Overview

overview

10

Static

static

Chron.exe

windows7-x64

3

Chron.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2022 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chron.exe

  • Size

    490KB

  • MD5

    f87135178fe6abd26406c9a9d026894a

  • SHA1

    dfcea258c1e56097601f7a5e7fb4e4f9a6aec3eb

  • SHA256

    4905ecda46a5a03e0d6c5a8144ec47063109fc2eb5fbb5e06722080e63eb7394

  • SHA512

    885ec3c0a56ec5247579f85ae83d909c43264c4466dfeab24bb7d2d388f1a3f2abce0136303726384c2c91b2a398d84e8ec09c21ef81c70e74157d21f9c7b251

  • SSDEEP

    6144:FLXU3QBk29LvIY28arOtXNt25Qd9lxtPoCFbfgKrcwny2BHaxK7:5U3yu9WQQT9oCFKwn7B6i

Score
10/10
redlineytstealercrypt_mastif_v1infostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

Crypt_Mastif_V1

C2

194.36.177.60:81

Attributes
  • auth_value

    140a3d1ac14114893f898a1e7e4ba24f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

    stealerytstealer
  • YTStealer payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chron.exe
    "C:\Users\Admin\AppData\Local\Temp\Chron.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:5008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
          "C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "" "Get-WmiObject Win32_PortConnector"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
      Filesize

      4.0MB

      MD5

      eaaad4f36853f423ee62272e125708ff

      SHA1

      71c045b6a66fef5dd1f20faefbce8df88c890788

      SHA256

      1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

      SHA512

      05292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\22windows_64.exe
      Filesize

      4.0MB

      MD5

      eaaad4f36853f423ee62272e125708ff

      SHA1

      71c045b6a66fef5dd1f20faefbce8df88c890788

      SHA256

      1901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901

      SHA512

      05292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431

      Download Submit
    • memory/796-149-0x0000000000000000-mapping.dmp
      Download
    • memory/796-158-0x0000000000DF0000-0x0000000001C02000-memory.dmp
      Filesize

      14.1MB

      Download
    • memory/796-152-0x0000000000DF0000-0x0000000001C02000-memory.dmp
      Filesize

      14.1MB

      Download
    • memory/796-153-0x0000000000DF0000-0x0000000001C02000-memory.dmp
      Filesize

      14.1MB

      Download
    • memory/2272-154-0x0000000000000000-mapping.dmp
      Download
    • memory/2272-156-0x00007FF9BD770000-0x00007FF9BE231000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2272-155-0x000002AD7F810000-0x000002AD7F832000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2272-157-0x00007FF9BD770000-0x00007FF9BE231000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4712-132-0x000001436E780000-0x000001436E800000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4712-137-0x00007FF9DC090000-0x00007FF9DC285000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/4712-136-0x00007FF9BDF90000-0x00007FF9BEA51000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4712-133-0x00007FF9BDF90000-0x00007FF9BEA51000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5004-138-0x0000000005BE0000-0x00000000061F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/5004-147-0x00000000092A0000-0x0000000009462000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/5004-148-0x0000000009FB0000-0x000000000A4DC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/5004-146-0x0000000008570000-0x00000000085C0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/5004-145-0x00000000084F0000-0x0000000008566000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5004-144-0x0000000008400000-0x0000000008466000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5004-143-0x0000000008360000-0x00000000083F2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/5004-142-0x0000000008820000-0x0000000008DC4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5004-141-0x00000000059E0000-0x0000000005A1C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/5004-140-0x00000000057A0000-0x00000000057B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/5004-139-0x0000000006200000-0x000000000630A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/5004-135-0x0000000000422206-mapping.dmp
      Download
    • memory/5004-134-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download