Analysis

Max time kernel: 148s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240730-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-07-2024 00:22

Static task: static1
Behavioral task: behavioral1
  Sample: 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
  Resource: win10v2004-20240730-en
Behavioral task: behavioral2
  Sample: 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
  Resource: win11-20240730-en

General
Target: 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
Size: 294KB
MD5: 58ccb4c9da26dbf5584194406ee2f4b3
SHA1: ae91798532b747f410099ef7d0e36bffeca6361c
SHA256: 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97
SHA512: dff6b4bf25fc5b5cf1a64ee645fb0310b072ec69c89a6e863cf9e0800e1d36f8dc4e567cf19c7dc8ac704d351b604cbf8d35959c3a64a10aa6b54f5c8fedb3c2
SSDEEP: 6144:M3VPjut1s07wltS102nj9W0t3KMONuGfpul4EdSCM:gZjut1s0qQj9ztaMMdxop3M
Malware Config

Extracted: redline
  Botnet: exodusmarket.io
  C2: 91.92.240.111:1334

Extracted: quasar
  Version: 1.4.1
  Tag: Office04
  C2: 51.222.21.20:4782
  Mutex: 374acc94-a8cd-45c6-bc31-752e0f83541d
  encryption_key: 5B2A5F50FABB3F6748116D7077D95758D0DFFC77
  install_name: svchost.exe
  log_directory: Logs
  reconnect_delay: 3000 (ms)
  startup_key: svchost
  subdirectory: SubDir

The Quasar install_name, subdirectory and startup_key values predict exactly the persistence observed at runtime: a copy of the client at C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe and a scheduled task named "svchost" (see the Signatures and Processes sections). Both C2 endpoints are plain host:port pairs and can be blocked or hunted for directly.
Signatures

Quasar payload (2 IoCs)
  - C:\Users\Admin\AppData\Local\Temp\adada.exe matched yara rule family_quasar
  - behavioral1/memory/4684-4225-0x00000000007A0000-0x0000000000AC4000-memory.dmp matched yara rule family_quasar (PID 4684 is adada.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  - behavioral1/memory/704-1-0x0000000000400000-0x000000000041E000-memory.dmp matched yara rule family_redline (PID 704 is the RegAsm.exe instance the sample injected into)

SectopRAT payload (1 IoC)
  - behavioral1/memory/704-1-0x0000000000400000-0x000000000041E000-memory.dmp matched yara rule family_sectoprat (the same memory region as the RedLine hit; both rules fire on one injected image, so this is one payload carrying overlapping RedLine/SectopRAT signatures, not two separate payloads)

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  - RegAsm.exe (PID 704) queried \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (4 IoCs)
  - 4616 pureee.exe
  - 4684 adada.exe
  - 4536 dropperrr.exe
  - 720 svchost.exe (the dropped copy at C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe, not the system binary)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive items.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (2 IoCs)
  - PID 768 (2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe) set thread context of PID 704 (RegAsm.exe)
  - PID 4616 (pureee.exe) set thread context of PID 1952 (AddInProcess.exe)
Each pair is also a source/target pair in the WriteProcessMemory list below: the parent starts a .NET framework utility, writes into it, then redirects its thread, which is the usual process-hollowing sequence. The hollowed RegAsm.exe carries the RedLine payload; the hollowed AddInProcess.exe runs the miner command line shown in the process tree.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegAsm.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dropperrr.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  - 956 schtasks.exe (spawned by adada.exe)
  - 2580 schtasks.exe (spawned by the dropped svchost.exe)
Both invocations create the same ONLOGON task "svchost" pointing at C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe with /rl HIGHEST (full command line in the process tree). The task name and path match the startup_key, subdirectory and install_name fields of the extracted Quasar config.

Suspicious behavior: EnumeratesProcesses (54 IoCs)
  - 704 RegAsm.exe (2 events)
  - 4616 pureee.exe (52 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeDebugPrivilege, 704 RegAsm.exe
  - Token: SeDebugPrivilege, 4684 adada.exe
  - Token: SeDebugPrivilege, 720 svchost.exe
  - Token: SeDebugPrivilege, 4616 pureee.exe
  - Token: SeLockMemoryPrivilege, 1952 AddInProcess.exe (2 events)
SeLockMemoryPrivilege is the privilege needed to allocate large pages. A .NET add-in host has no reason to ask for it; a RandomX miner (-a rx in the command line) does, so this is a useful secondary signal for the miner even when the command line is not logged.

Suspicious use of FindShellTrayWindow (1 IoC)
  - 1952 AddInProcess.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  - PID 768 (2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe) wrote to memory of PID 704 (RegAsm.exe): 8 events
  - PID 704 (RegAsm.exe) wrote to memory of PID 4616 (pureee.exe): 2 events
  - PID 704 (RegAsm.exe) wrote to memory of PID 4684 (adada.exe): 2 events
  - PID 704 (RegAsm.exe) wrote to memory of PID 4536 (dropperrr.exe): 3 events
  - PID 4684 (adada.exe) wrote to memory of PID 956 (schtasks.exe): 2 events
  - PID 4684 (adada.exe) wrote to memory of PID 720 (svchost.exe): 2 events
  - PID 720 (svchost.exe) wrote to memory of PID 2580 (schtasks.exe): 2 events
  - PID 4616 (pureee.exe) wrote to memory of PID 1952 (AddInProcess.exe): 14 events
The low counts belong to ordinary child-process launches; the 8 and 14 events against RegAsm.exe and AddInProcess.exe are the injection writes that pair with the SetThreadContext calls above.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe (PID 768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 704, child of 768; hollowed, hosts the RedLine payload)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\pureee.exe (PID 4616, child of 704)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pureee.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe (PID 1952, child of 4616; hollowed)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        The arguments are XMRig-style: -o pool host:port, -a rx (RandomX), -k keepalive, -u COIN:wallet.worker in the unMineable format, -p password placeholder, and --cpu-max-threads-hint=50 to cap the miner at half the CPU threads so the host stays responsive.

    C:\Users\Admin\AppData\Local\Temp\adada.exe (PID 4684, child of 704; Quasar)
      Command line: "C:\Users\Admin\AppData\Local\Temp\adada.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe (PID 956, child of 4684)
        Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

      C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe (PID 720, child of 4684; the installed Quasar copy)
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe (PID 2580, child of 720)
          Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\dropperrr.exe (PID 4536, child of 704)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
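Detection logic for the chain in this process tree, written as an added example for this page; it is not part of the sandbox report and not any vendor's product code. The event shape (one dict per process start with pid, ppid, image, parent_image, cmdline) is an assumed simplification loosely modelled on Sysmon Event ID 1, not a real schema. The malicious events are built from the PIDs, paths and command lines above; the two benign control events at the end are constructed. The rules generalise beyond this sample (any .NET framework utility started from a user-writable directory, any core-binary name outside System32, any schtasks action pointing into AppData/Temp, any XMRig-style pool/algo/wallet triple).

```python
"""Rule-based pass over constructed process-creation events mirroring this report.
Added example; event shape and the benign control events are assumptions."""
from __future__ import annotations

import re

# .NET framework utilities commonly used as process-hollowing hosts. RegAsm.exe and
# AddInProcess.exe are the two in this report; the others are common siblings
# (assumption, not taken from the report).
DOTNET_HOLLOW_HOSTS = {
    "regasm.exe", "regsvcs.exe", "addinprocess.exe", "addinprocess32.exe",
    "installutil.exe", "msbuild.exe", "aspnet_compiler.exe",
}
# Core Windows process names that dropped files like to borrow.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|public)\\", re.IGNORECASE)
# XMRig-style miner arguments: -o pool:port, -a algorithm, -u wallet[.worker]
MINER_POOL = re.compile(r"(?:^|\s)-o\s+[\w.-]+:\d{2,5}(?:\s|$)")
MINER_ALGO = re.compile(r"(?:^|\s)-a\s+\w+")
MINER_USER = re.compile(r"(?:^|\s)-u\s+\S+")
SCHTASKS_TR = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per rule hit: {"rule", "pid", "detail"}."""
    findings: list[dict] = []
    for ev in events:
        pid, image = ev["pid"], ev["image"]
        parent, cmd = ev.get("parent_image", ""), ev.get("cmdline", "")
        name = basename(image)

        # Rule 1: schtasks /create whose action lives in a user-writable directory.
        # /rl HIGHEST and ONLOGON are recorded as aggravating flags, not required.
        if name == "schtasks.exe" and "/create" in cmd.lower():
            m = SCHTASKS_TR.search(cmd)
            target = (m.group(1) or m.group(2)) if m else ""
            if USER_WRITABLE.search(target):
                flags = [f for f in ("/rl highest", "onlogon") if f in cmd.lower()]
                findings.append({"rule": "schtasks_persistence_user_dir", "pid": pid,
                                 "detail": (target + " " + " ".join(flags)).strip()})

        # Rule 2: a core Windows binary name running from outside System32/SysWOW64.
        if name in SYSTEM_BINARY_NAMES and not in_system_dir(image):
            findings.append({"rule": "masquerade_system_binary", "pid": pid, "detail": image})

        # Rule 3: a .NET framework utility started by something in a user-writable
        # directory. With WriteProcessMemory + SetThreadContext from that parent
        # (as in this report) it is process hollowing.
        if name in DOTNET_HOLLOW_HOSTS and USER_WRITABLE.search(parent):
            findings.append({"rule": "dotnet_utility_from_user_dir", "pid": pid,
                             "detail": "parent=" + parent})

        # Rule 4: miner command line (pool, algorithm and wallet all present).
        if MINER_POOL.search(cmd) and MINER_ALGO.search(cmd) and MINER_USER.search(cmd):
            findings.append({"rule": "miner_cmdline", "pid": pid,
                             "detail": MINER_POOL.search(cmd).group(0).strip()})
    return findings


def summarize(events: list[dict]) -> set[tuple[str, int]]:
    return {(f["rule"], f["pid"]) for f in detect(events)}


# Constructed events reproducing the process tree in this report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
PUREEE, ADADA, DROPPERRR = TEMP + r"\pureee.exe", TEMP + r"\adada.exe", TEMP + r"\dropperrr.exe"
DROPPED_SVCHOST = r"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
TASK_CMD = '"schtasks" /create /tn "svchost" /sc ONLOGON /tr "' + DROPPED_SVCHOST + '" /rl HIGHEST /f'
MINER_CMD = (ADDIN + " -o rx.unmineable.com:3333 -a rx -k -u "
             "ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50")

SAMPLE_EVENTS = [
    {"pid": 768, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 704, "ppid": 768, "image": REGASM, "parent_image": SAMPLE, "cmdline": '"' + REGASM + '"'},
    {"pid": 4616, "ppid": 704, "image": PUREEE, "parent_image": REGASM, "cmdline": '"' + PUREEE + '"'},
    {"pid": 1952, "ppid": 4616, "image": ADDIN, "parent_image": PUREEE, "cmdline": MINER_CMD},
    {"pid": 4684, "ppid": 704, "image": ADADA, "parent_image": REGASM, "cmdline": '"' + ADADA + '"'},
    {"pid": 956, "ppid": 4684, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "parent_image": ADADA, "cmdline": TASK_CMD},
    {"pid": 720, "ppid": 4684, "image": DROPPED_SVCHOST, "parent_image": ADADA, "cmdline": '"' + DROPPED_SVCHOST + '"'},
    {"pid": 2580, "ppid": 720, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "parent_image": DROPPED_SVCHOST, "cmdline": TASK_CMD},
    {"pid": 4536, "ppid": 704, "image": DROPPERRR, "parent_image": REGASM, "cmdline": '"' + DROPPERRR + '"'},
    # Benign controls (constructed): the real svchost and a vendor updater task.
    {"pid": 1000, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 1001, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": 'schtasks /create /tn "VendorUpdate" /sc DAILY /tr "C:\\Program Files\\Vendor\\update.exe" /f'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<5} {f['detail']}")
```

Rule 3 on its own will also fire on legitimate installers that run RegAsm.exe from a temp directory, so in production it should be joined with the injection telemetry (WriteProcessMemory and SetThreadContext from the same parent) rather than alerted alone; rules 1, 2 and 4 are high-confidence by themselves on a workstation.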
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.1MB
  MD5: 9c682f5b5000cd003e76530706955a72
  SHA1: 1a69da76e05d114a317342dae3e9c7b10f107d43
  SHA256: 36e6a3dd4bfc86c4e707f43cd9515707442d6c424b7661cb41766cfdca322522
  SHA512: 33bd859542e1ae74d8c81427af44022cb91861dc02ee4202505f1e010487d06cb27e1aa83be6af17be4e2d8973289595b2ebe9bdf99a187956662df30b6dc88f

- Filesize: 476KB
  MD5: 35e7f1f850ca524d0eaa6522a4451834
  SHA1: e98db252a62c84fd87416d2ec347de46ec053ebd
  SHA256: 2449fe334bbf8f09ff80422578a6c6961d20a0a456b214f6490c5ed1ae859c9e
  SHA512: 3b013378a51a29652ff84f61050b344f504ef51a51944d469b1d0e629e4abad979416a56b9cffb6cfe20b80dfbebffec35dce6f5dc10b02907dee538f9f17a01

- Filesize: 662KB
  MD5: 0006ad7b9f2a9b304e5b3790f6f18807
  SHA1: 00db2c60fca8aec6b504dd8fd4861a2e59a21fe9
  SHA256: 014d6c58dd7459c1664196ccd49b796f861d7d7e7e6c573bbb9cdc7cadc21450
  SHA512: 31fcde22e25be698ef2efd44cc65b758e8c9e8b62504f3254f9cc44bfaabdaa0c94cefceac12833372f8b2797b6bd0205bb9c8f1626e25ee4117d886198fb7db

- Filesize: 40KB
  MD5: a182561a527f929489bf4b8f74f65cd7
  SHA1: 8cd6866594759711ea1836e86a5b7ca64ee8911f
  SHA256: 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
  SHA512: 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

- Filesize: 114KB
  MD5: 3914229ad727c7cd45e8a32ad29036a4
  SHA1: d01f833636d7972e1fe488925b21f8d8a2c987e9
  SHA256: 6c93e72f201c3172c2b1b2a5ee1b5e13bbf57078b9b7e2298019ad0d6463d1f1
  SHA512: fab86a83e0feb9df02c7ffede3ad0a6fa139e8707526ed2b06c139bb7d341b8515832ea4b07144ac11eeab5646d461c7fb2c73492f5a951755e0a29a3baac103

- Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

- Filesize: 20KB
  MD5: 49693267e0adbcd119f9f5e02adf3a80
  SHA1: 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
  SHA256: d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
  SHA512: b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

- Filesize: 116KB
  MD5: f70aa3fa04f0536280f872ad17973c3d
  SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
  SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
  SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

- Filesize: 96KB
  MD5: 40f3eb83cc9d4cdb0ad82bd5ff2fb824
  SHA1: d6582ba879235049134fa9a351ca8f0f785d8835
  SHA256: cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
  SHA512: cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2