Overview

overview

10

Static

static

10

bb762ded17...e6.exe

windows7-x64

10

bb762ded17...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

  • Size

    95KB

  • MD5

    735c15c37831cdc319c03f4f7971da49

  • SHA1

    166949cdb534d97c564adc27f297406a4bf38204

  • SHA256

    bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6

  • SHA512

    3c9227b9472d7840f74363b9801756923de56fcff5349f6e287206531c0da4717a9de520322d122bef30f7b66fdbeaac715ebbe64389de89b1c7d5e832e87ac8

  • SSDEEP

    1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2OtmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzd6Y

Score
10/10
redlinesectopratxmrigexodusdiscoveryevasionexecutioninfostealerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

exodus

C2

94.156.8.229:1334

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
    "C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Local\Temp\east.exe
      "C:\Users\Admin\AppData\Local\Temp\east.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3240
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
            PID:5044
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:4888
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:4192
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          3⤵
          • Launches sc.exe
          PID:1904
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          3⤵
          • Launches sc.exe
          PID:4148
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          3⤵
          • Launches sc.exe
          PID:1096
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1708
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:384
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          3⤵
          • Launches sc.exe
          PID:736
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          3⤵
          • Launches sc.exe
          PID:4024
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          3⤵
          • Launches sc.exe
          PID:1364
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          3⤵
          • Launches sc.exe
          PID:4808
    • C:\ProgramData\Google\Chrome\updater.exe
      C:\ProgramData\Google\Chrome\updater.exe
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4092
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
            PID:3508
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          2⤵
          • Launches sc.exe
          PID:4248
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          2⤵
          • Launches sc.exe
          PID:816
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          2⤵
          • Launches sc.exe
          PID:2700
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          2⤵
          • Launches sc.exe
          PID:368
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          2⤵
          • Launches sc.exe
          PID:4256
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:788
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4004
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4324
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:756
          • C:\Windows\explorer.exe
            explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_azdtv5ns.sjn.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\east.exe
          Filesize

          5.1MB

          MD5

          53fc8153edf492734d97158afd8644a5

          SHA1

          682296b14eddb32ccadaaecc098b497539393b94

          SHA256

          0cbef477e60c59c62f64fe6760ebcf4325c479a957a5622a66feabb0cf50befc

          SHA512

          bda8742db17f89534e2c8a3c53a14d31cb52179cfe06bf24114690046eae42ccb67394e054eb4a53df28b0e0ff5a7ebeb2d23c809b7d40579d988a695c3981eb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp6468.tmp
          Filesize

          46KB

          MD5

          8f5942354d3809f865f9767eddf51314

          SHA1

          20be11c0d42fc0cef53931ea9152b55082d1a11e

          SHA256

          776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

          SHA512

          fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp647E.tmp
          Filesize

          100KB

          MD5

          7e58c37fd1d2f60791d5f890d3635279

          SHA1

          5b7b963802b7f877d83fe5be180091b678b56a02

          SHA256

          df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

          SHA512

          a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp64B8.tmp
          Filesize

          48KB

          MD5

          349e6eb110e34a08924d92f6b334801d

          SHA1

          bdfb289daff51890cc71697b6322aa4b35ec9169

          SHA256

          c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

          SHA512

          2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp64BE.tmp
          Filesize

          20KB

          MD5

          49693267e0adbcd119f9f5e02adf3a80

          SHA1

          3ba3d7f89b8ad195ca82c92737e960e1f2b349df

          SHA256

          d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

          SHA512

          b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp64C4.tmp
          Filesize

          116KB

          MD5

          f70aa3fa04f0536280f872ad17973c3d

          SHA1

          50a7b889329a92de1b272d0ecf5fce87395d3123

          SHA256

          8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

          SHA512

          30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp64FF.tmp
          Filesize

          96KB

          MD5

          d367ddfda80fdcf578726bc3b0bc3e3c

          SHA1

          23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

          SHA256

          0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

          SHA512

          40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

          Download Submit
        • C:\Windows\system32\drivers\etc\hosts
          Filesize

          3KB

          MD5

          00930b40cba79465b7a38ed0449d1449

          SHA1

          4b25a89ee28b20ba162f23772ddaf017669092a5

          SHA256

          eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

          SHA512

          cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

          Download Submit
        • memory/212-166-0x00000000074D0000-0x0000000007546000-memory.dmp
          Filesize

          472KB

          Download
        • memory/212-204-0x00000000745BE000-0x00000000745BF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/212-9-0x0000000007660000-0x0000000007B8C000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/212-8-0x0000000006F60000-0x0000000007122000-memory.dmp
          Filesize

          1.8MB

          Download
        • memory/212-7-0x0000000005C80000-0x0000000005D8A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/212-6-0x00000000745B0000-0x0000000074D60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/212-5-0x0000000005A20000-0x0000000005A6C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/212-4-0x00000000059E0000-0x0000000005A1C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/212-165-0x0000000007430000-0x00000000074C2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/212-1-0x0000000000FB0000-0x0000000000FCE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/212-167-0x0000000008140000-0x00000000086E4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/212-168-0x0000000007640000-0x000000000765E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/212-3-0x0000000005980000-0x0000000005992000-memory.dmp
          Filesize

          72KB

          Download
        • memory/212-10-0x0000000006EF0000-0x0000000006F56000-memory.dmp
          Filesize

          408KB

          Download
        • memory/212-206-0x00000000745B0000-0x0000000074D60000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/212-0-0x00000000745BE000-0x00000000745BF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/212-2-0x0000000005F40000-0x0000000006558000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/756-265-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/756-262-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/756-258-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/756-259-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/756-260-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/756-261-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/1240-208-0x000001F09D9B0000-0x000001F09D9D2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1240-218-0x00007FFAD9DD0000-0x00007FFADA891000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1240-219-0x00007FFAD9DD0000-0x00007FFADA891000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1240-222-0x00007FFAD9DD0000-0x00007FFADA891000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1240-207-0x00007FFAD9DD3000-0x00007FFAD9DD5000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1588-270-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-278-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-284-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-283-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-282-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-281-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-280-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-279-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-268-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-266-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-277-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-275-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-272-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-273-0x0000000000460000-0x0000000000480000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1588-271-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-269-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-267-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-274-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/1588-276-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4092-253-0x000001E7B1CA0000-0x000001E7B1CAA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4092-245-0x000001E7B1A30000-0x000001E7B1A4C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/4092-246-0x000001E7B1A50000-0x000001E7B1B05000-memory.dmp
          Filesize

          724KB

          Download
        • memory/4092-247-0x000001E7B1A20000-0x000001E7B1A2A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4092-248-0x000001E7B1C70000-0x000001E7B1C8C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/4092-249-0x000001E7B1C50000-0x000001E7B1C5A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4092-251-0x000001E7B1C60000-0x000001E7B1C68000-memory.dmp
          Filesize

          32KB

          Download
        • memory/4092-250-0x000001E7B1CB0000-0x000001E7B1CCA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4092-252-0x000001E7B1C90000-0x000001E7B1C96000-memory.dmp
          Filesize

          24KB

          Download