Overview

overview

10

Static

static

8.exe

windows7_x64

10

8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294181s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    11-04-2022 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8.exe

  • Size

    1.4MB

  • MD5

    d1a30dcdf2bc6b49b6472ca8bd35751b

  • SHA1

    874e9436d4f9fb6e752b5937f032186501bf16aa

  • SHA256

    03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8

  • SHA512

    b3eeef39477c6776ad78ee14c08fff7173ae8ad7ca1caea77ae5602dd122dddfa02837d5d062eb687aa211ddc931b3d9d1c8c3725d30e684f84057aed5ee28aa

Score
10/10
phoenixstealerredlineinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

104.244.76.137:4487

Attributes
  • auth_value

    67c42657a2dc51f3323efd90a04a2b03

Signatures

  • PhoenixStealer

    PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.

    stealerphoenixstealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\Temp\s.exe
      "C:\Windows\Temp\s.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell.exe -windowstyle hidden Sleep 5
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -windowstyle hidden Sleep 5
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:324
    • C:\Windows\Temp\setup.exe
      "C:\Windows\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:1608
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f
          3⤵
            PID:1064
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
            3⤵
            • Creates scheduled task(s)
            PID:1732
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
            3⤵
            • Creates scheduled task(s)
            PID:1908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1880
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 624 -s 1524
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:1420
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\Temp\run.bat" "
          2⤵
          • Drops startup file
          PID:2000
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\Temp\lol.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://methodmedia.biz/?p=gmzgcobuge5gi3bpgu4dkmbz
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1304
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {FA1BF699-5957-4E42-94CB-93DD7881C57B} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
        1⤵
          PID:1332

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          a1094d52470a8136c83239e8a4d36d1b

          SHA1

          fd3cc4c7d35f4d354648019b8964ef2e79ca00ec

          SHA256

          3a0c74e5fcabd5eebaacac939aca3e83299d6137f15ee8aa1f0d8efcf5323465

          SHA512

          5f8fedf9367f719cdfbafd2ac6bcc9b1b4e855d6cf974184d9f1a256b5e51e9c401284b31ad27c0b86f3c6d2e33116d4250ea3e8bb9f5a8b30d862b0adc35439

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JOYPMATB.txt
          Filesize

          604B

          MD5

          7d18a8da6bb6bf7f889a3f3968c3919d

          SHA1

          8ec528621a2141c3ba688fec2fbe9b4deb797df9

          SHA256

          b824c28bc86f9aead14325cbc7813a0452b0a95cfa4ddea227b7998c515f98eb

          SHA512

          3be783f023268376e44c575ba695134cb94224079fee9999981aa0efce8a313c97479a67c17e388f2bc186cc9efaf73eddc8d81e00b7169063d5981613e48dea

          Download Submit

        • C:\Windows\Temp\lol.bat
          Filesize

          62B

          MD5

          f95588de9545bb2369f424377a4c0289

          SHA1

          9e8e0876df2171cbca169e90965442f106cb0600

          SHA256

          70915616ff58efa0206685c04e9c3a1a02fc0a0e8a5396509552b1903d9c8097

          SHA512

          56d82f43863d181af70ce5b943ed9f23b1a18523cfc322cebce17a7f823ebf97420a2d38478fd4839bbcb1f9f659ad9bde965f7891e192b17dc4610e02b5b6f4

          Download Submit

        • C:\Windows\Temp\run.bat
          Filesize

          98B

          MD5

          731afe244b2414169a5f630d52646e56

          SHA1

          e3771ccdccd8c306ee5fc4f264cfc3310690458c

          SHA256

          6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

          SHA512

          84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

          Download Submit

        • C:\Windows\Temp\s.exe
          Filesize

          614KB

          MD5

          26e7d1de60933536b0fe88155a58724e

          SHA1

          6f2d643aa280b99fe8e40dcfb8d799c73c840256

          SHA256

          d0dc93ebcbc2f3e24319777c569ddf1bffb5fea53246d0ab89c5ae1bfc7b8372

          SHA512

          aa086b456b8c7e2f1327e25eeef11bd7af897808ed552fe02ee53bc4407c702a53a3faf2ed33541de35b4c42c0490afb5a1323c15dff32bcc845b0225c4ab1fb

          Download Submit

        • C:\Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • C:\Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          614KB

