Overview

overview

10

Static

static

chrom.exe

windows7-x64

10

chrom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2022 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chrom.exe

  • Size

    3.9MB

  • MD5

    d60909eb4d445d948740877e759b7b83

  • SHA1

    dc8a672358fa25efbcefb5e4074aab7acdb413a6

  • SHA256

    2d241ce3d2981c29545a11c13ec0ecd7e021759d35dea0c762bb0c63bb1b555d

  • SHA512

    d10292ff78b4e14569d8b96170d0da905b1beb45a1bd76ff7fe7d43b5b72ef079bae7ce68c01759f46b5fb4fc60d367c1cc78fbc676b3adca947f45f58c18242

  • SSDEEP

    98304:FvJ7zh1f+X5wDg+kkq/0j+TdWRRsuwaxhYDU4PQv2Vph2XpR:RPl+XWkkqMaTdWb0aDv2VpC

Score
10/10
redlineytstealercrypt_mastifdiscoveryinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

Crypt_Mastif

C2

194.36.177.60:81

Attributes
  • auth_value

    26018289184445b16046125f5e616df6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\chrom.exe
    "C:\Users\Admin\AppData\Local\Temp\chrom.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Users\Admin\AppData\Local\Temp\chrom.exe
      C:\Users\Admin\AppData\Local\Temp\chrom.exe
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
        "C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "Get-WmiObject Win32_PortConnector"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\chrom.exe.log
    Filesize

    1KB

    MD5

    7e88081fcf716d85992bb3af3d9b6454

    SHA1

    2153780fbc71061b0102a7a7b665349e1013e250

    SHA256

    5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

    SHA512

    ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    b1fc4b05b3c3ac5a2d02ca72cef44f6b

    SHA1

    29115cca0b7f7b3b80377255289794b7e077fafd

    SHA256

    c557bb63d0b40645f82e1f4cbe5a514fa56e2cf5674a0891b315c86aa9087872

    SHA512

    f25953c6c31d3da2d6ae6dd2e44668c77dbadfae4abe2a07379486ad9100ca6da073f26056e1037e16bb273a7da3010480de7afc40edba051016c1c13a0e52b1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
    Filesize

    4.0MB

    MD5

    eaaad4f36853f423ee62272e125708ff

    SHA1

    71c045b6a66fef5dd1f20faefbce8df88c890788

    SHA256

    1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

    SHA512

    05292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
    Filesize

    4.0MB

    MD5

    eaaad4f36853f423ee62272e125708ff

    SHA1

    71c045b6a66fef5dd1f20faefbce8df88c890788

    SHA256

    1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

    SHA512

    05292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431

    Download Submit
  • memory/364-132-0x0000000000B90000-0x0000000000F76000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/364-133-0x0000000007190000-0x00000000071B2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/936-140-0x0000000007110000-0x000000000778A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/936-139-0x0000000005A80000-0x0000000005A9E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/936-141-0x0000000005F90000-0x0000000005FAA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/936-134-0x0000000000000000-mapping.dmp
    Download
  • memory/936-135-0x0000000002150000-0x0000000002186000-memory.dmp
    Filesize

    216KB

    Download
  • memory/936-138-0x0000000005300000-0x0000000005366000-memory.dmp
    Filesize

    408KB

    Download
  • memory/936-136-0x0000000004BF0000-0x0000000005218000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/936-137-0x0000000005290000-0x00000000052F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3400-152-0x000000000B3E0000-0x000000000B90C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3400-145-0x0000000006390000-0x00000000069A8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3400-149-0x000000000A2B0000-0x000000000A342000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3400-150-0x000000000A900000-0x000000000AEA4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3400-151-0x000000000A700000-0x000000000A8C2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3400-147-0x0000000009020000-0x0000000009032000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3400-153-0x0000000005DF0000-0x0000000005E66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3400-154-0x0000000005E70000-0x0000000005EC0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3400-146-0x00000000090D0000-0x00000000091DA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3400-148-0x0000000009080000-0x00000000090BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3400-142-0x0000000000000000-mapping.dmp
    Download
  • memory/3400-143-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4620-159-0x0000000000150000-0x0000000000F62000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/4620-158-0x0000000000150000-0x0000000000F62000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/4620-155-0x0000000000000000-mapping.dmp
    Download
  • memory/4620-166-0x0000000000150000-0x0000000000F62000-memory.dmp
    Filesize

    14.1MB

    Download
  • memory/4760-160-0x0000000000000000-mapping.dmp
    Download
  • memory/4760-161-0x000001EEE0370000-0x000001EEE0392000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4760-164-0x00007FFFE70A0000-0x00007FFFE7B61000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4760-165-0x00007FFFE70A0000-0x00007FFFE7B61000-memory.dmp
    Filesize

    10.8MB

    Download