Analysis
-
max time kernel
91s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 01:27
Static task
static1
Behavioral task
behavioral1
Sample
Chron.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Chron.exe
Resource
win10v2004-20220812-en
General
-
Target
Chron.exe
-
Size
490KB
-
MD5
f87135178fe6abd26406c9a9d026894a
-
SHA1
dfcea258c1e56097601f7a5e7fb4e4f9a6aec3eb
-
SHA256
4905ecda46a5a03e0d6c5a8144ec47063109fc2eb5fbb5e06722080e63eb7394
-
SHA512
885ec3c0a56ec5247579f85ae83d909c43264c4466dfeab24bb7d2d388f1a3f2abce0136303726384c2c91b2a398d84e8ec09c21ef81c70e74157d21f9c7b251
-
SSDEEP
6144:FLXU3QBk29LvIY28arOtXNt25Qd9lxtPoCFbfgKrcwny2BHaxK7:5U3yu9WQQT9oCFKwn7B6i
Malware Config
Extracted
redline
Crypt_Mastif_V1
194.36.177.60:81
-
auth_value
140a3d1ac14114893f898a1e7e4ba24f
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/5004-134-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral2/memory/5004-135-0x0000000000422206-mapping.dmp family_redline -
YTStealer payload 2 IoCs
resource yara_rule behavioral2/memory/796-153-0x0000000000DF0000-0x0000000001C02000-memory.dmp family_ytstealer behavioral2/memory/796-158-0x0000000000DF0000-0x0000000001C02000-memory.dmp family_ytstealer -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 796 22windows_64.exe -
resource yara_rule behavioral2/files/0x0006000000022f54-150.dat upx behavioral2/files/0x0006000000022f54-151.dat upx behavioral2/memory/796-152-0x0000000000DF0000-0x0000000001C02000-memory.dmp upx behavioral2/memory/796-153-0x0000000000DF0000-0x0000000001C02000-memory.dmp upx behavioral2/memory/796-158-0x0000000000DF0000-0x0000000001C02000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4712 set thread context of 5004 4712 Chron.exe 83 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4712 Chron.exe 4712 Chron.exe 5004 InstallUtil.exe 5004 InstallUtil.exe 2272 powershell.exe 2272 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4712 Chron.exe Token: SeDebugPrivilege 5004 InstallUtil.exe Token: SeDebugPrivilege 2272 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4712 wrote to memory of 5008 4712 Chron.exe 82 PID 4712 wrote to memory of 5008 4712 Chron.exe 82 PID 4712 wrote to memory of 5008 4712 Chron.exe 82 PID 4712 wrote to memory of 5008 4712 Chron.exe 82 PID 4712 wrote to memory of 5008 4712 Chron.exe 82 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 4712 wrote to memory of 5004 4712 Chron.exe 83 PID 5004 wrote to memory of 796 5004 InstallUtil.exe 90 PID 5004 wrote to memory of 796 5004 InstallUtil.exe 90 PID 796 wrote to memory of 2272 796 22windows_64.exe 92 PID 796 wrote to memory of 2272 796 22windows_64.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chron.exe"C:\Users\Admin\AppData\Local\Temp\Chron.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵PID:5008
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD5eaaad4f36853f423ee62272e125708ff
SHA171c045b6a66fef5dd1f20faefbce8df88c890788
SHA2561901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
SHA51205292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431
-
Filesize
4.0MB
MD5eaaad4f36853f423ee62272e125708ff
SHA171c045b6a66fef5dd1f20faefbce8df88c890788
SHA2561901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
SHA51205292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431