recordbreaker | b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9

General

Target

b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe
Size

991KB
MD5

dd7c0c58450314880d48eeece29c0fd4
SHA1

ea3c53e23a5ced8a6f01c96e7837597e62899bbb
SHA256

b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9
SHA512

e6322a123e1783ead529049ef3b888cd8750ed3815e7725ea1c249e3c5797f0944e37eb6055df867d43db8a85845177330ef9e4b9a085034f065347c6e2d5a4b

Score

10^/10

recordbreaker stealer suricata

Malware Config

Extracted

Family

recordbreaker

C2

http://146.70.124.71

Signatures

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1776	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1988	powershell.exe
884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1988	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	27
PID 884 wrote to memory of 1988	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	27
PID 884 wrote to memory of 1988	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	27
PID 884 wrote to memory of 1988	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	27
PID 884 wrote to memory of 944	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	29
PID 884 wrote to memory of 944	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	29
PID 884 wrote to memory of 944	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	29
PID 884 wrote to memory of 944	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	29
PID 944 wrote to memory of 1776	944	cmd.exe	31
PID 944 wrote to memory of 1776	944	cmd.exe	31
PID 944 wrote to memory of 1776	944	cmd.exe	31
PID 944 wrote to memory of 1776	944	cmd.exe	31
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32
PID 884 wrote to memory of 1532	884	b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe	32

C:\Users\Admin\AppData\Local\Temp\b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe
"C:\Users\Admin\AppData\Local\Temp\b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 15
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 15
    3⤵
    - Delays execution with timeout.exe
    PID:1776
- C:\Users\Admin\AppData\Local\Temp\b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe
  C:\Users\Admin\AppData\Local\Temp\b03a3100651c153d710c4f4778cb428c3723d936c428e757b7d17354243eacb9.exe
  2⤵
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-61-0x00000000011B0000-0x000000000126E000-memory.dmp

Filesize
760KB

Download
memory/884-55-0x0000000000C50000-0x0000000000D0C000-memory.dmp

Filesize
752KB

Download
memory/884-54-0x0000000001280000-0x000000000137E000-memory.dmp

Filesize
1016KB

Download
memory/884-62-0x0000000004A50000-0x0000000004A9C000-memory.dmp

Filesize
304KB

Download
memory/1532-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1988-60-0x0000000071D30000-0x00000000722DB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-59-0x0000000071D30000-0x00000000722DB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-58-0x0000000071D30000-0x00000000722DB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-57-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing