Analysis
max time kernel: 40s
max time network: 76s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2023 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: MavrodiBlack 2.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: MavrodiBlack 2.exe
  Resource: win10v2004-20230220-en
General
Target: MavrodiBlack 2.exe
Size: 592KB
MD5: a5f8768a97c74ecc4c26c402f2bcef11
SHA1: d234ce957544025614d49e1e18f3bac6352ca994
SHA256: 679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c
SHA512: e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009
SSDEEP: 6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6
Malware Config
Extracted
Family: redline
C2: 37.220.87.13:48790
auth_value: 5ccbd06c4978ff4912009e42060b2daf
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 1292 created 2552 | 1292 | 200224.exe | 33

Downloads MZ/PE file

Stops running service(s) (3 TTPs)

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk | AppLaunch.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1292 | 200224.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  4696 | AppLaunch.exe
  4696 | AppLaunch.exe
  4696 | AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  29 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1252 set thread context of 4696 | 1252 | MavrodiBlack 2.exe | 84

Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.dll | AppLaunch.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.Linq.dll | AppLaunch.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\x86\SQLite.Interop.dll | AppLaunch.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.dll | AppLaunch.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.EF6.dll | AppLaunch.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.Linq.dll | AppLaunch.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\x86 | AppLaunch.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\x64 | AppLaunch.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\x64\SQLite.Interop.dll | AppLaunch.exe
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.EF6.dll | AppLaunch.exe

Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  4112 | sc.exe
  2656 | sc.exe
  2432 | sc.exe
  3712 | sc.exe
  2964 | sc.exe

Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  4528 | 3600 | WerFault.exe | 91
  3532 | 1564 | WerFault.exe | 98
  3888 | 1252 | WerFault.exe | 112
  2024 | 1564 | WerFault.exe | 98

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | AppLaunch.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4696 | AppLaunch.exe
  4696 | AppLaunch.exe
  1292 | 200224.exe
  1292 | 200224.exe
  1856 | powershell.exe
  1856 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4696 | AppLaunch.exe
  Token: SeDebugPrivilege | 1856 | powershell.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1252 wrote to memory of 4696 | 1252 | MavrodiBlack 2.exe | 84
  PID 1252 wrote to memory of 4696 | 1252 | MavrodiBlack 2.exe | 84
  PID 1252 wrote to memory of 4696 | 1252 | MavrodiBlack 2.exe | 84
  PID 1252 wrote to memory of 4696 | 1252 | MavrodiBlack 2.exe | 84
  PID 1252 wrote to memory of 4696 | 1252 | MavrodiBlack 2.exe | 84
  PID 4696 wrote to memory of 1292 | 4696 | AppLaunch.exe | 87
  PID 4696 wrote to memory of 1292 | 4696 | AppLaunch.exe | 87
Processes (indented by depth in the process tree; "cmdline" is the recorded command line)

C:\Windows\Explorer.EXE  (PID 2552)
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\MavrodiBlack 2.exe  (PID 1252)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\MavrodiBlack 2.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4696)
      cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      - Drops startup file
      - Loads dropped DLL
      - Drops file in Windows directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\200224.exe  (PID 1292)
        cmdline: "C:\Users\Admin\AppData\Local\200224.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Local\631599.exe  (PID 3600)
        cmdline: "C:\Users\Admin\AppData\Local\631599.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1564)
          cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3268)
            cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

          C:\Windows\SysWOW64\WerFault.exe  (PID 3532)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 460
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  (PID 2024)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 464
            - Program crash

        C:\Windows\SysWOW64\WerFault.exe  (PID 4528)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 140
          - Program crash

      C:\Users\Admin\AppData\Local\517221.exe  (PID 1252)
        cmdline: "C:\Users\Admin\AppData\Local\517221.exe"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2124)
          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

        C:\Windows\SysWOW64\WerFault.exe  (PID 3888)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 324
          - Program crash

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1856)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe  (PID 1224)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

    C:\Windows\System32\sc.exe  (PID 4112)
      cmdline: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 2656)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 2432)
      cmdline: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 3712)
      cmdline: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 2964)
      cmdline: sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe  (PID 2728)
    cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

    C:\Windows\System32\powercfg.exe  (PID 5080)
      cmdline: powercfg /x -hibernate-timeout-ac 0

    C:\Windows\System32\powercfg.exe  (PID 4556)
      cmdline: powercfg /x -standby-timeout-ac 0

    C:\Windows\System32\powercfg.exe  (PID 1560)
      cmdline: powercfg /x -hibernate-timeout-dc 0

  C:\Windows\System32\dialer.exe  (PID 4384)
    cmdline: C:\Windows\System32\dialer.exe

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3404)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qlgljmw#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\SysWOW64\WerFault.exe  (PID 4800)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe  (PID 4936)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1564 -ip 1564

C:\Windows\SysWOW64\WerFault.exe  (PID 1376)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1252 -ip 1252

C:\Windows\SysWOW64\WerFault.exe  (PID 2312)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1564 -ip 1564
Downloads