Overview

overview

10

Static

static

33815ECF51...36.exe

windows7_x64

10

33815ECF51...36.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-06-2021 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33815ECF51B4A2F18811FBA9ED999D36.exe

  • Size

    2.5MB

  • MD5

    33815ecf51b4a2f18811fba9ed999d36

  • SHA1

    709cde4326af52f644cf00d260af65bdd0cbf5e1

  • SHA256

    2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301

  • SHA512

    d3e1669d4e60d180a9bcd6b87f2c376be69bb7bebf6a73f0503ab65e4770354b71adcfc0688444ccf9a4d57fff32542f29bbcf12bc9686f347fa8ae8eaac82f5

Score
10/10
diamondfoxredlinetaurus002botnetdiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

002

C2

piporopopo.com:54367

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus
  • Taurus Stealer Payload 1 IoCs
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 34 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe
      "C:\Users\Admin\AppData\Local\Temp\33815ECF51B4A2F18811FBA9ED999D36.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/2E9wY5
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:840
      • C:\Users\Admin\AppData\Roaming\Control.dll
        "C:\Users\Admin\AppData\Roaming\Control.dll" -s -psfgvedfsbetdfhgbefsdtgretgdhdgersfhbetfsgrsfhasgsdg
        3⤵
        • Executes dropped EXE
        PID:1596
      • C:\Users\Admin\AppData\Roaming\curl.dll
        "C:\Users\Admin\AppData\Roaming\curl.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        PID:1808
      • C:\Users\Admin\AppData\Roaming\autorun.dll
        "C:\Users\Admin\AppData\Roaming\autorun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Users\Admin\AppData\Roaming\autorun.exe
          "C:\Users\Admin\AppData\Roaming\autorun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:1440
      • C:\Users\Admin\AppData\Roaming\sistemes.dll
        "C:\Users\Admin\AppData\Roaming\sistemes.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Users\Admin\AppData\Roaming\sistemes.exe
          "C:\Users\Admin\AppData\Roaming\sistemes.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1616
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /tn Windows\MicrosoftVisualStudio /tr "C:\ProgramData\Microsoft Visual Studio\getmac.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
            5⤵
            • Creates scheduled task(s)
            PID:1944
      • C:\Users\Admin\AppData\Roaming\laun.dll
        "C:\Users\Admin\AppData\Roaming\laun.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Users\Admin\AppData\Roaming\laun.exe
          "C:\Users\Admin\AppData\Roaming\laun.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1316
      • C:\Users\Admin\AppData\Roaming\der.dll
        "C:\Users\Admin\AppData\Roaming\der.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Users\Admin\AppData\Roaming\der.exe
          "C:\Users\Admin\AppData\Roaming\der.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of UnmapMainImage
          PID:1948
          • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
            "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of UnmapMainImage
            PID:1236
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2120
      • C:\Users\Admin\AppData\Roaming\Tausuus.dll
        "C:\Users\Admin\AppData\Roaming\Tausuus.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:968
        • C:\Users\Admin\AppData\Roaming\Tausuus.exe
          "C:\Users\Admin\AppData\Roaming\Tausuus.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of UnmapMainImage
          PID:868
          • C:\Windows\SysWOW64\cmd.exe
            /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\Tausuus.exe
            5⤵
              PID:2596
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 3
                6⤵
                • Delays execution with timeout.exe
                PID:2628
        • C:\Users\Admin\AppData\Roaming\red.dll
          "C:\Users\Admin\AppData\Roaming\red.dll" -s -pfhnrstya4rfhjnterast24wrhetfygr
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2024
          • C:\Users\Admin\AppData\Roaming\red.exe
            "C:\Users\Admin\AppData\Roaming\red.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            PID:1428
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {15586C17-690A-4E9A-BAC9-EAFFAE73F82D} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
      1⤵
        PID:2768

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/564-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/868-159-0x0000000000400000-0x0000000000646000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1200-124-0x0000000003980000-0x0000000003995000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1236-174-0x0000000000400000-0x0000000000641000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1316-122-0x0000000000400000-0x0000000000635000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1316-123-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1428-182-0x0000000004B44000-0x0000000004B46000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1428-165-0x0000000004B42000-0x0000000004B43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1428-167-0x00000000009D0000-0x00000000009E7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1428-161-0x0000000000400000-0x000000000063B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1428-166-0x0000000004B43000-0x0000000004B44000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1428-163-0x00000000005D0000-0x00000000005E9000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1428-164-0x0000000004B41000-0x0000000004B42000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1440-90-0x00000000001A0000-0x00000000001A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1440-91-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1616-107-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1948-138-0x0000000000400000-0x0000000000641000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2120-201-0x0000000006240000-0x0000000006241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-179-0x0000000004790000-0x0000000004791000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-183-0x00000000010C0000-0x00000000010C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-184-0x0000000005290000-0x0000000005291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-185-0x000000007EF30000-0x000000007EF31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-188-0x0000000006070000-0x0000000006071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-193-0x0000000006000000-0x0000000006001000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-194-0x00000000060E0000-0x00000000060E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-180-0x0000000001152000-0x0000000001153000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-202-0x00000000062B0000-0x00000000062B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-216-0x00000000065C0000-0x00000000065C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-217-0x00000000065D0000-0x00000000065D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-177-0x0000000001150000-0x0000000001151000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2120-178-0x0000000000910000-0x0000000000911000-memory.dmp

        Filesize

        4KB

        Download