Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2022 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    3.9MB

  • MD5

    d60909eb4d445d948740877e759b7b83

  • SHA1

    dc8a672358fa25efbcefb5e4074aab7acdb413a6

  • SHA256

    2d241ce3d2981c29545a11c13ec0ecd7e021759d35dea0c762bb0c63bb1b555d

  • SHA512

    d10292ff78b4e14569d8b96170d0da905b1beb45a1bd76ff7fe7d43b5b72ef079bae7ce68c01759f46b5fb4fc60d367c1cc78fbc676b3adca947f45f58c18242

  • SSDEEP

    98304:FvJ7zh1f+X5wDg+kkq/0j+TdWRRsuwaxhYDU4PQv2Vph2XpR:RPl+XWkkqMaTdWb0aDv2VpC

Score
10/10
redlineytstealercrypt_mastifdiscoveryinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

Crypt_Mastif

C2

194.36.177.60:81

Attributes
  • auth_value

    26018289184445b16046125f5e616df6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1312
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
        "C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
    Filesize

    1KB

    MD5

    7e88081fcf716d85992bb3af3d9b6454

    SHA1

    2153780fbc71061b0102a7a7b665349e1013e250

    SHA256

    5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

    SHA512

    ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    2fa3c163449dce4a79f324a6c96286fb

    SHA1

    f575ab12432c7bb6afc58a4093f62464244c3cf6

    SHA256

    9aac36402f8d17e64c675c608f79670a013fab2bfc101e21fb668058179ce41f

    SHA512

    f6e2446e3ba463782dca06db2a5294bff5d020f89157999fbbc7c7fee7791b881a1e54efd12aa5222cb81a8f78779c7598499300086764e6e77347a0aa7bac11

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
    Filesize

    4.0MB

    MD5

    eaaad4f36853f423ee62272e125708ff

    SHA1

    71c045b6a66fef5dd1f20faefbce8df88c890788

    SHA256

    1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

    SHA512

    05292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
    Filesize

    4.0MB

    MD5

    eaaad4f36853f423ee62272e125708ff

    SHA1

    71c045b6a66fef5dd1f20faefbce8df88c890788

    SHA256

    1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

    SHA512

    05292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431

    Download Submit
  • memory/876-132-0x0000000000FA0000-0x0000000001386000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/876-133-0x00000000099B0000-0x00000000099D2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1312-140-0x0000000007390000-0x0000000007A0A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1312-141-0x0000000006210000-0x000000000622A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1312-134-0x0000000000000000-mapping.dmp
    Download
  • memory/1312-138-0x00000000056C0000-0x0000000005726000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1312-135-0x0000000002710000-0x0000000002746000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1312-139-0x0000000005D10000-0x0000000005D2E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1312-136-0x0000000005020000-0x0000000005648000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1312-137-0x0000000005650000-0x00000000056B6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2444-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2444-165-0x00000000005E0000-0x00000000013F2000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/2444-159-0x00000000005E0000-0x00000000013F2000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/2444-158-0x00000000005E0000-0x00000000013F2000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/3224-146-0x00000000064A0000-0x00000000065AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3224-148-0x00000000092E0000-0x000000000931C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3224-153-0x000000000B160000-0x000000000B1D6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3224-154-0x000000000B1E0000-0x000000000B230000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3224-151-0x000000000B8A0000-0x000000000BA62000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3224-150-0x000000000A520000-0x000000000A5B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3224-149-0x000000000AA00000-0x000000000AFA4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3224-152-0x000000000BFA0000-0x000000000C4CC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3224-147-0x00000000063F0000-0x0000000006402000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3224-142-0x0000000000000000-mapping.dmp
    Download
  • memory/3224-143-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3224-145-0x00000000065C0000-0x0000000006BD8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4672-161-0x0000022037F00000-0x0000022037F22000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4672-164-0x00007FFD0F8C0000-0x00007FFD10381000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4672-160-0x0000000000000000-mapping.dmp
    Download
  • memory/4672-166-0x00007FFD0F8C0000-0x00007FFD10381000-memory.dmp
    Filesize

    10.8MB

    Download