Overview

overview

10

Static

static

310fd2e6a2...88.exe

windows7_x64

10

310fd2e6a2...88.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-03-2021 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    310fd2e6a2056c7983afd48b75b5ca88.exe

  • Size

    995KB

  • MD5

    310fd2e6a2056c7983afd48b75b5ca88

  • SHA1

    ddfeb5cbe8b9ae528629fe5e8afea7a7ea8fe570

  • SHA256

    1df627a462077149e7a934ea1b758c8fccf34933f340fab14ca8976b4a6a5c20

  • SHA512

    e60b86a1f38d7062bf1f766bc905abd7605803dc380b077f643d5b3b9c7a5c6710e2d777d2d05a7c3b756da8d87850653f2ef6d236e599287bd316b0039a51fe

Score
10/10
redlineagilenetdiscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\310fd2e6a2056c7983afd48b75b5ca88.exe
    "C:\Users\Admin\AppData\Local\Temp\310fd2e6a2056c7983afd48b75b5ca88.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Admin\AppData\Local\Temp\310fd2e6a2056c7983afd48b75b5ca88.exe
      "C:\Users\Admin\AppData\Local\Temp\310fd2e6a2056c7983afd48b75b5ca88.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\update.exe
        "C:\Users\Admin\AppData\Local\Temp\update.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
            5⤵
            • Modifies WinLogon for persistence
            PID:1976
        • C:\Users\Admin\Documents\drivers\uplauncher.exe
          "C:\Users\Admin\Documents\drivers\uplauncher.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3412
          • C:\Users\Admin\Documents\drivers\uplauncher.exe
            "C:\Users\Admin\Documents\drivers\uplauncher.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1344
            • C:\Users\Admin\Documents\drivers\uplauncher.exe
              "C:\Users\Admin\Documents\drivers\uplauncher.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\310fd2e6a2056c7983afd48b75b5ca88.exe.log
    MD5

    8b0dd41c781f2103af068edf33534a51

    SHA1

    098e1e3466102faa5596f3f43994f8e39458534e

    SHA256

    8c4fe19e7e0ae1d0b74f396d2053fcf1071974c850d3e6c7e921d811546ae81d

    SHA512

    11a8bc39ce4da61c855dcf95aef3da6cec591d8c3f013a14c5451ad582126383aa1c75517510bd0b93bace023b2238fee09739752c35ec7db1a14d77fb6eb58d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uplauncher.exe.log
    MD5

    5b650053603e6da74db3e68eb78cce7c

    SHA1

    c8530ff9de11aa6f7ae8f44f3225cead3a39d6ec

    SHA256

    0699ccdfd7be10071af5ab49cc901515e8c016712ff6a535183b27007c11b6f0

    SHA512

    104597b176fccc8175074064b79edadd6db91d808231038544526ed78686e0389c251967cad1c9a1ebdc844770eb09ebcb20d29db5ffd81b31339e0ba1a0c70c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\update.exe
    MD5

    94d71670e23d7506db97f44644b7e231

    SHA1

    f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

    SHA256

    1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

    SHA512

    dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\update.exe
    MD5

    94d71670e23d7506db97f44644b7e231

    SHA1

    f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

    SHA256

    1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

    SHA512

    dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

    Download Submit
  • C:\Users\Admin\Documents\drivers\uplauncher.exe
    MD5

    94d71670e23d7506db97f44644b7e231

    SHA1

    f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

    SHA256

    1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

    SHA512

    dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

    Download Submit
  • C:\Users\Admin\Documents\drivers\uplauncher.exe
    MD5

    94d71670e23d7506db97f44644b7e231

    SHA1

    f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

    SHA256

    1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

    SHA512

    dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

    Download Submit
  • C:\Users\Admin\Documents\drivers\uplauncher.exe
    MD5

    94d71670e23d7506db97f44644b7e231

    SHA1

    f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

    SHA256

    1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

    SHA512

    dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

    Download Submit
  • C:\Users\Admin\Documents\drivers\uplauncher.exe
    MD5

    94d71670e23d7506db97f44644b7e231

    SHA1

    f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

    SHA256

    1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

    SHA512

    dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

    Download Submit
  • memory/812-11-0x00000000050C1000-0x00000000050C2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-7-0x0000000004F70000-0x0000000004F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-3-0x0000000000380000-0x0000000000381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-5-0x00000000053D0000-0x00000000053D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-12-0x0000000009230000-0x000000000923B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/812-6-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-2-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/812-13-0x0000000009240000-0x0000000009241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-8-0x00000000050C0000-0x00000000050C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/812-10-0x0000000006390000-0x00000000063BF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1344-82-0x0000000005430000-0x0000000005431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1344-81-0x0000000005640000-0x0000000005641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1344-74-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1344-87-0x0000000005641000-0x0000000005642000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1344-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1832-51-0x0000000000000000-mapping.dmp
    Download
  • memory/1976-52-0x0000000000000000-mapping.dmp
    Download
  • memory/2272-88-0x0000000000000000-mapping.dmp
    Download
  • memory/2272-90-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2272-98-0x0000000005900000-0x0000000005901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2272-97-0x0000000005970000-0x0000000005971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-20-0x0000000005840000-0x0000000005841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-29-0x00000000079B0000-0x00000000079B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-14-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2716-15-0x000000000041F376-mapping.dmp
    Download
  • memory/2716-17-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2716-21-0x0000000003130000-0x0000000003131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-22-0x0000000005D80000-0x0000000005D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-23-0x0000000006510000-0x0000000006511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-24-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-25-0x0000000006000000-0x0000000006001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-26-0x0000000006040000-0x0000000006041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-33-0x0000000003131000-0x0000000003132000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-32-0x0000000007520000-0x0000000007521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-27-0x00000000062A0000-0x00000000062A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-28-0x00000000072B0000-0x00000000072B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3412-64-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3412-54-0x0000000000000000-mapping.dmp
    Download
  • memory/3412-70-0x0000000004EC1000-0x0000000004EC2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3412-65-0x0000000004E20000-0x0000000004E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3412-62-0x0000000004F90000-0x0000000004F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3412-57-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3984-53-0x0000000005871000-0x0000000005872000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-39-0x0000000000E40000-0x0000000000E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-35-0x0000000000000000-mapping.dmp
    Download
  • memory/3984-38-0x0000000074070000-0x000000007475E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3984-50-0x0000000007270000-0x0000000007271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-48-0x00000000072B0000-0x00000000072D1000-memory.dmp
    Filesize

    132KB

    Download
  • memory/3984-46-0x0000000005870000-0x0000000005871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-47-0x0000000003100000-0x0000000003101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3984-43-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download