          MD5

          26e7d1de60933536b0fe88155a58724e

          SHA1

          6f2d643aa280b99fe8e40dcfb8d799c73c840256

          SHA256

          d0dc93ebcbc2f3e24319777c569ddf1bffb5fea53246d0ab89c5ae1bfc7b8372

          SHA512

          aa086b456b8c7e2f1327e25eeef11bd7af897808ed552fe02ee53bc4407c702a53a3faf2ed33541de35b4c42c0490afb5a1323c15dff32bcc845b0225c4ab1fb

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          614KB

          MD5

          26e7d1de60933536b0fe88155a58724e

          SHA1

          6f2d643aa280b99fe8e40dcfb8d799c73c840256

          SHA256

          d0dc93ebcbc2f3e24319777c569ddf1bffb5fea53246d0ab89c5ae1bfc7b8372

          SHA512

          aa086b456b8c7e2f1327e25eeef11bd7af897808ed552fe02ee53bc4407c702a53a3faf2ed33541de35b4c42c0490afb5a1323c15dff32bcc845b0225c4ab1fb

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          614KB

          MD5

          26e7d1de60933536b0fe88155a58724e

          SHA1

          6f2d643aa280b99fe8e40dcfb8d799c73c840256

          SHA256

          d0dc93ebcbc2f3e24319777c569ddf1bffb5fea53246d0ab89c5ae1bfc7b8372

          SHA512

          aa086b456b8c7e2f1327e25eeef11bd7af897808ed552fe02ee53bc4407c702a53a3faf2ed33541de35b4c42c0490afb5a1323c15dff32bcc845b0225c4ab1fb

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          878KB

          MD5

          7ca028a19309e87b89273d2e90b07bea

          SHA1

          44d849174cd79f41dc16bd13b6c5d653d88a514d

          SHA256

          de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

          SHA512

          f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

          Download Submit

        • memory/324-128-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/324-137-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/324-136-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/324-135-0x000000000041BCAE-mapping.dmp

          Download

        • memory/324-130-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/624-72-0x000000013FE40000-0x000000013FE48000-memory.dmp

          Filesize

          32KB

          Download

        • memory/624-113-0x0000000000A20000-0x0000000000A4C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/624-120-0x000000001BA96000-0x000000001BAB5000-memory.dmp

          Filesize

          124KB

          Download

        • memory/624-61-0x0000000000000000-mapping.dmp

          Download

        • memory/624-99-0x000000001BA90000-0x000000001BA92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/624-96-0x0000000000140000-0x0000000000148000-memory.dmp

          Filesize

          32KB

          Download

        • memory/624-95-0x00000000009C0000-0x0000000000A26000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1048-65-0x0000000000000000-mapping.dmp

          Download

        • memory/1064-117-0x0000000000000000-mapping.dmp

          Download

        • memory/1420-139-0x0000000000000000-mapping.dmp

          Download

        • memory/1428-94-0x0000000003210000-0x0000000003310000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1428-93-0x0000000001D70000-0x0000000001DD0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1428-58-0x0000000000000000-mapping.dmp

          Download

        • memory/1600-69-0x0000000000000000-mapping.dmp

          Download

        • memory/1600-97-0x0000000073C50000-0x00000000741FB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1600-98-0x00000000023C0000-0x000000000300A000-memory.dmp

          Filesize

          12.3MB

          Download

        • memory/1608-115-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-107-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-105-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-108-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-101-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-111-0x0000000000453B8C-mapping.dmp

          Download

        • memory/1608-110-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-119-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-100-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1608-103-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1732-118-0x0000000000000000-mapping.dmp

          Download

        • memory/1808-54-0x0000000074FF1000-0x0000000074FF3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1880-123-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1880-122-0x0000000000000000-mapping.dmp

          Download

        • memory/1880-127-0x0000000002754000-0x0000000002757000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1880-124-0x000007FEEC330000-0x000007FEECE8D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1880-146-0x000000001B710000-0x000000001BA0F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1880-147-0x000000000275B000-0x000000000277A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1880-126-0x0000000002752000-0x0000000002754000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1880-125-0x0000000002750000-0x0000000002752000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1908-121-0x0000000000000000-mapping.dmp

          Download

        • memory/1996-66-0x0000000000000000-mapping.dmp

          Download

        • memory/2000-64-0x0000000000000000-mapping.dmp

          Download