Overview

overview

10

Static

static

1712476341.exe

windows7_x64

10

1712476341.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-03-2021 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1712476341.exe

  • Size

    256KB

  • MD5

    0230b090e69b97194d25a53f2d5514eb

  • SHA1

    ac76b29802d240f721fb09adff57950f32989fb7

  • SHA256

    1b51a62c1d975227247671411dfa82b3521e82eeaa665e420e81e1f8bf0616f7

  • SHA512

    4f907e2624cf9c87c8d5aae709329f20cd59077ba370ba7b581100aa980cb9a92186b4f8436568bb0b8d1ef3551b514c967febdf2f717f3be718a8bc39035907

Score
10/10
redlinediscoveryevasioninfostealerspywaretrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1712476341.exe
    "C:\Users\Admin\AppData\Local\Temp\1712476341.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1712476341.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:816
    • C:\Users\Admin\AppData\Local\Temp\1712476341.exe
      "C:\Users\Admin\AppData\Local\Temp\1712476341.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1808
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

5
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/620-11-0x0000000073E00000-0x00000000744EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/620-57-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-12-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-13-0x00000000048B0000-0x00000000048B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-7-0x0000000000000000-mapping.dmp
    Download
  • memory/620-8-0x00000000760D1000-0x00000000760D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/620-22-0x0000000002690000-0x0000000002691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-42-0x0000000005610000-0x0000000005611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-28-0x0000000006020000-0x0000000006021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-58-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-46-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-14-0x0000000002410000-0x0000000002411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-41-0x0000000006280000-0x0000000006281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-17-0x0000000004870000-0x0000000004871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-18-0x0000000004872000-0x0000000004873000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-34-0x0000000006120000-0x0000000006121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/620-33-0x0000000006080000-0x0000000006081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/756-9-0x0000000000000000-mapping.dmp
    Download
  • memory/816-10-0x0000000000000000-mapping.dmp
    Download
  • memory/968-20-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/968-19-0x0000000073E00000-0x00000000744EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/968-16-0x000000000041E192-mapping.dmp
    Download
  • memory/968-15-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/968-59-0x0000000004650000-0x0000000004651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1108-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1108-6-0x0000000000B90000-0x0000000000C26000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1108-5-0x0000000004430000-0x0000000004431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1108-3-0x0000000000D90000-0x0000000000D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1476-23-0x0000000000000000-mapping.dmp
    Download
  • memory/1476-24-0x0000000001F70000-0x0000000001F81000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1476-25-0x0000000000420000-0x0000000000421000-memory.dmp
    Filesize

    4KB

    Download