Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2022 16:36

General

  • Target

    18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe

  • Size

    231KB

  • MD5

    801d35bad81609af210c455e11d2f13d

  • SHA1

    f3e56dde38c5d425d196ab218859a87250c1c0c3

  • SHA256

    18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518

  • SHA512

    95b36568c332e5a812d057a288b880b7161459b9b1474282f7cd843d5ff4c709c979fb00f04dc796098722662f1155f6cdf6e7da471e2eb732f05a8c48b96df9

  • SSDEEP

    3072:Vni+LdxD4qH5W5EWfLv+tU6o+D8wxqUMTOLtJ/33bRS1w7RkxmJZs:V3L3D4qqEQL167jFigJ/7E1GymI

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Extracted

Family

aurora

C2

195.43.142.218:8081

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

  • Detects Smokeloader packer 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
    "C:\Users\Admin\AppData\Local\Temp\18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4888
  • C:\Users\Admin\AppData\Local\Temp\EC59.exe
    C:\Users\Admin\AppData\Local\Temp\EC59.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:2112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:4688
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:4968
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:3432
  • C:\Users\Admin\AppData\Local\Temp\EFF3.exe
    C:\Users\Admin\AppData\Local\Temp\EFF3.exe
    1⤵
    • Executes dropped EXE
    PID:2264
  • C:\Users\Admin\AppData\Local\Temp\F2C3.exe
    C:\Users\Admin\AppData\Local\Temp\F2C3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:940
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 252
      2⤵
      • Program crash
      PID:3900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2648 -ip 2648
    1⤵
    PID:2460
  • C:\Users\Admin\AppData\Local\Temp\FD15.exe
    C:\Users\Admin\AppData\Local\Temp\FD15.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:564
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3696
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        PID:4116
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:1180
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:2920
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:4200
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:2028
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:1640
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:4080
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:3356
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:1204
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scripting (1) T1064
  • Defense Evasion: Scripting (1) T1064
  • Credential Access: Credentials in Files (2) T1081
  • Discovery: Query Registry (1) T1012; Peripheral Device Discovery (1) T1120; System Information Discovery (1) T1082
  • Collection: Data from Local System (2) T1005
  • Command and Control: Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EC59.exe
    Filesize: 67KB
    MD5: 666d8f33d37064fd5d14e2166c9bfa69
    SHA1: 3b27df9335a9b2efe9da1057e9f8312a72d1ca9d
    SHA256: 7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157
    SHA512: ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

  • C:\Users\Admin\AppData\Local\Temp\EFF3.exe
    Filesize: 4KB
    MD5: 9748489855d9dd82ab09da5e3e55b19e
    SHA1: 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
    SHA256: 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
    SHA512: 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

  • C:\Users\Admin\AppData\Local\Temp\F2C3.exe
    Filesize: 399KB
    MD5: ac508206006eb41c605373e9793e7622
    SHA1: 3223ac24de6fd4650bbcf1495e73944085bc0e07
    SHA256: 775f35230e0d3bd996440811af08110905803280094996a22b02f6b7b85c6b32
    SHA512: 9aa4d2d50a915919f1f238f0838636cfa6f7fc3e634508f5a110ac4097c919d9076753612af7c2e1c9013281ca4e1a209743560d2f0f01c8c9329c47b113ba2c

  • C:\Users\Admin\AppData\Local\Temp\FD15.exe
    Filesize: 1MB
    MD5: 3e8b9e2a1f3d5a7a2322bce514e90a27
    SHA1: d0e6cf406c70bb223ebaa41aa12f3b34ac217e7f
    SHA256: 00c142f59684f5582673779b0a21edb9309ac9bf24392e41b621899a626cc6d5
    SHA512: b75b86bcc939946944239222f7dc0498f0fad890a61325d53114431f6b746bb4853f6a15f65716c7880afd5c21dd85b91f10e4235b503643314e2371aa4648b7
