Resubmissions
27-07-2021 16:00    210727-9znbap7676    10
27-07-2021 15:56    210727-7ddscz711n    9
27-07-2021 15:53    210727-s128rt44rx    9
Analysis
max time kernel: 294s
max time network: 296s
platform: windows10_x64
resource: win10v20210410
submitted: 27-07-2021 16:00
Static task: static1
General
Target: FrkarR.exe
Size: 6.8MB
MD5: f86cfbbb6316becace4efae11cdfd424
SHA1: 9a27c693283aa2c9d91cb3a40e1bf392c3d42d51
SHA256: d54358095f37e6a9786a5a8997a5d591a015934acefb9da85f79705d81ccdc6f
SHA512: f0b27d490f5a9ee19a055c62995de035a81754d1201912c4e18a3e1b8a96b98df7395f4a12e7c3654cdade406480a51c3dd08cb2a8ee067a67655b017b0f187c
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Executes dropped EXE 2 IoCs
Processes:
pid 2472    process @kitukrit_protected.sfx.exe
pid 4000    process @kitukrit_protected.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description: Key value queried    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    process: @kitukrit_protected.exe
description: Key value queried    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    process: @kitukrit_protected.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe    yara_rule: themida
resource: C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe    yara_rule: themida
resource: behavioral1/memory/4000-126-0x00000000008B0000-0x00000000008B1000-memory.dmp    yara_rule: themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description: Key value queried    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    process: @kitukrit_protected.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid 4000    process @kitukrit_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid 4000    process @kitukrit_protected.exe
pid 4000    process @kitukrit_protected.exe
pid 4000    process @kitukrit_protected.exe
pid 4000    process @kitukrit_protected.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege    pid: 4000    process: @kitukrit_protected.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description: PID 2388 wrote to memory of 2472    pid: 2388    process: FrkarR.exe    target process: @kitukrit_protected.sfx.exe
description: PID 2388 wrote to memory of 2472    pid: 2388    process: FrkarR.exe    target process: @kitukrit_protected.sfx.exe
description: PID 2388 wrote to memory of 2472    pid: 2388    process: FrkarR.exe    target process: @kitukrit_protected.sfx.exe
description: PID 2472 wrote to memory of 4000    pid: 2472    process: @kitukrit_protected.sfx.exe    target process: @kitukrit_protected.exe
description: PID 2472 wrote to memory of 4000    pid: 2472    process: @kitukrit_protected.sfx.exe    target process: @kitukrit_protected.exe
description: PID 2472 wrote to memory of 4000    pid: 2472    process: @kitukrit_protected.sfx.exe    target process: @kitukrit_protected.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\FrkarR.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\FrkarR.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe"
         - Executes dropped EXE
         - Checks BIOS information in registry
         - Checks whether UAC is enabled
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
MD5: bdded61f4e676bf27febc09492b55108
SHA1: 68cabc1095a7f94e6fcbdf04bbe78e61bad097c2
SHA256: 790fb2ce697a68c7ac3734f345b2779b84100f3613954c5cf1b063bc21c67ab4
SHA512: dd81f40e3182ec45f276456655924700f9ff9c81679b8a5a42641b4fca1965d495ef3be50a94e0b6e291e08cbff452d6e18dedceff395e5e04bbd9692253a1fc
C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
MD5: e726f22e50e622b2ca5612e05a247525
SHA1: d11541d1f08fb6212ee60a30cb446821d2e36690
SHA256: 2304084f7a8d97be4c6ae6e5cbac75478a04c4f63093f18bcf713f912a3da5d7
SHA512: aafed566df0333f783bc52f19951679a973e3c8396b68cc3dc5acc9f8f95684ceafcf113a27e0376f8531a9ccda3fb601080725109cfcb067b40151049336fad
memory/2472-116-0x0000000000000000-mapping.dmp
memory/4000-130-0x0000000003D20000-0x0000000003D21000-memory.dmp    Filesize: 4KB
memory/4000-132-0x0000000003E00000-0x0000000003E01000-memory.dmp    Filesize: 4KB
memory/4000-126-0x00000000008B0000-0x00000000008B1000-memory.dmp    Filesize: 4KB
memory/4000-128-0x0000000006BC0000-0x0000000006BC1000-memory.dmp    Filesize: 4KB
memory/4000-129-0x00000000076D0000-0x00000000076D1000-memory.dmp    Filesize: 4KB
memory/4000-121-0x0000000000000000-mapping.dmp
memory/4000-131-0x0000000003CE0000-0x0000000003CE1000-memory.dmp    Filesize: 4KB
memory/4000-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp    Filesize: 1.6MB
memory/4000-133-0x00000000043D0000-0x00000000043D1000-memory.dmp    Filesize: 4KB
memory/4000-134-0x00000000072D0000-0x00000000072D1000-memory.dmp    Filesize: 4KB
memory/4000-135-0x00000000066C0000-0x0000000006BBE000-memory.dmp    Filesize: 5.0MB
memory/4000-136-0x00000000093F0000-0x00000000093F1000-memory.dmp    Filesize: 4KB
memory/4000-137-0x0000000009AF0000-0x0000000009AF1000-memory.dmp    Filesize: 4KB
memory/4000-138-0x0000000009290000-0x0000000009291000-memory.dmp    Filesize: 4KB
memory/4000-139-0x00000000096C0000-0x00000000096C1000-memory.dmp    Filesize: 4KB
memory/4000-140-0x0000000009760000-0x0000000009761000-memory.dmp    Filesize: 4KB