Analysis

  • max time kernel
    1800s
  • max time network
    1800s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-12-2020 08:29

General

  • Target

    client.bin.exe

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\client.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\NS-7M64B.tmp\NS-5C19F.tmp
      "C:\Users\Admin\AppData\Local\Temp\NS-7M64B.tmp\NS-5C19F.tmp" /et9 $20110 C:\Users\Admin\AppData\Local\Temp\client.bin.exe 4590206 359424 /password=1dwhcbw /verysilent
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\ml2os0lx\lb3od53.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /Y /I /S "C:\Users\Admin\AppData\Local\Temp\ml2os0lx\*" "C:\Users\Admin\AppData\Roaming\Deployment\"
          4⤵
          • Enumerates system info in registry
          PID:192
        • C:\Users\Admin\AppData\Roaming\Deployment\dwm.exe
          "C:\Users\Admin\AppData\Roaming\Deployment\dwm.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "dwm" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\DEPLOY~1\dwm.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1660
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "dwm" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\DEPLOY~1\dwm.exe"
              6⤵
              • Adds Run key to start application
              PID:2192
          • C:\Users\Admin\AppData\Local\Temp\2.exe
            C:\Users\Admin\AppData\Local\Temp\2.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3644
            • C:\Users\Admin\AppData\Local\Temp\2.exe
              "{path}"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3984
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\2.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2276
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 3
                  8⤵
                  • Runs ping.exe
                  PID:2200

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3644-54-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

    Filesize

    4KB

  • memory/3644-55-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

    Filesize

    4KB

  • memory/3644-56-0x00000000084A0000-0x00000000084A1000-memory.dmp

    Filesize

    4KB

  • memory/3644-57-0x0000000005140000-0x0000000005144000-memory.dmp

    Filesize

    16KB

  • memory/3644-58-0x0000000008930000-0x00000000089D9000-memory.dmp

    Filesize

    676KB

  • memory/3644-53-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

  • memory/3644-51-0x0000000000440000-0x0000000000441000-memory.dmp

    Filesize

    4KB

  • memory/3644-50-0x0000000071090000-0x000000007177E000-memory.dmp

    Filesize

    6.9MB

  • memory/3984-66-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

    Filesize

    4KB

  • memory/3984-67-0x0000000005460000-0x0000000005461000-memory.dmp

    Filesize

    4KB

  • memory/3984-68-0x0000000005440000-0x0000000005441000-memory.dmp

    Filesize

    4KB

  • memory/3984-69-0x00000000054B0000-0x00000000054B1000-memory.dmp

    Filesize

    4KB

  • memory/3984-70-0x0000000005750000-0x0000000005751000-memory.dmp

    Filesize

    4KB

  • memory/3984-71-0x00000000068D0000-0x00000000068D1000-memory.dmp

    Filesize

    4KB

  • memory/3984-72-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

    Filesize

    4KB

  • memory/3984-75-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

    Filesize

    4KB

  • memory/3984-76-0x0000000006D20000-0x0000000006D21000-memory.dmp

    Filesize

    4KB

  • memory/3984-77-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

    Filesize

    4KB

  • memory/3984-63-0x0000000071090000-0x000000007177E000-memory.dmp

    Filesize

    6.9MB

  • memory/3984-59-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB