Analysis
-
max time kernel
46s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
26-01-2023 21:46
General
-
Target
tmp77EA.tmp.exe
-
Size
2.3MB
-
MD5
1d85c4d35f557fbbde158258300b753f
-
SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea
-
SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a
-
SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52
-
SSDEEP
49152:Vg9FpS1fbJT9VhpwKxh5ors6lz1u1M6s1V2hcCudLP1FqDfk:S9FpYJT9pw+2sMz1u1M6s/2HIPjqDc
Malware Config
Extracted
redline
redline
79.137.133.225:25999
-
auth_value
38284dbf15da9b4a9eaee0ef0d2b343f
Signatures
-
Detect PureCrypter injector 1 IoCs
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp77EA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp77EA.tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmp77EA.tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp77EA.tmp.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/516-57-0x0000000000000000-mapping.dmp
-
memory/516-59-0x000000006F900000-0x000000006FEAB000-memory.dmpFilesize
5.7MB
-
memory/516-60-0x000000006F900000-0x000000006FEAB000-memory.dmpFilesize
5.7MB
-
memory/516-61-0x000000006F900000-0x000000006FEAB000-memory.dmpFilesize
5.7MB
-
memory/1500-54-0x0000000000D90000-0x0000000000FEE000-memory.dmpFilesize
2.4MB
-
memory/1500-55-0x00000000049D0000-0x0000000004C2C000-memory.dmpFilesize
2.4MB
-
memory/1500-56-0x0000000075D71000-0x0000000075D73000-memory.dmpFilesize
8KB
-
memory/1500-62-0x00000000047D0000-0x000000000481C000-memory.dmpFilesize
304KB
-
memory/1544-63-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1544-66-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1544-64-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1544-68-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1544-70-0x000000000041B59A-mapping.dmp
-
memory/1544-69-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1544-72-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/1544-74-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB