Analysis
max time kernel: 140s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-03-2024 05:46
Behavioral task behavioral1
Sample: tmp.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: tmp.exe
Resource: win10v2004-20240226-en
General
Target: tmp.exe
Size: 1.7MB
MD5: 211c3659790c88b15827ec89ffa5898f
SHA1: f0ef5847fb9a1db37b3307e3b2b6f90098aa6e65
SHA256: 0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c
SHA512: a7aa227100c27ba414d53af42c9dbedd3f509fa7b32fc442d2f0ede75292c917e226ec78238a66c6d46531d23856a4d1bcf1ad9567d4c1e75bfdeb975769e708
SSDEEP: 24576:mnkh7MnClk+2SEETqUjuX5DYF5l53hDGlLVnHeV+6nn3kuoMryAF72btp/H:mn8kCKSEEA5DY/glLxHeV+6n38MHh2P
Malware Config
Extracted
Family: redline
@logscloudyt_bot
185.172.128.33:8970
Signatures
-
Detect ZGRat V1 (4 IoCs)
resource | yara_rule
behavioral2/memory/3380-0-0x00000000007A0000-0x0000000000962000-memory.dmp | family_zgrat_v1
behavioral2/memory/4928-6-0x0000000000400000-0x0000000000592000-memory.dmp | family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe | family_zgrat_v1
behavioral2/memory/3060-36-0x0000000000C20000-0x0000000000C74000-memory.dmp | family_zgrat_v1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (5 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe | family_redline
behavioral2/memory/3060-36-0x0000000000C20000-0x0000000000C74000-memory.dmp | family_redline
behavioral2/memory/3672-35-0x0000000000460000-0x00000000004B0000-memory.dmp | family_redline
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | RegAsm.exe
-
Executes dropped EXE (2 IoCs)
Processes: fate.exe, olehpsp.exe
pid | process
3672 | fate.exe
3060 | olehpsp.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: tmp.exe
description | pid | process | target process
PID 3380 set thread context of 4928 | 3380 | tmp.exe | RegAsm.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: olehpsp.exe, fate.exe
pid | process
3060 | olehpsp.exe
3672 | fate.exe
3672 | fate.exe
3672 | fate.exe
3672 | fate.exe
3672 | fate.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: olehpsp.exe, fate.exe, RegAsm.exe
description | pid | process
Token: SeDebugPrivilege | 3060 | olehpsp.exe
Token: SeDebugPrivilege | 3672 | fate.exe
Token: SeDebugPrivilege | 4928 | RegAsm.exe
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: tmp.exe, RegAsm.exe, cmd.exe
description | pid | process | target process
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 3380 wrote to memory of 4928 | 3380 | tmp.exe | RegAsm.exe
PID 4928 wrote to memory of 3672 | 4928 | RegAsm.exe | fate.exe
PID 4928 wrote to memory of 3672 | 4928 | RegAsm.exe | fate.exe
PID 4928 wrote to memory of 3672 | 4928 | RegAsm.exe | fate.exe
PID 4928 wrote to memory of 3060 | 4928 | RegAsm.exe | olehpsp.exe
PID 4928 wrote to memory of 3060 | 4928 | RegAsm.exe | olehpsp.exe
PID 4928 wrote to memory of 1772 | 4928 | RegAsm.exe | cmd.exe
PID 4928 wrote to memory of 1772 | 4928 | RegAsm.exe | cmd.exe
PID 4928 wrote to memory of 1772 | 4928 | RegAsm.exe | cmd.exe
PID 1772 wrote to memory of 1268 | 1772 | cmd.exe | choice.exe
PID 1772 wrote to memory of 1268 | 1772 | cmd.exe | choice.exe
PID 1772 wrote to memory of 1268 | 1772 | cmd.exe | choice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
    Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
Downloads
-
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
Filesize: 296KB
MD5: 28f30e43da4c45f023b546fc871a12ea
SHA1: ab063bbb313b75320f4335a8cd878f7a02e5f91c
SHA256: 1e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b
SHA512: 559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4
-
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
Filesize: 64KB
MD5: 7e5015cfb112821ba95aa9b93333780d
SHA1: 2f71c23b628273db3c7a873c04df1b964609bc62
SHA256: 7cb811fa25123c18f9ddea8da9a8f52a600b407732a2eda0ff6eb1537337f51c
SHA512: 567ac0d42ed27560ccea9c015c98c8a7eb24d92d0c9fb96c699e2093ba310a9862ba2ad21a2de976e32cf03200aed172b8d694168a84d3e79727936156c05150
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
Filesize: 310KB
MD5: afbc408680d16aa491e10c002dc9c3d0
SHA1: 272e07bc68d862f65fc2006d9d714ad03cb09086
SHA256: 7b32e5045377a79d4f7f552d9971022f6883799eebeffa8f48f3c76e66acb80d
SHA512: 05601f82bc44aaca332b7357b745a5658199c6bb86d26cbf9a110686351717359a6b64f1c713e278a3517b470cf7bc6db48c647f587999931606a137d0040fbb