Overview

overview

10

Static

static

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2022 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    7.8MB

  • MD5

    785ec578688eea5954c58fc5aaae01db

  • SHA1

    631e3dcb1e26ca403dcb27b3b8ca02e43fb7f892

  • SHA256

    de422863cd1d6fc32ed020e93643e24f11dfed84d7ac62de2b8e9d0b38563237

  • SHA512

    085683845f328b1675676297bbaec7634daf8aae4391d82fc66bbad6a36b1f630a6ab7184b3ad7701fb1922d53bab8f70101261124bc3bb85e1b8a8e964f20eb

Score
10/10
redlineytstealerinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

C2

185.200.191.18:80

Attributes
  • auth_value

    34e02e45e2e86edae48817cd60b40271

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe
      C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:223484
        • C:\Users\Admin\AppData\Local\Temp\Starter.exe
          "C:\Users\Admin\AppData\Local\Temp\Starter.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 219968
        3⤵
        • Program crash
        PID:223684
    • C:\Users\Admin\AppData\Roaming\5172511927.exe
      C:\Users\Admin\AppData\Roaming\5172511927.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "" "Get-WmiObject Win32_PortConnector"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:224044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4968 -ip 4968
    1⤵
      PID:223560

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Starter.exe
      Filesize

      18KB

      MD5

      3d41fe66e7592eb35c5ef99a83fce2a4

      SHA1

      5dc2984ceb1a169b5571267159c43f1b0e5d757d

      SHA256

      7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

      SHA512

      9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Starter.exe
      Filesize

      18KB

      MD5

      3d41fe66e7592eb35c5ef99a83fce2a4

      SHA1

      5dc2984ceb1a169b5571267159c43f1b0e5d757d

      SHA256

      7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

      SHA512

      9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

      Download Submit

    • C:\Users\Admin\AppData\Roaming\5172511927.exe
      Filesize

      4.0MB

      MD5

      78efab6b59d6eb880a806d39a0a5a674

      SHA1

      eb090ebe308976a84529ce5f10326242004a1323

      SHA256

      c6ac05d2e8cda9f3b3e9f15c33e49f6396a325e83cff62bff1ca7ca932206329

      SHA512

      15f8f302a3eea8a02d9005d216197c4b6824a64f564c8cbc77155ce5c503ca61e1cf69668d18e9cb44ab68189a4a35a0343cdefd8743285fc6a3871a99704f36

      Download Submit

    • C:\Users\Admin\AppData\Roaming\5172511927.exe
      Filesize

      4.0MB

      MD5

      78efab6b59d6eb880a806d39a0a5a674

      SHA1

      eb090ebe308976a84529ce5f10326242004a1323

      SHA256

      c6ac05d2e8cda9f3b3e9f15c33e49f6396a325e83cff62bff1ca7ca932206329

      SHA512

      15f8f302a3eea8a02d9005d216197c4b6824a64f564c8cbc77155ce5c503ca61e1cf69668d18e9cb44ab68189a4a35a0343cdefd8743285fc6a3871a99704f36

      Download Submit

    • C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe
      Filesize

      3.9MB

      MD5

      c5abc9e1019040b141907c6d3083cf23

      SHA1

      415d2ba3fbb41b59fce4d7563d6eacd415c9075d

      SHA256

      8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

      SHA512

      7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

      Download Submit

    • C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe
      Filesize

      3.9MB

      MD5

      c5abc9e1019040b141907c6d3083cf23

      SHA1

      415d2ba3fbb41b59fce4d7563d6eacd415c9075d

      SHA256

      8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

      SHA512

      7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

      Download Submit

    • memory/2988-136-0x0000000000070000-0x0000000000E82000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/2988-141-0x0000000000070000-0x0000000000E82000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/2988-155-0x0000000000070000-0x0000000000E82000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/2988-132-0x0000000000000000-mapping.dmp

      Download

    • memory/4056-168-0x0000000005720000-0x000000000572A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4056-167-0x0000000000E00000-0x0000000000E0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4056-164-0x0000000000000000-mapping.dmp

      Download

    • memory/4968-137-0x0000000000400000-0x0000000000A9D000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4968-130-0x0000000000000000-mapping.dmp

      Download

    • memory/223484-161-0x0000000007370000-0x0000000007532000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/223484-151-0x0000000004E60000-0x0000000004E9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/223484-142-0x0000000000000000-mapping.dmp

      Download

    • memory/223484-143-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/223484-156-0x0000000006150000-0x00000000061B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/223484-157-0x0000000006350000-0x00000000063C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/223484-158-0x00000000064A0000-0x0000000006532000-memory.dmp

      Filesize

      584KB

      Download

    • memory/223484-159-0x0000000006AF0000-0x0000000007094000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/223484-160-0x0000000006560000-0x000000000657E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/223484-148-0x0000000005480000-0x0000000005A98000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/223484-162-0x0000000008180000-0x00000000086AC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/223484-163-0x00000000071F0000-0x0000000007240000-memory.dmp

      Filesize

      320KB

      Download

    • memory/223484-150-0x0000000004F70000-0x000000000507A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/223484-149-0x0000000002990000-0x00000000029A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/224044-153-0x000001D83C4B0000-0x000001D83C4D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/224044-152-0x0000000000000000-mapping.dmp

      Download

    • memory/224044-154-0x00007FFB8C9D0000-0x00007FFB8D491000-memory.dmp

      Filesize

      10.8MB

      Download