Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
29-06-2024 23:33
General
-
Target
FieroHack.exe
-
Size
6.3MB
-
MD5
b88f61a7938ef8af011259c59efc3d3d
-
SHA1
ba6f4356993959799fbd88bb350558045c363a85
-
SHA256
640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2
-
SHA512
ba7a3564327f2ec4e0c34710205bdb297b8c4a29f020f973462897d52f4d99fefbb74c1f511195d2ac3bae0e44a8dc749cdf6d043ff5fba9939cdd73c59e7d40
-
SSDEEP
98304:0rLVoBkwXnc+AdMIm8r3ctMmKCOQhMCTgeZ1lcvd6:uhIkwt+x31/CICj1lg6
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FieroHack.exe"C:\Users\Admin\AppData\Local\Temp\FieroHack.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WeMod.exeC:\Users\Admin\AppData\Roaming\WeMod.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "BFFESVJT"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "BFFESVJT"3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Users\Admin\AppData\Roaming\Sirus.exeC:\Users\Admin\AppData\Roaming\Sirus.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4436,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:81⤵
-
C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exeC:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3f52jgc.uu5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/476-31-0x0000000008FF0000-0x00000000090FA000-memory.dmpFilesize
1.0MB
-
memory/476-124-0x00000000745BE000-0x00000000745BF000-memory.dmpFilesize
4KB
-
memory/476-125-0x00000000745B0000-0x0000000074D60000-memory.dmpFilesize
7.7MB
-
memory/476-34-0x0000000009100000-0x000000000914C000-memory.dmpFilesize
304KB
-
memory/476-33-0x0000000008F90000-0x0000000008FCC000-memory.dmpFilesize
240KB
-
memory/476-25-0x0000000000FD0000-0x000000000101A000-memory.dmpFilesize
296KB
-
memory/476-32-0x0000000008F30000-0x0000000008F42000-memory.dmpFilesize
72KB
-
memory/476-30-0x00000000094A0000-0x0000000009AB8000-memory.dmpFilesize
6.1MB
-
memory/476-29-0x0000000005E60000-0x0000000005E6A000-memory.dmpFilesize
40KB
-
memory/476-28-0x0000000005BA0000-0x0000000005C32000-memory.dmpFilesize
584KB
-
memory/476-24-0x00000000745BE000-0x00000000745BF000-memory.dmpFilesize
4KB
-
memory/476-27-0x00000000745B0000-0x0000000074D60000-memory.dmpFilesize
7.7MB
-
memory/476-26-0x00000000060B0000-0x0000000006654000-memory.dmpFilesize
5.6MB
-
memory/524-113-0x0000000001630000-0x0000000001650000-memory.dmpFilesize
128KB
-
memory/524-106-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-127-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-126-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-120-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-121-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-122-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-123-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-119-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-107-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-108-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-109-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-110-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-111-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/524-112-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1536-54-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-15-0x000001E39FCC0000-0x000001E39FCC1000-memory.dmpFilesize
4KB
-
memory/1536-22-0x00007FF81B230000-0x00007FF81B4F9000-memory.dmpFilesize
2.8MB
-
memory/1536-20-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-5-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-10-0x000001E39FC50000-0x000001E39FC97000-memory.dmpFilesize
284KB
-
memory/1536-21-0x00007FF81DA10000-0x00007FF81DC05000-memory.dmpFilesize
2.0MB
-
memory/1536-14-0x00007FF81D790000-0x00007FF81D82E000-memory.dmpFilesize
632KB
-
memory/1536-55-0x00007FF67CD21000-0x00007FF67CFD0000-memory.dmpFilesize
2.7MB
-
memory/1536-6-0x00007FF67CD21000-0x00007FF67CFD0000-memory.dmpFilesize
2.7MB
-
memory/1536-7-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-8-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-9-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-53-0x00007FF81D790000-0x00007FF81D82E000-memory.dmpFilesize
632KB
-
memory/1536-52-0x00007FF81B230000-0x00007FF81B4F9000-memory.dmpFilesize
2.8MB
-
memory/1536-4-0x00007FF67CA90000-0x00007FF67CFD0000-memory.dmpFilesize
5.2MB
-
memory/1536-51-0x00007FF81DA10000-0x00007FF81DC05000-memory.dmpFilesize
2.0MB
-
memory/1536-23-0x00007FF81D790000-0x00007FF81D82E000-memory.dmpFilesize
632KB
-
memory/2068-102-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2068-101-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2068-100-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2068-99-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2068-98-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2068-105-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2988-94-0x00000197F0980000-0x00000197F0986000-memory.dmpFilesize
24KB
-
memory/2988-93-0x00000197F0950000-0x00000197F0958000-memory.dmpFilesize
32KB
-
memory/2988-92-0x00000197F09A0000-0x00000197F09BA000-memory.dmpFilesize
104KB
-
memory/2988-91-0x00000197F0940000-0x00000197F094A000-memory.dmpFilesize
40KB
-
memory/2988-90-0x00000197F0960000-0x00000197F097C000-memory.dmpFilesize
112KB
-
memory/2988-95-0x00000197F0990000-0x00000197F099A000-memory.dmpFilesize
40KB
-
memory/2988-89-0x00000197F07F0000-0x00000197F07FA000-memory.dmpFilesize
40KB
-
memory/2988-88-0x00000197F0730000-0x00000197F07E5000-memory.dmpFilesize
724KB
-
memory/2988-87-0x00000197F0710000-0x00000197F072C000-memory.dmpFilesize
112KB
-
memory/4344-42-0x000001E179630000-0x000001E179652000-memory.dmpFilesize
136KB
-
memory/4428-67-0x00007FF81D790000-0x00007FF81D82E000-memory.dmpFilesize
632KB
-
memory/4428-61-0x00007FF72A8C0000-0x00007FF72AE00000-memory.dmpFilesize
5.2MB
-
memory/4428-58-0x00007FF72A8C0000-0x00007FF72AE00000-memory.dmpFilesize
5.2MB
-
memory/4428-118-0x00007FF72A8C0000-0x00007FF72AE00000-memory.dmpFilesize
5.2MB
-
memory/4428-116-0x00007FF81B230000-0x00007FF81B4F9000-memory.dmpFilesize
2.8MB
-
memory/4428-115-0x00007FF81DA10000-0x00007FF81DC05000-memory.dmpFilesize
2.0MB
-
memory/4428-117-0x00007FF81D790000-0x00007FF81D82E000-memory.dmpFilesize
632KB
-
memory/4428-62-0x000001E889B80000-0x000001E889BC7000-memory.dmpFilesize
284KB
-
memory/4428-63-0x00007FF72A8C0000-0x00007FF72AE00000-memory.dmpFilesize
5.2MB
-
memory/4428-60-0x00007FF72A8C0000-0x00007FF72AE00000-memory.dmpFilesize
5.2MB
-
memory/4428-59-0x00007FF72A8C0000-0x00007FF72AE00000-memory.dmpFilesize
5.2MB