Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 29-05-2024 14:03
- static task: static1
General
- Target: 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
- Size: 1.8MB
- MD5: e427f7e972e458acca51c043839c9c04
- SHA1: 800cb9174a2afeb2a1402d7bd8deee4f97e36a4d
- SHA256: 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27
- SHA512: a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70
- SSDEEP: 49152:BKLAvkPPHS++crkFwOnxAvpmcTajVMNqq:qAvkXxrkbneBmcuZeqq
Malware Config
Extracted: amadey
- 4.21
- 49e482
- http://147.45.47.70
- install_dir: 1b29d73536
- install_file: axplont.exe
- strings_key: 4d31dd1a190d9879c21fac6d87dc0043
- url_paths: /tr8nomy/index.php
Extracted: redline
- 1
- 185.215.113.67:40960
Extracted: lumma
- https://femininiespywageg.shop/api
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | family_redline
  - behavioral2/memory/1524-74-0x0000000000B50000-0x0000000000BA2000-memory.dmp | family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
- Executes dropped EXE (5 IoCs)
  Processes (pid | process):
  - 2196 | axplont.exe
  - 3892 | axplont.exe
  - 1100 | axplont.exe
  - 1524 | fileosn.exe
  - 3896 | lumma1234.exe
- Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | axplont.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | axplont.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | axplont.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid | process):
  - 1736 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  - 2196 | axplont.exe
  - 3892 | axplont.exe
  - 1100 | axplont.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  - PID 3896 set thread context of 344 | 3896 | lumma1234.exe | RegAsm.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Windows\Tasks\axplont.job | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies system certificate store
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | fileosn.exe
  - Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary blob not reproduced here) | fileosn.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  - 1736 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  - 1736 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  - 2196 | axplont.exe
  - 2196 | axplont.exe
  - 3892 | axplont.exe
  - 3892 | axplont.exe
  - 1100 | axplont.exe
  - 1100 | axplont.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process):
  - PID 1736 wrote to memory of 2196 | 1736 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | axplont.exe (3 times)
  - PID 2196 wrote to memory of 1524 | 2196 | axplont.exe | fileosn.exe (3 times)
  - PID 2196 wrote to memory of 3896 | 2196 | axplont.exe | lumma1234.exe (3 times)
  - PID 3896 wrote to memory of 4716 | 3896 | lumma1234.exe | RegAsm.exe (3 times)
  - PID 3896 wrote to memory of 344 | 3896 | lumma1234.exe | RegAsm.exe (9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
      - Executes dropped EXE
      - Modifies system certificate store
    - C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
  Filesize: 1.1MB
  MD5: 7cea595dbd1fdd056b616f7fa6c68dee
  SHA1: c7962d3a9e57f838e8d86709ff6a72bf9046d22e
  SHA256: 4a34a915c77f67ee89df3be2c286cf3c135da8ee38c8590151de6b6f75f1412f
  SHA512: 04e77c27a55bd1a665c540d902ad161758be4c479ceec1f82a7196b93a6a77d7d600c1cc2b5765be447f7cd33caac21a25cc7253e4727f14557ff5a469e63a4d
- C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
  Filesize: 304KB
  MD5: 84bf36993bdd61d216e83fe391fcc7fd
  SHA1: e023212e847a54328aaea05fbe41eb4828855ce6
  SHA256: 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
  SHA512: bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
- C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
  Filesize: 518KB
  MD5: c4ffab152141150528716daa608d5b92
  SHA1: a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
  SHA256: c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
  SHA512: a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9
- C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  Filesize: 1.8MB
  MD5: e427f7e972e458acca51c043839c9c04
  SHA1: 800cb9174a2afeb2a1402d7bd8deee4f97e36a4d
  SHA256: 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27
  SHA512: a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70
- C:\Users\Admin\AppData\Local\Temp\TmpE29B.tmp
  Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8