Analysis
-
max time kernel
601s -
max time network
590s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
27-12-2020 08:29
Static task
static1
Behavioral task
behavioral1
Sample
client.bin.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
client.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
client.bin.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
client.bin.exe
Resource
win10v20201028
General
-
Target
client.bin.exe
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral4/memory/940-79-0x0000000000400000-0x000000000042A000-memory.dmp family_redline behavioral4/memory/940-80-0x000000000042411A-mapping.dmp family_redline -
Executes dropped EXE 7 IoCs
pid Process 960 NS-ICSLS.tmp 3840 dwm.exe 3008 1.exe 2252 WindowsFormsApp1.exe 2268 dwedfwefewfweferferf.exe 1452 2.exe 940 2.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation dwm.exe -
Loads dropped DLL 9 IoCs
pid Process 960 NS-ICSLS.tmp 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\DEPLOY~1\\dwm.exe" reg.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 api.ipify.org 34 ip-api.com 44 checkip.amazonaws.com 32 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1452 set thread context of 940 1452 2.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1528 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 3840 dwm.exe 2268 dwedfwefewfweferferf.exe 2268 dwedfwefewfweferferf.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3840 dwm.exe Token: SeDebugPrivilege 2268 dwedfwefewfweferferf.exe Token: SeDebugPrivilege 940 2.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1452 2.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1452 2.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 644 wrote to memory of 960 644 client.bin.exe 74 PID 644 wrote to memory of 960 644 client.bin.exe 74 PID 644 wrote to memory of 960 644 client.bin.exe 74 PID 960 wrote to memory of 3084 960 NS-ICSLS.tmp 76 PID 960 wrote to memory of 3084 960 NS-ICSLS.tmp 76 PID 960 wrote to memory of 3084 960 NS-ICSLS.tmp 76 PID 3084 wrote to memory of 2600 3084 cmd.exe 78 PID 3084 wrote to memory of 2600 3084 cmd.exe 78 PID 3084 wrote to memory of 2600 3084 cmd.exe 78 PID 3084 wrote to memory of 3840 3084 cmd.exe 79 PID 3084 wrote to memory of 3840 3084 cmd.exe 79 PID 3084 wrote to memory of 3840 3084 cmd.exe 79 PID 3840 wrote to memory of 1172 3840 dwm.exe 80 PID 3840 wrote to memory of 1172 3840 dwm.exe 80 PID 3840 wrote to memory of 1172 3840 dwm.exe 80 PID 1172 wrote to memory of 2132 1172 cmd.exe 82 PID 1172 wrote to memory of 2132 1172 cmd.exe 82 PID 1172 wrote to memory of 2132 1172 cmd.exe 82 PID 3840 wrote to memory of 3008 3840 dwm.exe 86 PID 3840 wrote to memory of 3008 3840 dwm.exe 86 PID 3840 wrote to memory of 3008 3840 dwm.exe 86 PID 3008 wrote to memory of 2252 3008 1.exe 87 PID 3008 wrote to memory of 2252 3008 1.exe 87 PID 2252 wrote to memory of 2268 2252 WindowsFormsApp1.exe 89 PID 2252 wrote to memory of 2268 2252 WindowsFormsApp1.exe 89 PID 2252 wrote to memory of 2268 2252 WindowsFormsApp1.exe 89 PID 3840 wrote to memory of 1452 3840 dwm.exe 90 PID 3840 wrote to memory of 1452 3840 dwm.exe 90 PID 3840 wrote to memory of 1452 3840 dwm.exe 90 PID 2268 wrote to memory of 2636 2268 dwedfwefewfweferferf.exe 91 PID 2268 wrote to memory of 2636 2268 dwedfwefewfweferferf.exe 91 PID 2268 wrote to memory of 2636 2268 dwedfwefewfweferferf.exe 91 PID 2636 wrote to memory of 1496 2636 cmd.exe 93 PID 2636 wrote to memory of 1496 2636 cmd.exe 93 PID 2636 wrote to memory of 1496 2636 cmd.exe 93 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 1452 wrote to memory of 940 1452 2.exe 94 PID 940 wrote to memory of 2944 940 2.exe 95 PID 940 wrote to memory of 2944 940 2.exe 95 PID 940 wrote to memory of 2944 940 2.exe 95 PID 2944 wrote to memory of 1528 2944 cmd.exe 97 PID 2944 wrote to memory of 1528 2944 cmd.exe 97 PID 2944 wrote to memory of 1528 2944 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\client.bin.exe"C:\Users\Admin\AppData\Local\Temp\client.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Users\Admin\AppData\Local\Temp\NS-MA6UH.tmp\NS-ICSLS.tmp"C:\Users\Admin\AppData\Local\Temp\NS-MA6UH.tmp\NS-ICSLS.tmp" /et9 $2010E C:\Users\Admin\AppData\Local\Temp\client.bin.exe 4590206 359424 /password=1dwhcbw /verysilent2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\ml2os0lx\lb3od53.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\xcopy.exexcopy /Y /I /S "C:\Users\Admin\AppData\Local\Temp\ml2os0lx\*" "C:\Users\Admin\AppData\Roaming\Deployment\"4⤵
- Enumerates system info in registry
PID:2600
-
-
C:\Users\Admin\AppData\Roaming\Deployment\dwm.exe"C:\Users\Admin\AppData\Roaming\Deployment\dwm.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "dwm" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\DEPLOY~1\dwm.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /V "dwm" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\DEPLOY~1\dwm.exe"6⤵
- Adds Run key to start application
PID:2132
-
-
-
C:\Users\Admin\AppData\Local\Temp\1.exeC:\Users\Admin\AppData\Local\Temp\1.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp1.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\dwedfwefewfweferferf.exe"C:\Users\Admin\AppData\Local\dwedfwefewfweferferf.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "dwedfwefewfweferferf.exe"8⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵PID:1496
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exeC:\Users\Admin\AppData\Local\Temp\2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\2.exe"{path}"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 38⤵
- Runs ping.exe
PID:1528
-
-
-
-
-
-
-