redline | 9624e9bf93ace2e4b9106fb1b30c1dfb9de68bf63f4fb9559f11078569fbe334

General

Target

ce0f93d2bb7f18632d6695cf4800f436.exe
Size

1.4MB
MD5

ce0f93d2bb7f18632d6695cf4800f436
SHA1

c36922e5580cf622752115f2c8fa95278ad455a7
SHA256

9624e9bf93ace2e4b9106fb1b30c1dfb9de68bf63f4fb9559f11078569fbe334
SHA512

df13fbc9df58029868f442b84f5b24cea6cab0fe019898dce524ed99876642db4ae0ad2226d35c7fa75f8a43644cfb36d3a9a4ad6c2bfe67ddd9709af604b99b

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1940-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/1940-12-0x000000000041FA42-mapping.dmp	family_redline

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

ce0f93d2bb7f18632d6695cf4800f436.exe

pid	process
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ce0f93d2bb7f18632d6695cf4800f436.exe

description pid process target process

PID 644 set thread context of 1940 644 ce0f93d2bb7f18632d6695cf4800f436.exe ce0f93d2bb7f18632d6695cf4800f436.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3464 644 WerFault.exe ce0f93d2bb7f18632d6695cf4800f436.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1196 timeout.exe

description	pid	process	target process
PID 644 set thread context of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe

pid	pid_target	process	target process
3464	644	WerFault.exe	ce0f93d2bb7f18632d6695cf4800f436.exe

pid	process
1196	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

ce0f93d2bb7f18632d6695cf4800f436.exeWerFault.exe

pid	process
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
644	ce0f93d2bb7f18632d6695cf4800f436.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe
3464	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ce0f93d2bb7f18632d6695cf4800f436.exeWerFault.exece0f93d2bb7f18632d6695cf4800f436.exe

description	pid	process
Token: SeDebugPrivilege	644	ce0f93d2bb7f18632d6695cf4800f436.exe
Token: SeRestorePrivilege	3464	WerFault.exe
Token: SeBackupPrivilege	3464	WerFault.exe
Token: SeDebugPrivilege	3464	WerFault.exe
Token: SeDebugPrivilege	1940	ce0f93d2bb7f18632d6695cf4800f436.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ce0f93d2bb7f18632d6695cf4800f436.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 2836	644	ce0f93d2bb7f18632d6695cf4800f436.exe	cmd.exe
PID 644 wrote to memory of 2836	644	ce0f93d2bb7f18632d6695cf4800f436.exe	cmd.exe
PID 644 wrote to memory of 2836	644	ce0f93d2bb7f18632d6695cf4800f436.exe	cmd.exe
PID 2836 wrote to memory of 1196	2836	cmd.exe	timeout.exe
PID 2836 wrote to memory of 1196	2836	cmd.exe	timeout.exe
PID 2836 wrote to memory of 1196	2836	cmd.exe	timeout.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe
PID 644 wrote to memory of 1940	644	ce0f93d2bb7f18632d6695cf4800f436.exe	ce0f93d2bb7f18632d6695cf4800f436.exe

C:\Users\Admin\AppData\Local\Temp\ce0f93d2bb7f18632d6695cf4800f436.exe
"C:\Users\Admin\AppData\Local\Temp\ce0f93d2bb7f18632d6695cf4800f436.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1196

C:\Users\Admin\AppData\Local\Temp\ce0f93d2bb7f18632d6695cf4800f436.exe
"C:\Users\Admin\AppData\Local\Temp\ce0f93d2bb7f18632d6695cf4800f436.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1464
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-10-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000005520000-0x0000000005551000-memory.dmp

Filesize
196KB

Download
memory/644-7-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/644-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1196-9-0x0000000000000000-mapping.dmp

Download
memory/1940-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1940-12-0x000000000041FA42-mapping.dmp

Download
memory/1940-13-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1940-16-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/1940-17-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/1940-18-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1940-20-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1940-21-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1940-22-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2836-8-0x0000000000000000-mapping.dmp

Download
memory/3464-19-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads