Analysis
-
max time kernel
209s -
max time network
223s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
29-01-2023 14:36
General
-
Target
8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
-
Size
893KB
-
MD5
fcaba1be07ff24ecbc53df4eda744298
-
SHA1
5f793f1ec29377213eb80556b8819f7f7fefefdd
-
SHA256
8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997
-
SHA512
bcde87620a2590e05ac78b9a8777d1f6c51cfdc68b5a283ca15fdf7942cb288996c9d935b883d70aaca5f887f75ad5230304b263b69ad784a2f4d089cac2c9ae
-
SSDEEP
24576:lIbVFZC10w1sepi8Hx28WdNizMMTTdcvcCJM3pEGppDrIko:lILA1T1poMx28MNizMKor6uGp
Malware Config
Signatures
-
Detects PlugX payload 3 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 21 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe"C:\Users\Admin\AppData\Local\Temp\8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWinstaller.exe"C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWinstaller.exe" Partner=33372⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe"C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
-
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe"C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet3⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe"C:\Program Files (x86)\Overwolf\\OverwolfUpdater.exe" /Register4⤵
-
-
C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfTSHelper.exe"C:\Program Files (x86)\Overwolf\\0.116.2.25\OverwolfTSHelper.exe" /RegServer4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
MD50940e7945d3e5d199ca74c5c483178a3
SHA18c56b19a69c61f3b2ae24bcaa341464b7e08bc56
SHA2563a856e811bf36233f3f982fd0c71abfae44dd53111a1612421d6bdf8305645f9
SHA512814cf2c113c656a931675b19b6b422bbff83018083741425d83244108a3d799803e5ce054689301c49ec011572cb633686be7e6d20e0099137a902b8bbfa93a0
-
Filesize
244.3MB
MD5a3c7b34e775d6323ab88616580d5e1e0
SHA19bd707ef8a5107313405886fceccb659e70de3c7
SHA256d678b995cb7c6f58996d41e5bd815aadc3df4a58ab008d433c2870265816a246
SHA51287d9c85477a7eba5bb0aa00bd14960655b6bfa45182facde80ef3bcfe8dd5f705195158b3b5985a3deb74712cb0d594082109efb979d40fb5911cf0826f17fa9
-
Filesize
244.3MB
MD5a3c7b34e775d6323ab88616580d5e1e0
SHA19bd707ef8a5107313405886fceccb659e70de3c7
SHA256d678b995cb7c6f58996d41e5bd815aadc3df4a58ab008d433c2870265816a246
SHA51287d9c85477a7eba5bb0aa00bd14960655b6bfa45182facde80ef3bcfe8dd5f705195158b3b5985a3deb74712cb0d594082109efb979d40fb5911cf0826f17fa9
-
Filesize
244.3MB
MD5a3c7b34e775d6323ab88616580d5e1e0
SHA19bd707ef8a5107313405886fceccb659e70de3c7
SHA256d678b995cb7c6f58996d41e5bd815aadc3df4a58ab008d433c2870265816a246
SHA51287d9c85477a7eba5bb0aa00bd14960655b6bfa45182facde80ef3bcfe8dd5f705195158b3b5985a3deb74712cb0d594082109efb979d40fb5911cf0826f17fa9
-
Filesize
190KB
MD55c252f1bbeb9c18ec94c3697855a7ea5
SHA1dd2d259a1924baef5be20d79036e156cd82f0f72
SHA256e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb
SHA512885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c
-
Filesize
190KB
MD55c252f1bbeb9c18ec94c3697855a7ea5
SHA1dd2d259a1924baef5be20d79036e156cd82f0f72
SHA256e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb
SHA512885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c
-
Filesize
190KB
MD55c252f1bbeb9c18ec94c3697855a7ea5
SHA1dd2d259a1924baef5be20d79036e156cd82f0f72
SHA256e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb
SHA512885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c
-
Filesize
190KB
MD55c252f1bbeb9c18ec94c3697855a7ea5
SHA1dd2d259a1924baef5be20d79036e156cd82f0f72
SHA256e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb
SHA512885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c
-
Filesize
169KB
MD5567103638bb0c81cf9bd86f727ea12ac
SHA1ddc03ea66412f11b5975092f92067a85d29d17b1
SHA25637dd96230521a91dc7eba0d0a4fe8726b4405562b1a96363a01e28334bde94fd
SHA5121d64a197489ea45e21a89ec535ca0282eed47ade40589dee31de865870ddb91ffc0921a5eacea89ddf9bc1d9b93bb7edf6f6c3148a18a9611df87be0fc369fa4
-
Filesize
169KB
MD5567103638bb0c81cf9bd86f727ea12ac
SHA1ddc03ea66412f11b5975092f92067a85d29d17b1
SHA25637dd96230521a91dc7eba0d0a4fe8726b4405562b1a96363a01e28334bde94fd
SHA5121d64a197489ea45e21a89ec535ca0282eed47ade40589dee31de865870ddb91ffc0921a5eacea89ddf9bc1d9b93bb7edf6f6c3148a18a9611df87be0fc369fa4
-
Filesize
