Analysis

  • max time kernel
    44s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/08/2022, 00:12

General

  • Target

    f8afeeab30c1ef52199dfabc7be6d4c6.exe

  • Size

    175KB

  • MD5

    f8afeeab30c1ef52199dfabc7be6d4c6

  • SHA1

    b306886efbdc6b38af5292f232c83cac3af8fb49

  • SHA256

    537967a4ff0594af46c09bf023eb4964af5a9bf2ef902acc2000e53addeba193

  • SHA512

    3a3a1b469f6925090fef244551cd7b6bdbca72c58010bb3660386d78a80416b096a6e788bb715667a6bfe42516b1fdf711f575cfa3a9e240b2bb350778c24ca7

  • SSDEEP

    3072:tTHr/+PDJ8K+7V1T4rlIZPFpTJYyvqtWroLwyrxfiWpiOwIm12i/tWo1Vz8xo:NrGPuKW10rCYCq8xyrtWOwIm1v/V1VE

Malware Config

Extracted

Family

redline

C2

78.24.216.5:42717

Attributes
  • auth_value

    6687e352a0604d495c3851d248ebf06f

Extracted

Family

raccoon

Botnet

ea6e085210142782ca765e8e63fe811d

C2

http://206.188.196.200/

rc4.plain

Signatures

  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe
    "C:\Users\Admin\AppData\Local\Temp\f8afeeab30c1ef52199dfabc7be6d4c6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\8999.exe
      "C:\Users\Admin\AppData\Local\Temp\8999.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe
      "C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe"
      2⤵
      • Executes dropped EXE
      PID:1704

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

          Filesize

          57KB

          MD5

          b167ba266d25d54ae5d7a85b6d30309e

          SHA1

          1e2e2c9934a6276529b39c784597026ffb2336b8

          SHA256

          595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2

          SHA512

          3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

        • C:\Users\Admin\AppData\Local\Temp\8999.exe

          Filesize

          107KB

          MD5

          46c9e711e372e5400396c316aee84ef2

          SHA1

          87d69acf7d1aa5c14d589f2675b762d31df4f045

          SHA256

          649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278

          SHA512

          b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88

        • C:\Users\Admin\AppData\Local\Temp\8999.exe

          Filesize

          107KB

          MD5

          46c9e711e372e5400396c316aee84ef2

          SHA1

          87d69acf7d1aa5c14d589f2675b762d31df4f045

          SHA256

          649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278

          SHA512

          b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88

        • \Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

          Filesize

          57KB

          MD5

          b167ba266d25d54ae5d7a85b6d30309e

          SHA1

          1e2e2c9934a6276529b39c784597026ffb2336b8

          SHA256

          595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2

          SHA512

          3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

        • \Users\Admin\AppData\Local\Temp\2.0.1-beta.exe

          Filesize

          57KB

          MD5

          b167ba266d25d54ae5d7a85b6d30309e

          SHA1

          1e2e2c9934a6276529b39c784597026ffb2336b8

          SHA256

          595a15ed654f8c7ffcd47dd71fa637f6be7cbf2524b7867aa7c941df3f681cf2

          SHA512

          3b52e2fff5e17bb034c49acc90dd73972ea24237789e99cf89e1eb30831d4de94e2d3c3a445a06449cd30c4abd517f13b7584ee45c3a875e82c1310dfaa31370

        • \Users\Admin\AppData\Local\Temp\8999.exe

          Filesize

          107KB

          MD5

          46c9e711e372e5400396c316aee84ef2

          SHA1

          87d69acf7d1aa5c14d589f2675b762d31df4f045

          SHA256

          649c7ce4e1f7fa6cbc84427bc59f02c3aee0d5147e020d78ad5098b0edfd9278

          SHA512

          b75d0c2523967595894d11e82e549117597cc52c3cc3521fbdb0e8f64c14842a0648a5ac2afc6d5a24f7d35985639513a093ac9ca86f19a2a5d9824a8a7fae88

        • memory/832-54-0x0000000001030000-0x0000000001062000-memory.dmp

          Filesize

          200KB

        • memory/832-55-0x0000000075921000-0x0000000075923000-memory.dmp

          Filesize

          8KB

        • memory/1708-60-0x0000000000DD0000-0x0000000000DF0000-memory.dmp

          Filesize

          128KB