Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2022 16:42

General

  • Target

    e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd.exe

  • Size

    231KB

  • MD5

    ff58b2c40941c7066739fe425f01d928

  • SHA1

    ea2044c506fcea503f82fe1bc74c031db636aa59

  • SHA256

    e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd

  • SHA512

    e42721c6062dc72d5f6141a4bc21140e571259b97443a306debdaea72864d452c8b04429d66743db6915af57ce2ddcff352fe4962fe0eb2ef9b109237502d6a7

  • SSDEEP

    3072:c5d+LO82n5TfpgX4h2XVCkFLq5c6Ka8tJ/OkZFw7RkxmJZs:cWLp2BOFCkFu57iJ/OkrGymI

Malware Config

Extracted

Family

redline

Botnet

11

C2

79.137.202.18:45218

Attributes
  • auth_value

    107e09eee63158d2488feb03dac75204

Extracted

Family

aurora

C2

195.43.142.218:8081

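The extracted configuration above gives the two artefacts a responder actually hunts with: the RedLine C2 at 79.137.202.18:45218 and the Aurora C2 at 195.43.142.218:8081, plus the SHA-256 values of the submitted sample and its dropped files. The following is an added example, not code from the sandbox or from the page: it matches those IOCs against a few constructed log lines. The log formats (a "CONN src -> dst:port" line and a "FILE path sha256=..." line) are assumptions for the example; adapt the two regular expressions to the real source.

```python
import re
from dataclasses import dataclass

# IOCs taken from the report above: extracted C2 endpoints and dropped-file hashes.
C2_ENDPOINTS = {
    ("79.137.202.18", 45218): "redline",
    ("195.43.142.218", 8081): "aurora",
}

SHA256_IOCS = {
    "e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd": "submitted sample",
    "7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157": "DB32.exe",
    "05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b": "DDD3.exe",
    "775f35230e0d3bd996440811af08110905803280094996a22b02f6b7b85c6b32": "E0E1.exe",
    "00c142f59684f5582673779b0a21edb9309ac9bf24392e41b621899a626cc6d5": "E806.exe",
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "c2" or "hash"
    label: str      # malware family or dropped-file name from the report
    evidence: str   # the matched endpoint or path


# Assumed (constructed) log formats for this example:
#   "<ts> CONN <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
#   "<ts> FILE <path> sha256=<hex>"
CONN_RE = re.compile(r"CONN\s+\S+\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)")
FILE_RE = re.compile(r"FILE\s+(\S+)\s+sha256=([0-9a-fA-F]{64})")


def scan_line(line_no, line):
    """Return the IOC hits found on one log line (empty list if none)."""
    hits = []
    m = CONN_RE.search(line)
    if m:
        # Match IP and port together: the port is part of the extracted config.
        key = (m.group(1), int(m.group(2)))
        if key in C2_ENDPOINTS:
            hits.append(Hit(line_no, "c2", C2_ENDPOINTS[key], f"{key[0]}:{key[1]}"))
    m = FILE_RE.search(line)
    if m:
        # Hashes arrive in mixed case from different tools; normalise before lookup.
        digest = m.group(2).lower()
        if digest in SHA256_IOCS:
            hits.append(Hit(line_no, "hash", SHA256_IOCS[digest], m.group(1)))
    return hits


def scan(lines):
    """Scan an iterable of log lines and return all hits in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log: one benign connection, the DB32.exe drop (hash in upper case),
# the RedLine C2, a non-C2 port on the same IP, and the Aurora C2.
SAMPLE_LOG = """\
2022-12-25T16:42:10Z CONN 10.0.0.15:51234 -> 142.250.74.78:443
2022-12-25T16:42:12Z FILE C:\\Users\\Admin\\AppData\\Local\\Temp\\DB32.exe sha256=7FDDF1B75F50D43214867F367223F2D241D62AE63DEEA334D051C0EE19D18157
2022-12-25T16:42:13Z CONN 10.0.0.15:51240 -> 79.137.202.18:45218
2022-12-25T16:42:14Z CONN 10.0.0.15:51241 -> 79.137.202.18:80
2022-12-25T16:42:15Z CONN 10.0.0.15:51242 -> 195.43.142.218:8081
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} match -> {h.label} ({h.evidence})")
```

The fourth sample line (same IP, port 80) is deliberately not matched: the endpoint is taken from the extracted config as IP plus port, which keeps false positives down on shared hosting. For broader hunting after an incident, drop the port from the key and treat IP-only hits as lower confidence.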
Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

  • Detects Smokeloader packer 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs

    vbc.exe is the legitimate, Microsoft-signed Visual Basic .NET compiler. In the process tree below it is started without any arguments by the dropped executables, which also show WriteProcessMemory and SetThreadContext activity; that combination is consistent with process hollowing into a trusted binary rather than an actual compile.
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information (typically the disk identifier strings under HKLM\HARDWARE\DEVICEMAP\Scsi) is often read to detect sandboxing environments: the identifiers of virtual disks name the hypervisor vendor.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd.exe
    "C:\Users\Admin\AppData\Local\Temp\e9f8b316306170264c2640f235e5d7dd2470d74123566509d7a21984778720dd.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4816
  • C:\Users\Admin\AppData\Local\Temp\DB32.exe
    C:\Users\Admin\AppData\Local\Temp\DB32.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:2156
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:4896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:3164
  • C:\Users\Admin\AppData\Local\Temp\DDD3.exe
    C:\Users\Admin\AppData\Local\Temp\DDD3.exe
    1⤵
    • Executes dropped EXE
    PID:3532
  • C:\Users\Admin\AppData\Local\Temp\E0E1.exe
    C:\Users\Admin\AppData\Local\Temp\E0E1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:4556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 240
      2⤵
      • Program crash
      PID:5084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2520 -ip 2520
    1⤵
    PID:4292
  • C:\Users\Admin\AppData\Local\Temp\E806.exe
    C:\Users\Admin\AppData\Local\Temp\E806.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4176
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        PID:4336
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:1516
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:3192
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:3552
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:1900
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:3384
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:3324
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:4188
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:3872
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    PID:1160
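Two patterns in the process tree above are worth turning into detection logic: dropped executables in %TEMP% (DB32.exe, E0E1.exe) starting the .NET compiler vbc.exe with an empty command line, and E806.exe fingerprinting the host through wmic (OS caption, video controller, CPU name), partly via cmd.exe. The block below is an added example, not the sandbox's or the malware's code. It runs both rules over process-creation events reconstructed from the tree; the event fields follow a Sysmon-style shape, the parent PIDs of the top-level Temp executables are not given in the report and are set to a placeholder, and the list of hollowing hosts beyond vbc.exe and the two-query threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon-Event-1-like fields), rebuilt from the
# report's process tree. ppid 0 is a placeholder: the report does not show the parent
# of the top-level Temp executables. A build-tool compile is added as a benign control.
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
EVENTS = [
    {"pid": 700,  "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\DB32.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\DB32.exe"},
    {"pid": 2156, "ppid": 700,  "image": VBC, "cmdline": f'"{VBC}"'},
    {"pid": 2520, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\E0E1.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\E0E1.exe"},
    {"pid": 4556, "ppid": 2520, "image": VBC, "cmdline": f'"{VBC}"'},
    {"pid": 3936, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\E806.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\E806.exe"},
    {"pid": 4952, "ppid": 3936, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic os get Caption"},
    {"pid": 4076, "ppid": 3936, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 4176, "ppid": 4076, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 1352, "ppid": 3936, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 4336, "ppid": 1352, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
    # Benign control (constructed): a real compile launched by a build tool, with arguments.
    {"pid": 9001, "ppid": 1,    "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": "MSBuild.exe app.vbproj"},
    {"pid": 9002, "ppid": 9001, "image": VBC,
     "cmdline": f'"{VBC}" /noconfig /out:app.dll Form1.vb'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# vbc.exe is what this report shows; the others are common hollowing hosts (assumption).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe", "installutil.exe"}
# The three wmic queries E806.exe issues in the tree above.
FINGERPRINT_QUERIES = ("os get caption", "win32_videocontroller", "cpu get name")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_args(cmdline, image):
    """True when the command line is just the image path (quoted or not)."""
    return cmdline.strip().strip('"').lower() == image.lower()


def ancestors(by_pid, pid):
    """Yield the process and its ancestors, stopping at unknown PIDs or cycles."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def temp_ancestor(by_pid, pid):
    for ev in ancestors(by_pid, pid):
        if TEMP_RE.search(ev["image"]):
            return ev
    return None


def detect_hollowing(events):
    """(parent pid, child pid, host) for argument-less .NET hosts started from %TEMP%."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        host = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if host not in HOLLOW_HOSTS or parent is None:
            continue
        # A compiler doing real work carries sources and flags; an empty command
        # line under a Temp-resident parent is the hollowing tell.
        if TEMP_RE.search(parent["image"]) and has_no_args(e["cmdline"], e["image"]):
            hits.append((parent["pid"], e["pid"], host))
    return hits


def detect_wmi_fingerprint(events, min_queries=2):
    """Temp-resident ancestors that issued at least min_queries distinct wmic probes."""
    by_pid = {e["pid"]: e for e in events}
    seen = defaultdict(set)
    for e in events:
        if basename(e["image"]) != "wmic.exe":
            continue
        cl = e["cmdline"].lower()
        for q in FINGERPRINT_QUERIES:
            if q in cl:
                # Walk through cmd.exe (or any other intermediary) to the Temp executable.
                anc = temp_ancestor(by_pid, e["ppid"])
                if anc is not None:
                    seen[anc["pid"]].add(q)
    return {pid: sorted(qs) for pid, qs in seen.items() if len(qs) >= min_queries}


if __name__ == "__main__":
    for parent, child, host in detect_hollowing(EVENTS):
        print(f"possible hollowing: pid {parent} -> {host} (pid {child}) with no arguments")
    for pid, queries in detect_wmi_fingerprint(EVENTS).items():
        print(f"host fingerprinting from pid {pid}: {', '.join(queries)}")
```

Both rules key on the parent being in %TEMP% rather than on the wmic or vbc.exe image alone, which is what keeps them quiet on a developer workstation; the benign MSBuild-driven compile in the sample events is not reported. Attribute the wmic hits to the Temp ancestor, not to cmd.exe, or the three probes look like three unrelated events.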

                                  Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scripting (1) T1064
  • Defense Evasion: Scripting (1) T1064
  • Credential Access: Credentials in Files (2) T1081
  • Discovery: Query Registry (1) T1012; Peripheral Device Discovery (1) T1120; System Information Discovery (1) T1082
  • Collection: Data from Local System (2) T1005
  • Command and Control: Web Service (1) T1102

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\DB32.exe
                                    Filesize

                                    67KB

                                    MD5

                                    666d8f33d37064fd5d14e2166c9bfa69

                                    SHA1

                                    3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

                                    SHA256

                                    7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

                                    SHA512

                                    ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

                                  • C:\Users\Admin\AppData\Local\Temp\DDD3.exe
                                    Filesize

                                    4KB

                                    MD5

                                    9748489855d9dd82ab09da5e3e55b19e

                                    SHA1

                                    6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

                                    SHA256

                                    05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

                                    SHA512

                                    7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

                                  • C:\Users\Admin\AppData\Local\Temp\E0E1.exe
                                    Filesize

                                    399KB

                                    MD5

                                    ac508206006eb41c605373e9793e7622

                                    SHA1

                                    3223ac24de6fd4650bbcf1495e73944085bc0e07

                                    SHA256

                                    775f35230e0d3bd996440811af08110905803280094996a22b02f6b7b85c6b32

                                    SHA512

                                    9aa4d2d50a915919f1f238f0838636cfa6f7fc3e634508f5a110ac4097c919d9076753612af7c2e1c9013281ca4e1a209743560d2f0f01c8c9329c47b113ba2c

                                  • C:\Users\Admin\AppData\Local\Temp\E806.exe
                                    Filesize

                                    1MB

                                    MD5

                                    3e8b9e2a1f3d5a7a2322bce514e90a27

                                    SHA1

                                    d0e6cf406c70bb223ebaa41aa12f3b34ac217e7f

                                    SHA256

                                    00c142f59684f5582673779b0a21edb9309ac9bf24392e41b621899a626cc6d5

                                    SHA512

                                    b75b86bcc939946944239222f7dc0498f0fad890a61325d53114431f6b746bb4853f6a15f65716c7880afd5c21dd85b91f10e4235b503643314e2371aa4648b7

                                  • memory/700-136-0x0000000000000000-mapping.dmp
                                  • memory/700-139-0x00000000005C0000-0x00000000005D6000-memory.dmp
                                    Filesize

                                    88KB

                                  • memory/700-144-0x0000000004F10000-0x0000000004F76000-memory.dmp
                                    Filesize

                                    408KB

                                  • memory/932-158-0x0000000000000000-mapping.dmp
                                  • memory/1160-203-0x0000000000000000-mapping.dmp
                                  • memory/1160-204-0x0000000000B20000-0x0000000000B28000-memory.dmp
                                    Filesize

                                    32KB

                                  • memory/1160-205-0x0000000000B10000-0x0000000000B1B000-memory.dmp
                                    Filesize

                                    44KB

                                  • memory/1160-218-0x0000000000B20000-0x0000000000B28000-memory.dmp
                                    Filesize

                                    32KB

                                  • memory/1352-184-0x0000000000000000-mapping.dmp
                                  • memory/1516-174-0x0000000000C60000-0x0000000000C6B000-memory.dmp
                                    Filesize

                                    44KB

                                  • memory/1516-206-0x0000000000C70000-0x0000000000C77000-memory.dmp
                                    Filesize

                                    28KB

                                  • memory/1516-173-0x0000000000C70000-0x0000000000C77000-memory.dmp
                                    Filesize

                                    28KB

                                  • memory/1516-166-0x0000000000000000-mapping.dmp
                                  • memory/1900-213-0x0000000000570000-0x0000000000576000-memory.dmp
                                    Filesize

                                    24KB

                                  • memory/1900-188-0x0000000000560000-0x000000000056C000-memory.dmp
                                    Filesize

                                    48KB

                                  • memory/1900-185-0x0000000000000000-mapping.dmp
                                  • memory/1900-187-0x0000000000570000-0x0000000000576000-memory.dmp
                                    Filesize

                                    24KB

                                  • memory/2156-155-0x0000000000000000-mapping.dmp
                                  • memory/2520-146-0x0000000000000000-mapping.dmp
                                  • memory/3164-159-0x0000000000000000-mapping.dmp
                                  • memory/3192-177-0x00000000005E0000-0x00000000005EF000-memory.dmp
                                    Filesize

                                    60KB

                                  • memory/3192-209-0x00000000005F0000-0x00000000005F9000-memory.dmp
                                    Filesize

                                    36KB

                                  • memory/3192-176-0x00000000005F0000-0x00000000005F9000-memory.dmp
                                    Filesize

                                    36KB

                                  • memory/3192-175-0x0000000000000000-mapping.dmp
                                  • memory/3324-194-0x0000000000C60000-0x0000000000C69000-memory.dmp
                                    Filesize

                                    36KB

                                  • memory/3324-193-0x0000000000C70000-0x0000000000C75000-memory.dmp
                                    Filesize

                                    20KB

                                  • memory/3324-215-0x0000000000C70000-0x0000000000C75000-memory.dmp
                                    Filesize

                                    20KB

                                  • memory/3324-192-0x0000000000000000-mapping.dmp
                                  • memory/3384-191-0x0000000000C60000-0x0000000000C87000-memory.dmp
                                    Filesize

                                    156KB

                                  • memory/3384-214-0x0000000000C90000-0x0000000000CB2000-memory.dmp
                                    Filesize

                                    136KB

                                  • memory/3384-190-0x0000000000C90000-0x0000000000CB2000-memory.dmp
                                    Filesize

                                    136KB

                                  • memory/3384-189-0x0000000000000000-mapping.dmp
                                  • memory/3532-140-0x0000000000000000-mapping.dmp
                                  • memory/3532-143-0x00000000007F0000-0x00000000007F8000-memory.dmp
                                    Filesize

                                    32KB

                                  • memory/3532-145-0x00007FFA04700000-0x00007FFA051C1000-memory.dmp
                                    Filesize

                                    10MB

                                  • memory/3552-178-0x0000000000000000-mapping.dmp
                                  • memory/3552-212-0x0000000000D30000-0x0000000000D35000-memory.dmp
                                    Filesize

                                    20KB

                                  • memory/3552-182-0x0000000000D30000-0x0000000000D35000-memory.dmp
                                    Filesize

                                    20KB

                                  • memory/3552-183-0x0000000000D20000-0x0000000000D29000-memory.dmp
                                    Filesize

                                    36KB

                                  • memory/3872-201-0x0000000000620000-0x0000000000627000-memory.dmp
                                    Filesize

                                    28KB

                                  • memory/3872-202-0x0000000000610000-0x000000000061D000-memory.dmp
                                    Filesize

                                    52KB

                                  • memory/3872-200-0x0000000000000000-mapping.dmp
                                  • memory/3872-217-0x0000000000620000-0x0000000000627000-memory.dmp
                                    Filesize

                                    28KB

                                  • memory/3936-219-0x00000000001C0000-0x00000000005AA000-memory.dmp
                                    Filesize

                                    3MB

                                  • memory/3936-172-0x000002589E2F0000-0x000002589E339000-memory.dmp
                                    Filesize

                                    292KB

                                  • memory/3936-171-0x00000000001C0000-0x00000000005AA000-memory.dmp
                                    Filesize

                                    3MB

                                  • memory/3936-162-0x0000000000000000-mapping.dmp
                                  • memory/4076-180-0x0000000000000000-mapping.dmp
                                  • memory/4176-181-0x0000000000000000-mapping.dmp
                                  • memory/4188-195-0x0000000000000000-mapping.dmp
                                  • memory/4188-216-0x0000000000410000-0x0000000000416000-memory.dmp
                                    Filesize

                                    24KB

                                  • memory/4188-198-0x0000000000410000-0x0000000000416000-memory.dmp
                                    Filesize

                                    24KB

                                  • memory/4188-199-0x0000000000400000-0x000000000040B000-memory.dmp
                                    Filesize

                                    44KB

                                  • memory/4336-186-0x0000000000000000-mapping.dmp
                                  • memory/4556-161-0x0000000004DB0000-0x0000000004DC2000-memory.dmp
                                    Filesize

                                    72KB

                                  • memory/4556-211-0x0000000006840000-0x0000000006890000-memory.dmp
                                    Filesize

                                    320KB

                                  • memory/4556-197-0x0000000005F30000-0x00000000064D4000-memory.dmp
                                    Filesize

                                    5MB

                                  • memory/4556-160-0x0000000004E80000-0x0000000004F8A000-memory.dmp
                                    Filesize

                                    1MB

                                  • memory/4556-157-0x0000000005360000-0x0000000005978000-memory.dmp
                                    Filesize

                                    6MB

                                  • memory/4556-207-0x0000000007360000-0x0000000007522000-memory.dmp
                                    Filesize

                                    1MB

                                  • memory/4556-208-0x0000000007A60000-0x0000000007F8C000-memory.dmp
                                    Filesize

                                    5MB

                                  • memory/4556-165-0x0000000004E10000-0x0000000004E4C000-memory.dmp
                                    Filesize

                                    240KB

                                  • memory/4556-210-0x00000000067C0000-0x0000000006836000-memory.dmp
                                    Filesize

                                    472KB

                                  • memory/4556-196-0x0000000005150000-0x00000000051E2000-memory.dmp
                                    Filesize

                                    584KB

                                  • memory/4556-150-0x0000000000360000-0x0000000000392000-memory.dmp
                                    Filesize

                                    200KB

                                  • memory/4556-149-0x0000000000000000-mapping.dmp
                                  • memory/4816-135-0x0000000000400000-0x000000000045E000-memory.dmp
                                    Filesize

                                    376KB

                                  • memory/4816-134-0x0000000000400000-0x000000000045E000-memory.dmp
                                    Filesize

                                    376KB

                                  • memory/4816-132-0x000000000059E000-0x00000000005AE000-memory.dmp
                                    Filesize

                                    64KB

                                  • memory/4816-133-0x0000000000570000-0x0000000000579000-memory.dmp
                                    Filesize

                                    36KB

                                  • memory/4896-156-0x0000000000000000-mapping.dmp
                                  • memory/4952-179-0x0000000000000000-mapping.dmp