24KB
MD5640bff73a5f8e37b202d911e4749b2e9
SHA19588dd7561ab7de3bca392b084bec91f3521c879
SHA256c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA51239c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
-
Filesize
24KB
MD5640bff73a5f8e37b202d911e4749b2e9
SHA19588dd7561ab7de3bca392b084bec91f3521c879
SHA256c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA51239c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
-
Filesize
24KB
MD5640bff73a5f8e37b202d911e4749b2e9
SHA19588dd7561ab7de3bca392b084bec91f3521c879
SHA256c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA51239c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
-
Filesize
24KB
MD5640bff73a5f8e37b202d911e4749b2e9
SHA19588dd7561ab7de3bca392b084bec91f3521c879
SHA256c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
SHA51239c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a
-
Filesize
44KB
MD50f96d9eb959ad4e8fd205e6d58cf01b8
SHA17c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA25657ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA5129f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c
-
Filesize
44KB
MD50f96d9eb959ad4e8fd205e6d58cf01b8
SHA17c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA25657ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA5129f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c
-
Filesize
11KB
MD57399323923e3946fe9140132ac388132
SHA1728257d06c452449b1241769b459f091aabcffc5
SHA2565a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1
-
Filesize
4KB
MD59301577ff4d229347fe33259b43ef3b2
SHA15e39eb4f99920005a4b2303c8089d77f589c133d
SHA256090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc
SHA51277dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79
-
Filesize
88KB
MD5bd97d86d8bd07ebdc8ec662a3f31dfd5
SHA15e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82
SHA256c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922
SHA5124575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a
-
Filesize
88KB
MD5bd97d86d8bd07ebdc8ec662a3f31dfd5
SHA15e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82
SHA256c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922
SHA5124575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a
-
Filesize
88KB
MD5bd97d86d8bd07ebdc8ec662a3f31dfd5
SHA15e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82
SHA256c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922
SHA5124575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a
-
Filesize
88KB
MD5bd97d86d8bd07ebdc8ec662a3f31dfd5
SHA15e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82
SHA256c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922
SHA5124575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a
-
Filesize
1.8MB
MD5c2f4d3e0a24f4c1aefc19ef652584020
SHA184eb726913ce4100ed7a86d2be6f290aa884bda2
SHA2568935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154
SHA5122a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e
-
Filesize
1.8MB
MD5c2f4d3e0a24f4c1aefc19ef652584020
SHA184eb726913ce4100ed7a86d2be6f290aa884bda2
SHA2568935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154
SHA5122a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e
-
Filesize
190B
MD54bf2a039cd2cf37cf37c19f2912996e0
SHA113d480c222d586a70fe568f45b499e6039e63cdb
SHA256ec7c6bc4205712a0a78c68f7f0f762ac7e62276720a61a6877a94f6a573f0aa7
SHA5120d69fa9238aad43d205926f92706bfa566eeab96ca213a22d8bdac8e414484b10c4a507a4f4deef058afa9c170e6a3be6c3b0196b290f5809da456860770e22c
-
Filesize
11KB
MD57399323923e3946fe9140132ac388132
SHA1728257d06c452449b1241769b459f091aabcffc5
SHA2565a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1
-
Filesize
4KB
MD59301577ff4d229347fe33259b43ef3b2
SHA15e39eb4f99920005a4b2303c8089d77f589c133d
SHA256090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc
SHA51277dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79
-
Filesize
63KB
MD520863859dad63ca0638db7eed4ea6b80
SHA140e894a8bd5b58c162b52117ddde0fa785bcbfd3
SHA256ec51e07941dc87526b7056204a679a9a88459d040704a44bf394a49d73c19aa4
SHA512e06e8f40ea73d108cf7826a88fa349e34109fda96e5d3f9c7f16a35d7457f83cc103a94da6d4141c2c6ff3fef9f0b4555e0702267018dfbb1036f502a4b15998
-
Filesize
196KB
-
Filesize
5.7MB
-
Filesize
48KB
-
Filesize
116KB
-
Filesize
16KB