Analysis

Max time kernel: 1800s
Max time network: 1800s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 27-12-2020 08:29

Static task: static1

Behavioral tasks (each runs sample client.bin.exe on resource win10v20201028):
- behavioral1
- behavioral2
- behavioral3
- behavioral4

General

Target: client.bin.exe

Malware Config

Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/3984-59-0x0000000000400000-0x000000000042A000-memory.dmp    family_redline
  behavioral1/memory/3984-60-0x000000000042411A-mapping.dmp                      family_redline
Executes dropped EXE 4 IoCs
  pid    Process
  2516   NS-5C19F.tmp
  1140   dwm.exe
  3644   2.exe
  3984   2.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description          ioc                                                                                                  Process
  Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    dwm.exe
Loads dropped DLL 9 IoCs
  pid    Process
  2516   NS-5C19F.tmp
  1140   dwm.exe (8 identical entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description        ioc                                                                                                                                                                               Process
  Key created        \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                     reg.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\DEPLOY~1\\dwm.exe"    reg.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  38     checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs
  description                          pid    Process   procid_target
  PID 3644 set thread context of 3984  3644   2.exe     88
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoC)
  description          ioc                                                  Process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier    xcopy.exe
Runs ping.exe 1 TTPs 1 IoCs
  pid    Process
  2200   PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid    Process
  1140   dwm.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description                 pid    Process
  Token: SeDebugPrivilege     1140   dwm.exe
  Token: SeDebugPrivilege     3984   2.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid    Process
  3644   2.exe
Suspicious use of SendNotifyMessage 1 IoCs
  pid    Process
  3644   2.exe
Suspicious use of WriteProcessMemory 35 IoCs
  description                       pid    Process          procid_target   entries
  PID 1144 wrote to memory of 2516  1144   client.bin.exe   75              3
  PID 2516 wrote to memory of 548   2516   NS-5C19F.tmp     77              3
  PID 548 wrote to memory of 192    548    cmd.exe          79              3
  PID 548 wrote to memory of 1140   548    cmd.exe          80              3
  PID 1140 wrote to memory of 1660  1140   dwm.exe          81              3
  PID 1660 wrote to memory of 2192  1660   cmd.exe          83              3
  PID 1140 wrote to memory of 3644  1140   dwm.exe          87              3
  PID 3644 wrote to memory of 3984  3644   2.exe            88              8
  PID 3984 wrote to memory of 2276  3984   2.exe            89              3
  PID 2276 wrote to memory of 2200  2276   cmd.exe          91              3
Processes

C:\Users\Admin\AppData\Local\Temp\client.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\client.bin.exe"
  PID: 1144
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NS-7M64B.tmp\NS-5C19F.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\NS-7M64B.tmp\NS-5C19F.tmp" /et9 $20110 C:\Users\Admin\AppData\Local\Temp\client.bin.exe 4590206 359424 /password=1dwhcbw /verysilent
    PID: 2516
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\ml2os0lx\lb3od53.bat""
      PID: 548
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\xcopy.exe
        Command line: xcopy /Y /I /S "C:\Users\Admin\AppData\Local\Temp\ml2os0lx\*" "C:\Users\Admin\AppData\Roaming\Deployment\"
        PID: 192
        - Enumerates system info in registry

      C:\Users\Admin\AppData\Roaming\Deployment\dwm.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Deployment\dwm.exe"
        PID: 1140
        - Executes dropped EXE
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "dwm" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\DEPLOY~1\dwm.exe"
          PID: 1660
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "dwm" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\DEPLOY~1\dwm.exe"
            PID: 2192
            - Adds Run key to start application

        C:\Users\Admin\AppData\Local\Temp\2.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\2.exe
          PID: 3644
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\2.exe
            Command line: "{path}"
            PID: 3984
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\2.exe"
              PID: 2276
              - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 3
                PID: 2200
                - Runs ping.exe