Overview

overview

10

Static

static

209609199e...f5.exe

windows7_x64

10

209609199e...f5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12-04-2022 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    209609199e47fecdd76a96dabf1f9cf5.exe

  • Size

    372KB

  • MD5

    209609199e47fecdd76a96dabf1f9cf5

  • SHA1

    4ad578096b72f376bd012d3f3ba6a6cd7f162432

  • SHA256

    217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8

  • SHA512

    b8893d5d367afb465420e1c0671510db6b1f4603458a0bd416f5ded0f670f7ccdef37133ddf0049dccd822d6b42b0565a94f7f0530d6093d80cedc4638ae08d9

Score
10/10
loaderbotredline123discoveryinfostealerloaderminerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

123

C2

188.68.205.12:7053

Attributes
  • auth_value

    cba3087b3c1a6a9c43b3f96591452ea2

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • LoaderBot executable 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe
    "C:\Users\Admin\AppData\Local\Temp\209609199e47fecdd76a96dabf1f9cf5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\ProgramData\1.exe
      "C:\ProgramData\1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Users\Public\M3gJNbpqWpct.exe
        "C:\Users\Public\M3gJNbpqWpct.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4972
      • C:\Users\Public\BEgHvre3gJNc.exe
        "C:\Users\Public\BEgHvre3gJNc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7627.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3252
          • C:\Windows\system32\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Connector Protection v1.5.0"
            5⤵
              PID:4480
            • C:\Windows\system32\timeout.exe
              timeout 4
              5⤵
              • Delays execution with timeout.exe
              PID:4688
            • C:\ProgramData\Connector Protection v1.5.0\8d621f52.exe
              "C:\ProgramData\Connector Protection v1.5.0\8d621f52.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:648
              • C:\Users\Admin\AppData\Local\Temp\6048cae8f6c66735.exe
                "C:\Users\Admin\AppData\Local\Temp\6048cae8f6c66735.exe"
                6⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:260
                • C:\ProgramData\MinerFull.exe
                  "C:\ProgramData\MinerFull.exe"
                  7⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4796
                  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2224
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 2224 -s 764
                      9⤵
                      • Program crash
                      PID:3184
                  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4524
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 456 -p 2224 -ip 2224
      1⤵
        PID:1856

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\1.exe
        Filesize

        233KB

        MD5

        a9d9617466a30b874b80d4fd6465f46b

        SHA1

        b6e42e3a1fbc20c78e003b065440733fb1cafe84

        SHA256

        15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57

        SHA512

        ec3d90e3c7b9427ecb9097941a37872c195cc389bf45a78b7c343d7d964fcf999266cee8bea78907cb302d318b74035948b7db760903692e4275d5016d3e1c89

        Download Submit

      • C:\ProgramData\1.exe
        Filesize

        233KB

        MD5

        a9d9617466a30b874b80d4fd6465f46b

        SHA1

        b6e42e3a1fbc20c78e003b065440733fb1cafe84

        SHA256

        15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57

        SHA512

        ec3d90e3c7b9427ecb9097941a37872c195cc389bf45a78b7c343d7d964fcf999266cee8bea78907cb302d318b74035948b7db760903692e4275d5016d3e1c89

        Download Submit

      • C:\ProgramData\Connector Protection v1.5.0\8d621f52.exe
        Filesize

        11.6MB

        MD5

        17bdbfbcf4b2124366b95fab60a80ea8

        SHA1

        abc45dd46b17618a3b9b2fb8929b5f0f5f9b0857

        SHA256

        645b60fca727defd28a810959061cde49043e7e7b6de8c4e4fbeb5340d54f99f

        SHA512

        b5cb2dd77aac8da49db0d3eeef9a78327a69b8dead7de4cc6c84773ead9a9d4efdd652e8a53514ca1f3869057180c36c51501f507b84735e10acdda0c0b9257f

        Download Submit

      • C:\ProgramData\Connector Protection v1.5.0\8d621f52.exe
        Filesize

        11.6MB

        MD5

        17bdbfbcf4b2124366b95fab60a80ea8

        SHA1

        abc45dd46b17618a3b9b2fb8929b5f0f5f9b0857

        SHA256

        645b60fca727defd28a810959061cde49043e7e7b6de8c4e4fbeb5340d54f99f

        SHA512

        b5cb2dd77aac8da49db0d3eeef9a78327a69b8dead7de4cc6c84773ead9a9d4efdd652e8a53514ca1f3869057180c36c51501f507b84735e10acdda0c0b9257f

        Download Submit

      • C:\ProgramData\MinerFull.exe
        Filesize

        4.0MB

        MD5

        5c7bc4cc56f6e6acb801210bc6eda798

        SHA1

        541b6f50091fdc17c2bc8d596c0e202b854fb991

        SHA256

        48f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9

        SHA512

        66558bf8679c264c507a1fb8da2fd81347b339d3786487895f902330d63bf9b44be5a136061b0848801b768fea3e525b934d1b04c2cef959cc878b421c6cbd5d

        Download Submit

      • C:\ProgramData\MinerFull.exe
        Filesize

        4.0MB

        MD5

        5c7bc4cc56f6e6acb801210bc6eda798

        SHA1

        541b6f50091fdc17c2bc8d596c0e202b854fb991

        SHA256

        48f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9

        SHA512

        66558bf8679c264c507a1fb8da2fd81347b339d3786487895f902330d63bf9b44be5a136061b0848801b768fea3e525b934d1b04c2cef959cc878b421c6cbd5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6048cae8f6c66735.exe
        Filesize

