Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
28-06-2022 12:43
Static task
static1
Behavioral task
behavioral1
Sample
905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
Resource
win10v2004-20220414-en
General
-
Target
905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
-
Size
218KB
-
MD5
387af1d8f0c82fa1111931c2cad2f912
-
SHA1
7dc4b93f1c6031512ea2f232741740292f0d3232
-
SHA256
905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a
-
SHA512
d72c4a04ff54c3d9c22e0c22eb843f420ee7ba423ebc9ed77e72bf6477fbbcbfc756c2e8003bcae63e2ef63330dc878f482cf300877841484be8d31437696d31
Malware Config
Extracted
redline
mario2
193.106.191.129:80
-
auth_value
4ef7e3fec3a418b2f0233b604d0560d9
Signatures
-
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
resource yara_rule behavioral1/memory/3688-158-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
-
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 4944 7DFA.exe 4496 93D5.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4944 set thread context of 3688 4944 7DFA.exe 97 -
Program crash 1 IoCs
pid pid_target Process procid_target 916 2848 WerFault.exe 93 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3896 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe 3896 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3020 Process not Found -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 3896 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeDebugPrivilege 3688 InstallUtil.exe Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found Token: SeShutdownPrivilege 3020 Process not Found Token: SeCreatePagefilePrivilege 3020 Process not Found -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3020 wrote to memory of 4944 3020 Process not Found 91 PID 3020 wrote to memory of 4944 3020 Process not Found 91 PID 3020 wrote to memory of 4944 3020 Process not Found 91 PID 3020 wrote to memory of 4496 3020 Process not Found 92 PID 3020 wrote to memory of 4496 3020 Process not Found 92 PID 3020 wrote to memory of 4496 3020 Process not Found 92 PID 3020 wrote to memory of 2848 3020 Process not Found 93 PID 3020 wrote to memory of 2848 3020 Process not Found 93 PID 3020 wrote to memory of 2848 3020 Process not Found 93 PID 3020 wrote to memory of 2848 3020 Process not Found 93 PID 3020 wrote to memory of 3892 3020 Process not Found 96 PID 3020 wrote to memory of 3892 3020 Process not Found 96 PID 3020 wrote to memory of 3892 3020 Process not Found 96 PID 4944 wrote to memory of 3688 4944 7DFA.exe 97 PID 4944 wrote to memory of 3688 4944 7DFA.exe 97 PID 4944 wrote to memory of 3688 4944 7DFA.exe 97 PID 4944 wrote to memory of 3688 4944 7DFA.exe 97 PID 4944 wrote to memory of 3688 4944 7DFA.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe"C:\Users\Admin\AppData\Local\Temp\905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3896
-
C:\Users\Admin\AppData\Local\Temp\7DFA.exeC:\Users\Admin\AppData\Local\Temp\7DFA.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
-
C:\Users\Admin\AppData\Local\Temp\93D5.exeC:\Users\Admin\AppData\Local\Temp\93D5.exe1⤵
- Executes dropped EXE
PID:4496
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 8722⤵
- Program crash
PID:916
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2848 -ip 28481⤵PID:992
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3892
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5df9cc49add3e01f23c63b0f73469f752
SHA16f8199ae9280e13671f5eb5715b093cd93f6732e
SHA256b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419
SHA51209100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5
-
Filesize
1.6MB
MD5df9cc49add3e01f23c63b0f73469f752
SHA16f8199ae9280e13671f5eb5715b093cd93f6732e
SHA256b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419
SHA51209100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5
-
Filesize
6.6MB
MD5a840af25865513286606284b38490add
SHA13ab6eaaa2457f3afc1a37645152a91efa95751af
SHA25626923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad
SHA512fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6
-
Filesize
6.6MB
MD5a840af25865513286606284b38490add
SHA13ab6eaaa2457f3afc1a37645152a91efa95751af
SHA25626923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad
SHA512fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6