Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2022 05:14

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220715-en

General
Target: tmp.exe
Size: 107KB
MD5: f8a7a4c5d75bfda7dbadf09e3a39e089
SHA1: 4527a2ff764c084e55c190d98824ef664a6f1892
SHA256: 6bb0ee5036962c86db2292f5ccd21d63a22cbb17a6937c0d89b53ea97b77e8e6
SHA512: 54887714264f38063eb6166b3d77ba949ddf2b70d169f5d24fdddadb4cee8572d25031b0bcb0ecaa87deccce7b4449d41e7017debf2db7933598c9f18bd735e1
Malware Config

Extracted: redline
cheat
nicehash.at:1338
auth_value: 8095fccd90c93353aaa1fc77bca0ff3f

Extracted: quasar
1.4.0
Office04
nicehash.at:4000
dc4bad02-e33b-461d-8bb2-c976586d2ac0
encryption_key: 51DF8E701C6F05B28BEC40BEB21419EF5FEC8A38
install_name: Client.exe
log_directory: Logs
reconnect_delay: 300
startup_key: JavaClient Startup
subdirectory: JavaTools

Extracted: bitrat
1.38
nicehash.at:6000
communication_password: 74963e9852aafd36ba521fa22b39e244
install_dir: localappdata
install_file: Java.exe
tor_process: tor
Signatures
Quasar payload 5 IoCs
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\qsr.exe: family_quasar
- C:\Users\Admin\AppData\Local\Temp\qsr.exe: family_quasar
- behavioral2/memory/2148-146-0x0000000000450000-0x00000000004D4000-memory.dmp: family_quasar
- C:\Users\Admin\AppData\Roaming\JavaTools\Client.exe: family_quasar
- C:\Users\Admin\AppData\Roaming\JavaTools\Client.exe: family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
resource / yara_rule:
- behavioral2/memory/844-130-0x0000000000700000-0x0000000000720000-memory.dmp: family_redline
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
pid / process:
- 2148 qsr.exe
- 4384 bit.exe
- 3440 Client.exe

UPX packed file 4 IoCs
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\bit.exe: upx
- C:\Users\Admin\AppData\Local\Temp\bit.exe: upx
- behavioral2/memory/4384-151-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
- behavioral2/memory/4384-163-0x0000000000400000-0x00000000007E4000-memory.dmp: upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation (tmp.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / process:
- Set value (str): \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\localappdata\\Java.exe" (bit.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid / process:
- 4384 bit.exe (4 events)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid / process:
- 844 tmp.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description / pid / process:
- Token: SeDebugPrivilege, 844 tmp.exe
- Token: SeDebugPrivilege, 2148 qsr.exe
- Token: SeDebugPrivilege, 3440 Client.exe
- Token: SeShutdownPrivilege, 4384 bit.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid / process:
- 4384 bit.exe
- 4384 bit.exe
- 3440 Client.exe
Suspicious use of WriteProcessMemory 11 IoCs
description / pid / process / target process:
- PID 844 wrote to memory of 2148: tmp.exe -> qsr.exe
- PID 844 wrote to memory of 2148: tmp.exe -> qsr.exe
- PID 844 wrote to memory of 4384: tmp.exe -> bit.exe
- PID 844 wrote to memory of 4384: tmp.exe -> bit.exe
- PID 844 wrote to memory of 4384: tmp.exe -> bit.exe
- PID 2148 wrote to memory of 4304: qsr.exe -> schtasks.exe
- PID 2148 wrote to memory of 4304: qsr.exe -> schtasks.exe
- PID 2148 wrote to memory of 3440: qsr.exe -> Client.exe
- PID 2148 wrote to memory of 3440: qsr.exe -> Client.exe
- PID 3440 wrote to memory of 640: Client.exe -> schtasks.exe
- PID 3440 wrote to memory of 640: Client.exe -> schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 844
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\qsr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qsr.exe"
    PID: 2148
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "JavaClient Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\qsr.exe" /rl HIGHEST /f
      PID: 4304
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\JavaTools\Client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\JavaTools\Client.exe"
      PID: 3440
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks" /create /tn "JavaClient Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\JavaTools\Client.exe" /rl HIGHEST /f
        PID: 640
        - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\bit.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bit.exe"
    PID: 4384
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
C:\Users\Admin\AppData\Local\Temp\bit.exe
  Filesize: 1.4MB
  MD5: c8fa9d8cf4ff8780466a34d8d5d43594
  SHA1: 1902971da5e39dccc308207ab77a7e1c987c31cd
  SHA256: 772f6645c35033bb27c15d96b3c9fc58bc7feca6b06e5a0479157b75987e2214
  SHA512: 9a87c3fc220fdc6f959fb9a5bfe6b526a003a4d1fd473581ba3d044bdf4cb3fffe531a5b56b87ea243a787da80a10372ff932457f069dd174be9654681f44c03

C:\Users\Admin\AppData\Local\Temp\qsr.exe
  Filesize: 502KB
  MD5: 63ff62dafb5b4bed02a24c9738bbd899
  SHA1: b255bbb04d6166aa173ca5b447ef53ab46f53cb2
  SHA256: 754a413b433a1f829bd215bfcd26d3a1e0cbdb09a7c3b8586e3d9d19bd4d7ed0
  SHA512: 77e1cbb6d897497590f778e2efd66f895c01df35f1348d084aee513225760c702ff1d3ae45a631ec3868a19a8bb3aa5ef93c2e234002c7b7f9175891ce1992fc

C:\Users\Admin\AppData\Roaming\JavaTools\Client.exe (same file as qsr.exe, copied to the Quasar install path)
  Filesize: 502KB
  MD5: 63ff62dafb5b4bed02a24c9738bbd899
  SHA1: b255bbb04d6166aa173ca5b447ef53ab46f53cb2
  SHA256: 754a413b433a1f829bd215bfcd26d3a1e0cbdb09a7c3b8586e3d9d19bd4d7ed0
  SHA512: 77e1cbb6d897497590f778e2efd66f895c01df35f1348d084aee513225760c702ff1d3ae45a631ec3868a19a8bb3aa5ef93c2e234002c7b7f9175891ce1992fc