Setup[1].exe

General
Target

Setup[1].exe

Filesize

1MB

Completed

03-04-2021 06:02

Score
10 /10
MD5

0657125b7850a7b5796bf6979da502f0

SHA1

686d1ad201f0706daec7dd9bfa60fd1144a7b876

SHA256

c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49

Malware Config

Extracted

Family redline
Botnet 010402
C2

194.135.20.72:3214

Signatures 7

Filter: none

Collection
Credential Access
Discovery
  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext
    Setup[1].exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1056 set thread context of 12521056Setup[1].exeSetup[1].exe
  • Suspicious behavior: EnumeratesProcesses
    Setup[1].exeSetup[1].exe

    Reported IOCs

    pidprocess
    1056Setup[1].exe
    1056Setup[1].exe
    1252Setup[1].exe
    1252Setup[1].exe
  • Suspicious use of AdjustPrivilegeToken
    Setup[1].exeSetup[1].exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1056Setup[1].exe
    Token: SeDebugPrivilege1252Setup[1].exe
  • Suspicious use of WriteProcessMemory
    Setup[1].exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
    PID 1056 wrote to memory of 12521056Setup[1].exeSetup[1].exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
    "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
      "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • memory/1056-2-0x0000000073C60000-0x000000007434E000-memory.dmp

                    • memory/1056-3-0x0000000001110000-0x0000000001111000-memory.dmp

                    • memory/1056-5-0x00000000004F0000-0x00000000004FC000-memory.dmp

                    • memory/1056-6-0x0000000004F60000-0x0000000004F61000-memory.dmp

                    • memory/1056-7-0x0000000005020000-0x0000000005091000-memory.dmp

                    • memory/1056-8-0x0000000000C30000-0x0000000000C61000-memory.dmp

                    • memory/1252-9-0x0000000000400000-0x0000000000430000-memory.dmp

                    • memory/1252-10-0x000000000042977E-mapping.dmp

                    • memory/1252-11-0x0000000073C60000-0x000000007434E000-memory.dmp

                    • memory/1252-12-0x0000000000400000-0x0000000000430000-memory.dmp

                    • memory/1252-14-0x00000000010D0000-0x00000000010D1000-memory.dmp