Analysis
- max time kernel: 150s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-03-2021 17:05
Static task: static1
Behavioral task: behavioral1 (Sample: clr3.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: clr3.exe, Resource: win10v20201028)
General
- Target: clr3.exe
- Size: 1.1MB
- MD5: b2c1396260a5bf7289fbd08cdb3cc96d
- SHA1: 349ead630fb0f7f12fae208b573a255f12095ed1
- SHA256: 1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445
- SHA512: 23f9135d969bfae5ade2ac4eb1cc4597ad646fcaa814f737422eb6479ef030fc9e19591dc0595684c853104d7b7ada0f0460f8f69067f47e6f09c16e2a665c46
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1084  srvs.exe
  328   swnetwork.exe
  1620  srvs.tmp
- Loads dropped DLL (3 IoCs)
  PID   Process
  1552  clr3.exe
  1552  clr3.exe
  1084  srvs.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The report attaches no host or URL to this signature and its Network section is empty, so there is no C2 indicator to extract from this page.
- Suspicious use of SetThreadContext (1 IoC)
  Source PID  Source     Target PID  Target
  1944        clr3.exe   1552        clr3.exe
  The target is a second copy of the sample's own image, launched (per the process tree) with the command line "{path}". A parent that writes into a same-image child and then sets its thread context is the usual RunPE/process-hollowing sequence used to unpack a protected payload, so PID 1552, not PID 1944, is the process to dump for the actual RedLine code.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour", but nothing else in this report points to encryption; for an infostealer, drive enumeration is more consistent with host fingerprinting.
- Delays execution with timeout.exe (1 IoC)
  PID   Process
  1828  timeout.exe
  Launched as "TIMEOUT /T 8" from C:\ProgramData\uacwev.bat (see the process tree).
- Modifies system certificate store (3 IoCs)
  Process   Operation         Key
  clr3.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
  clr3.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted from this page)
  clr3.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted from this page)
  AuthRoot is the cache that Windows' automatic root-certificate update fills when a TLS chain terminates in a public root not yet present on the machine, and the key name is that root's SHA-1 thumbprint (this one is the thumbprint of DigiCert High Assurance EV Root CA; confirm against the Blob). A write there by a process that has just made an HTTPS connection is therefore usually a side effect of the connection rather than a deliberate trust-store tamper, and is weak as an IoC on its own.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  1552  clr3.exe
  1552  clr3.exe
  1620  srvs.tmp
  1620  srvs.tmp
  328   swnetwork.exe
  328   swnetwork.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token             PID   Process
  SeDebugPrivilege  1552  clr3.exe
  SeDebugPrivilege  328   swnetwork.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  1620  srvs.tmp
- Suspicious use of WriteProcessMemory (34 IoCs)
  Source PID  Source     Target PID  Target         Writes
  1944        clr3.exe   1552        clr3.exe       9
  1552        clr3.exe   1084        srvs.exe       7
  1552        clr3.exe   328         swnetwork.exe  4
  1084        srvs.exe   1620        srvs.tmp       7
  1620        srvs.tmp   1748        cmd.exe        4
  1748        cmd.exe    1828        timeout.exe    3
  A parent writing a handful of times into a child it has just created is what ordinary process creation looks like to this monitor (CreateProcess copies the process parameters into the new process from the parent); cmd.exe writing into timeout.exe is the benign baseline here. The 1944 -> 1552 edge is the one that matters: it is the only edge that also carries a SetThreadContext call and the only one where source and target share an image.
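As an added example (not code from the report or from the sandbox), the script below parses injection events written the way the SetThreadContext and WriteProcessMemory signatures above record them and separates ordinary parent-to-child writes from the hollowing pattern, a WriteProcessMemory plus a SetThreadContext on the same parent/child edge. The event text inside it is constructed from this report's entries, and the field order the regular expression assumes is taken from those lines.

```python
"""Separate benign parent->child writes from hollowing in sandbox events.

Added example, not code from the sandbox report. SAMPLE_EVENTS is
constructed from the SetThreadContext and WriteProcessMemory entries in
the report (one event per line, in the report's own field order); that
field order is an assumption baked into EVENT_RE.
"""
import re
from collections import Counter

SAMPLE_EVENTS = """
PID 1944 set thread context of 1552 1944 clr3.exe clr3.exe
PID 1944 wrote to memory of 1552 1944 clr3.exe clr3.exe
PID 1944 wrote to memory of 1552 1944 clr3.exe clr3.exe
PID 1552 wrote to memory of 1084 1552 clr3.exe srvs.exe
PID 1552 wrote to memory of 328 1552 clr3.exe swnetwork.exe
PID 1084 wrote to memory of 1620 1084 srvs.exe srvs.tmp
PID 1620 wrote to memory of 1748 1620 srvs.tmp cmd.exe
PID 1748 wrote to memory of 1828 1748 cmd.exe timeout.exe
"""

# "PID <src> <verb> <dst> <src> <src image> <dst image>"; the source PID is
# repeated in the report's line, which (?P=src) enforces.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text):
    """Return (api, src_pid, src_img, dst_pid, dst_img) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue
        api = "WriteProcessMemory" if m["verb"].startswith("wrote") else "SetThreadContext"
        events.append((api, int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return events


def write_edges(events):
    """WriteProcessMemory count per (src_pid, dst_pid) edge."""
    edges = Counter()
    for api, src, _, dst, _ in events:
        if api == "WriteProcessMemory":
            edges[(src, dst)] += 1
    return edges


def find_hollowing(events):
    """Edges that carry both WriteProcessMemory and SetThreadContext.

    CreateProcess alone makes the parent write a few times into the child
    (it copies the process parameters in), so writes by themselves are
    noise. Writing into a child *and* resetting its thread context is the
    RunPE/hollowing sequence. Returns (src_pid, dst_pid, dst_img, writes,
    same_image) per hit; same_image is True when the parent hollowed a
    copy of its own image, as the sample in this report does.
    """
    writes = write_edges(events)
    images = {(src, dst): (src_img, dst_img) for _, src, src_img, dst, dst_img in events}
    ctx_edges = {(src, dst) for api, src, _, dst, _ in events if api == "SetThreadContext"}
    hits = []
    for edge in sorted(ctx_edges):
        if writes[edge] == 0:
            continue
        src_img, dst_img = images[edge]
        hits.append((edge[0], edge[1], dst_img, writes[edge], src_img.lower() == dst_img.lower()))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, dst, img, n, same in find_hollowing(evs):
        print(f"hollowing candidate: PID {src} -> PID {dst} ({img}), {n} writes, same image: {same}")
```

Run as-is it flags only the 1944 -> 1552 edge; the other edges carry writes but no SetThreadContext and are left alone, which is the distinction a detection rule on these two APIs needs to make. To reuse it on another report, paste that report's injection lines into SAMPLE_EVENTS.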
Processes
Indentation shows depth in the tree (the report's levels 1 to 6). Each entry gives the image path, the command line as recorded, the PID, and the signatures that fired in that process.

C:\Users\Admin\AppData\Local\Temp\clr3.exe  "C:\Users\Admin\AppData\Local\Temp\clr3.exe"  PID 1944
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\clr3.exe  "{path}"  PID 1552
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\srvs.exe  "C:\Users\Admin\AppData\Local\Temp\srvs.exe"  PID 1084
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\is-16J1L.tmp\srvs.tmp  "C:\Users\Admin\AppData\Local\Temp\is-16J1L.tmp\srvs.tmp" /SL5="$40154,9285237,79360,C:\Users\Admin\AppData\Local\Temp\srvs.exe"  PID 1620
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\uacwev.bat""  PID 1748
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\timeout.exe  TIMEOUT /T 8  PID 1828
            - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Local\Temp\swnetwork.exe  "C:\Users\Admin\AppData\Local\Temp\swnetwork.exe"  PID 328
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the original clr3.exe (PID 1944) does nothing but start a second copy of itself, recorded with the literal command line "{path}", and inject into it; everything attributed to the sample (the certificate-store write, SeDebugPrivilege, process enumeration, dropping srvs.exe and swnetwork.exe) happens in that hollowed copy, PID 1552. srvs.exe is an Inno Setup installer: the is-16J1L.tmp directory and the /SL5= switch handed back to the extracted loader stub (ending in the path of the parent setup executable) are Inno Setup's setup-loader conventions rather than behaviour specific to this sample, and the only action observed from the batch file it runs, C:\ProgramData\uacwev.bat, is an 8-second TIMEOUT. swnetwork.exe, the second dropped executable, is the other process that takes SeDebugPrivilege. These PIDs come from the Windows 7 task (behavioral1); the Windows 10 task is not shown on this page.
Network
MITRE ATT&CK Enterprise v6
Downloads
Six distinct files by hash; the report lists some entries more than once, and those are marked with their count. No file names are given on this page.
- MD5:    fe66a84c175bcd25b2a6221fa3c74976
  SHA1:   69745ac398f3cbbb61fa253625faff2c5e7defe0
  SHA256: 2984d41816d24e4f00f4aabead77f558d25134f70099d0da610adcefce82126c
  SHA512: 654842bb119f67163332887d9fe8e7f84ad24b1f3077acc49e830bec095b4fa7cac1d4d3168e626f5cadad3d6e5696cbac4d2700f7af2396a6c130e4c28f0c36
- MD5:    ace1a6c2ea9446d1bd4b645d00bc2c46
  SHA1:   a9c41e189775db5a507785c1c527ff9fb7a07bd6
  SHA256: 2b875f4d5f0722425969fd5963fa0276a101ce63ddb91e5960f2860ab0aedbf4
  SHA512: 1fba8400d354a46fe3e1b19f8a4d817df1ef4c1289d42a8a2257af45838b6b468a0632b9f31239fc45de11771aa9d9fb0b803a6cda359b14c24fb05f71bddbb2
- MD5:    ab2dfff902a3396c2d829fc5f47d0f96
  SHA1:   8c89f1d3080419a23fc83d999d711923fd3d4c09
  SHA256: 7c7c1ab434c6d26365624712c833374ed1dee19f548b3386e64972bdda925694
  SHA512: 369ed24927506980e1c72d5476bcf98c8ec87b13d755fb301312ceb2d187993a06de8361dd6ed11dea34302f8703378815c94bd416448a1ce49bb3457ce2b0a7
- (listed twice)
  MD5:    025b645d99b2eed57b669c7287d24c9e
  SHA1:   6883b676e66a277f43cb4d2eca130c6c47cfed51
  SHA256: 3acef212e738893efc7451c2a7c321ab0f48352b76c46bd6a14b5aeb054453a0
  SHA512: 6db459efe993f1321264168c262fe47a6b91ac2567ab0e417af361ecf2d911e47955478790591846b1840f92013536b5538c0cc528cec99782164f49ee00ba5e
- (listed three times)
  MD5:    79143f8bb899f89ad0a244017e4934dd
  SHA1:   ac491a1e24185677ac59eb1d937b990941e4acd9
  SHA256: c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56
  SHA512: 864972c955955114cf6df157c482bcb9a26b6b5179c549e4aebb25c41731b693a1eb9fb2f88b487ddf7a6421f31b7cfe80f516ca4f8db1d0655a6b587bae0b70
- (listed twice)
  MD5:    3a7d2f1815f84f8f678af316d2475e34
  SHA1:   f13b3cfee8d1f65583a9dd7fc98362e105f19d8e
  SHA256: 848d04f917e919caaf01ce7d1210a92c8516f1df5832d7a78d72f9c3b9aa4973
  SHA512: df1cd6b0423594b5b0794e6505dc858cd77b66aa10b5a810d780c1ae16ad000aa85045171b464f4deef4e2783b8c824c48208ba000fa3b3d18f4b57030530eb2
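As an added example (not code from the report), the script below carries the MD5/SHA256 pairs from the Downloads list, constructed from this page in the order and with the repetitions the report shows, collapses the repeats, and lets a file recovered from a host be matched against them with the MD5 cross-checked, so a copy-paste error in either hash is caught rather than silently matched. The helper names are this example's own.

```python
"""Collapse repeated download-hash entries and match a local file to them.

Added example, not code from the sandbox report. RECORDS is constructed
from the MD5/SHA256 pairs in the report's Downloads list, in the order and
with the repetitions the report shows; SHA1/SHA512 are omitted here only
to keep the table short.
"""
import hashlib

RECORDS = [
    {"md5": "fe66a84c175bcd25b2a6221fa3c74976",
     "sha256": "2984d41816d24e4f00f4aabead77f558d25134f70099d0da610adcefce82126c"},
    {"md5": "ace1a6c2ea9446d1bd4b645d00bc2c46",
     "sha256": "2b875f4d5f0722425969fd5963fa0276a101ce63ddb91e5960f2860ab0aedbf4"},
    {"md5": "ab2dfff902a3396c2d829fc5f47d0f96",
     "sha256": "7c7c1ab434c6d26365624712c833374ed1dee19f548b3386e64972bdda925694"},
    {"md5": "025b645d99b2eed57b669c7287d24c9e",
     "sha256": "3acef212e738893efc7451c2a7c321ab0f48352b76c46bd6a14b5aeb054453a0"},
    {"md5": "79143f8bb899f89ad0a244017e4934dd",
     "sha256": "c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56"},
    {"md5": "79143f8bb899f89ad0a244017e4934dd",
     "sha256": "c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56"},
    {"md5": "3a7d2f1815f84f8f678af316d2475e34",
     "sha256": "848d04f917e919caaf01ce7d1210a92c8516f1df5832d7a78d72f9c3b9aa4973"},
    {"md5": "025b645d99b2eed57b669c7287d24c9e",
     "sha256": "3acef212e738893efc7451c2a7c321ab0f48352b76c46bd6a14b5aeb054453a0"},
    {"md5": "79143f8bb899f89ad0a244017e4934dd",
     "sha256": "c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56"},
    {"md5": "3a7d2f1815f84f8f678af316d2475e34",
     "sha256": "848d04f917e919caaf01ce7d1210a92c8516f1df5832d7a78d72f9c3b9aa4973"},
]


def dedupe(records):
    """Unique entries keyed by SHA256, first-seen order, with how often each appeared.

    Two records that share a SHA256 but disagree on MD5 are a transcription
    error somewhere, so that case raises instead of picking one silently.
    """
    unique = {}
    for rec in records:
        entry = unique.setdefault(rec["sha256"], {"md5": rec["md5"], "count": 0})
        if entry["md5"] != rec["md5"]:
            raise ValueError("conflicting MD5 for SHA256 " + rec["sha256"])
        entry["count"] += 1
    return unique


def hash_bytes(data):
    """The four digests the report records for each file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def match_report(data, records):
    """Look the SHA256 of data up in the report; cross-check MD5 before accepting.

    Returns {"sha256", "md5", "seen"} for a match, None if the file is not in
    the list, and raises if SHA256 matches but MD5 does not (a mangled line).
    """
    digests = hash_bytes(data)
    entry = dedupe(records).get(digests["sha256"])
    if entry is None:
        return None
    if entry["md5"] != digests["md5"]:
        raise ValueError("SHA256 matched but MD5 did not; check the record")
    return {"sha256": digests["sha256"], "md5": entry["md5"], "seen": entry["count"]}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, match_report(fh.read(), RECORDS))
```

Point it at files pulled from %TEMP% and C:\ProgramData on a suspect host (srvs.exe, swnetwork.exe, uacwev.bat are the names this report drops) to see which report entry, if any, each one is; the "seen" count tells you how many times the sandbox recorded that same file.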