Analysis

  • max time kernel
    153s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2022, 10:26

General

  • Target

    2d1f283056afba3e59b97ba5d2e3c36c.exe

  • Size

    290KB

  • MD5

    2d1f283056afba3e59b97ba5d2e3c36c

  • SHA1

    18fbb5c92a65a542efc33c4e000befc7f4b72116

  • SHA256

    ed1c41a20c214c391ae549808e0dea31c731a284df551bab65eeef58aa8b0923

  • SHA512

    95413dbadc9fbaf53c54c8583fbd6d1e1bd4102ba3f4288603e055711859c8ac61ca9519fe2c16005ecfa7d985c8342ba37931f1cd8a8f2313ddec91f76b129b

  • SSDEEP

    3072:m71zXZ1wMA4fCbMROmbiF7SN4Q+LcjGraJSjonbl5O:BMKbMROmbitmmcjxHD

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Wallets

45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8

Attributes
  • payload_urls

    http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet/shared/xmrig.exe

Extracted

Family

redline

Botnet

installs-49

C2

94.140.112.157:29329

Attributes
  • auth_value

    f137ab12b29192785aff1f9a524f0090

Signatures

  • Detects Smokeloader packer 1 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d1f283056afba3e59b97ba5d2e3c36c.exe
    "C:\Users\Admin\AppData\Local\Temp\2d1f283056afba3e59b97ba5d2e3c36c.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3944
  • C:\Users\Admin\AppData\Local\Temp\D8AD.exe
    C:\Users\Admin\AppData\Local\Temp\D8AD.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\Miner.exe
      "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4028
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
            PID:1260
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2788
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f
            4⤵
            • Creates scheduled task(s)
            PID:1052
          • C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
            "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4672
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1580
              5⤵
              • Program crash
              PID:1212
      • C:\Users\Admin\AppData\Local\Temp\installs49.exe
        "C:\Users\Admin\AppData\Local\Temp\installs49.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1240
        2⤵
        • Program crash
        PID:1344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4412 -ip 4412
    1⤵
    PID:4764
  • C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    1⤵
    • Executes dropped EXE
    PID:3116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4672 -ip 4672
    1⤵
    PID:2596

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Miner.exe.log
    Filesize: 612B
    MD5: 81ab0e59097e03cb04c32378024d6628
    SHA1: cc2a7a335f905e787906b6a0820acfbd4c5d0ed2
    SHA256: 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533
    SHA512: 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb

  • C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
    Filesize: 16KB
    MD5: d1b22ce6e0f11c1b8283a85d9f902bbd
    SHA1: 8593038e651f856367d094b4541dd7cbffb8e7a3
    SHA256: 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
    SHA512: d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

  • C:\Users\Admin\AppData\Local\Temp\D8AD.exe
    Filesize: 436KB
    MD5: f1ae38e744808d4df42eed53c896323a
    SHA1: 0d0edac38a4e1a1c073aa99fc1009230a05deb74
    SHA256: 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439
    SHA512: b23262fd0709c2cdf2702bab85a39ffeeebc28644e268ddecf5861bef6307b3f92c50a73b5725fa1a8578033c446bd957277224a24ed7ccd806bf3d0a77376d6

  • C:\Users\Admin\AppData\Local\Temp\Miner.exe
    Filesize: 16KB
    MD5: d1b22ce6e0f11c1b8283a85d9f902bbd
    SHA1: 8593038e651f856367d094b4541dd7cbffb8e7a3
    SHA256: 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8
    SHA512: d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed

  • C:\Users\Admin\AppData\Local\Temp\installs49.exe
    Filesize: 88KB
    MD5: 24f5400ea175ed8a981c5f4184587ac4
    SHA1: 24b9e12675b4e5f389eb01d6c423e123909d02d9
    SHA256: 3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4
    SHA512: 4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669

  • memory/344-146-0x0000000000C70000-0x0000000000C7A000-memory.dmp
    Filesize: 40KB
  • memory/344-147-0x00000000054F0000-0x0000000005556000-memory.dmp
    Filesize: 408KB
  • memory/3944-132-0x0000000002BFC000-0x0000000002C0C000-memory.dmp
    Filesize: 64KB
  • memory/3944-133-0x0000000004790000-0x0000000004799000-memory.dmp
    Filesize: 36KB
  • memory/3944-134-0x0000000000400000-0x0000000002B92000-memory.dmp
    Filesize: 39.6MB
  • memory/3944-135-0x0000000000400000-0x0000000002B92000-memory.dmp
    Filesize: 39.6MB
  • memory/4412-139-0x0000000002DAC000-0x0000000002DE1000-memory.dmp
    Filesize: 212KB
  • memory/4412-140-0x0000000002D10000-0x0000000002D52000-memory.dmp
    Filesize: 264KB
  • memory/4412-142-0x0000000000400000-0x0000000002BB6000-memory.dmp
    Filesize: 39.7MB
  • memory/4412-141-0x0000000007220000-0x00000000077C4000-memory.dmp
    Filesize: 5.6MB
  • memory/4412-159-0x0000000002DAC000-0x0000000002DE1000-memory.dmp
    Filesize: 212KB
  • memory/4412-160-0x0000000000400000-0x0000000002BB6000-memory.dmp
    Filesize: 39.7MB
  • memory/4712-157-0x0000000005700000-0x000000000580A000-memory.dmp
    Filesize: 1.0MB
  • memory/4712-158-0x0000000005630000-0x000000000566C000-memory.dmp
    Filesize: 240KB
  • memory/4712-156-0x00000000055D0000-0x00000000055E2000-memory.dmp
    Filesize: 72KB
  • memory/4712-155-0x0000000006630000-0x0000000006C48000-memory.dmp
    Filesize: 6.1MB
  • memory/4712-165-0x00000000059C0000-0x0000000005A52000-memory.dmp
    Filesize: 584KB
  • memory/4712-154-0x0000000000D30000-0x0000000000D4C000-memory.dmp
    Filesize: 112KB
  • memory/4712-167-0x00000000064F0000-0x0000000006540000-memory.dmp
    Filesize: 320KB
  • memory/4712-168-0x0000000006C50000-0x0000000006CC6000-memory.dmp
    Filesize: 472KB
  • memory/4712-169-0x0000000006EA0000-0x0000000007062000-memory.dmp
    Filesize: 1.8MB
  • memory/4712-170-0x00000000075A0000-0x0000000007ACC000-memory.dmp
    Filesize: 5.2MB
  • memory/4712-171-0x0000000007110000-0x000000000712E000-memory.dmp
    Filesize: 120KB