d-449b-a067-212f2d193069.exe
    Command line: "C:\Users\Admin\AppData\Local\66c58d56-c29d-449b-a067-212f2d193069.exe"
    PID: 2908
  - C:\Users\Admin\AppData\Local\eebe79a8-5a6b-4f88-afb2-34cfe9874152.exe
    Command line: "C:\Users\Admin\AppData\Local\eebe79a8-5a6b-4f88-afb2-34cfe9874152.exe"
    PID: 2328
    - C:\Users\Admin\AppData\Roaming\8808046.exe
      Command line: "C:\Users\Admin\AppData\Roaming\8808046.exe"
      PID: 2692

- C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04498b5333ea0e4d.exe
  Command line: Sat04498b5333ea0e4d.exe
  PID: 1800
  Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04498b5333ea0e4d.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat04498b5333ea0e4d.exe
    PID: 2536

- C:\Users\Admin\AppData\Local\Temp\7zS0E6ADDC5\Sat043294c6d0fbd1.exe
  Command line: Sat043294c6d0fbd1.exe
  PID: 1352
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 2580
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 1972
      Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1532
    PID: 2624
    Signatures: Program crash

- C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID: 1672
  Signatures: Executes dropped EXE