        4.8MB

        MD5

        9489434a8fab31dd79424d21a2b2cda3

        SHA1

        3128cf0dc400a3f044973903b4fbb769680a7962

        SHA256

        3b39beabbff1182740563c3d122dd88e243ab21cb18d6ff4be06f13aff8d98fe

        SHA512

        2302dcbe013c12bd473eaa62567a12134d26f5dd006625483ce2f2f2efdc36fbe68761fc9f4d32075a0cb6d78c2697b07ccfb692ce8073139c158d42810f1707

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\6048cae8f6c66735.exe
        Filesize

        4.8MB

        MD5

        9489434a8fab31dd79424d21a2b2cda3

        SHA1

        3128cf0dc400a3f044973903b4fbb769680a7962

        SHA256

        3b39beabbff1182740563c3d122dd88e243ab21cb18d6ff4be06f13aff8d98fe

        SHA512

        2302dcbe013c12bd473eaa62567a12134d26f5dd006625483ce2f2f2efdc36fbe68761fc9f4d32075a0cb6d78c2697b07ccfb692ce8073139c158d42810f1707

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp7627.tmp.bat
        Filesize

        356B

        MD5

        5fa3e132aef485e84f3474c6e9521197

        SHA1

        d12126e5976ab38740166031e26a07003cc8f46c

        SHA256

        fe8aacd4d7079edae4e91f74d746ab44ee7ea6ed40ab7031d2cfda9078882417

        SHA512

        3b58c939f9ea0e3399bfff4db930492cac06d66cc026ea9bb337fa5a56ce1c3d71a9ed684e643fb2568422fb9797143ac2a0e8779e6a46ec5a2761c945e4b2d5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        3.9MB

        MD5

        02569a7a91a71133d4a1023bf32aa6f4

        SHA1

        0f16bcb3f3f085d3d3be912195558e9f9680d574

        SHA256

        8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

        SHA512

        534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        3.9MB

        MD5

        02569a7a91a71133d4a1023bf32aa6f4

        SHA1

        0f16bcb3f3f085d3d3be912195558e9f9680d574

        SHA256

        8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

        SHA512

        534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        3.9MB

        MD5

        02569a7a91a71133d4a1023bf32aa6f4

        SHA1

        0f16bcb3f3f085d3d3be912195558e9f9680d574

        SHA256

        8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

        SHA512

        534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

        Download Submit

      • C:\Users\Public\BEgHvre3gJNc.exe
        Filesize

        42KB

        MD5

        c523d423234494eeb7b60a892d7a4bea

        SHA1

        db992908237ee2ab5c07f4362b9a29516ac09a5d

        SHA256

        98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3

        SHA512

        0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec

        Download Submit

      • C:\Users\Public\BEgHvre3gJNc.exe
        Filesize

        42KB

        MD5

        c523d423234494eeb7b60a892d7a4bea

        SHA1

        db992908237ee2ab5c07f4362b9a29516ac09a5d

        SHA256

        98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3

        SHA512

        0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec

        Download Submit

      • C:\Users\Public\M3gJNbpqWpct.exe
        Filesize

        106KB

        MD5

        64eeb5ab677596ec8516a8414428b5d7

        SHA1

        4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a

        SHA256

        2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3

        SHA512

        16012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439

        Download Submit

      • C:\Users\Public\M3gJNbpqWpct.exe
        Filesize

        106KB

        MD5

        64eeb5ab677596ec8516a8414428b5d7

        SHA1

        4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a

        SHA256

        2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3

        SHA512

        16012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439

        Download Submit

      • memory/260-171-0x00007FFADB5E0000-0x00007FFADC0A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/260-170-0x000001E0AC620000-0x000001E0AC682000-memory.dmp

        Filesize

        392KB

        Download

      • memory/260-172-0x000001E0ACA40000-0x000001E0ACA42000-memory.dmp

        Filesize

        8KB

        Download

      • memory/648-163-0x00000000011C0000-0x00000000011C2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/648-162-0x00007FFADB5E0000-0x00007FFADC0A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2224-180-0x00000000001D0000-0x00000000001E4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2324-144-0x00007FFADB5E0000-0x00007FFADC0A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2324-145-0x0000000002690000-0x0000000002692000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2324-142-0x0000000000510000-0x0000000000520000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2680-131-0x00007FFADCCE0000-0x00007FFADD7A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2680-132-0x00000177A4CD0000-0x00000177A4CD2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2680-130-0x00000177A3040000-0x00000177A30A2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4524-185-0x0000000001F90000-0x0000000001FB0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4524-184-0x0000000001F70000-0x0000000001F90000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4796-176-0x0000000000350000-0x0000000000750000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4972-148-0x0000000004E00000-0x0000000004F0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4972-146-0x0000000005230000-0x0000000005848000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4972-143-0x0000000000340000-0x0000000000360000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4972-147-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4972-156-0x0000000005E00000-0x00000000063A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4972-154-0x0000000005070000-0x00000000050E6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4972-161-0x0000000005CC0000-0x0000000005D26000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4972-149-0x0000000004D70000-0x0000000004DAC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4972-155-0x0000000005190000-0x0000000005222000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4972-157-0x0000000005870000-0x000000000588E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4972-166-0x0000000006800000-0x0000000006850000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4972-165-0x0000000007B30000-0x000000000805C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4972-164-0x0000000007430000-0x00000000075F2000-memory.dmp

        Filesize

        1.8MB

        Download