Analysis
- max time kernel: 45s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-04-2021 21:01

Static task: static1
Behavioral task: behavioral1
Sample: 3fa383ee84580d83880217fd61449698.exe
Resource: win7v20210408
General
- Target: 3fa383ee84580d83880217fd61449698.exe
- Size: 418KB
- MD5: 3fa383ee84580d83880217fd61449698
- SHA1: aa78a35156892e68d6a0e93ff3f34c30faea0c1f
- SHA256: 08fa32b60c3a2d7c71e3be07021113e25eb9d13a79b34734f69efb341a88604f
- SHA512: 4b41615d89efe3cf63f680481e09003d67716c7b45c4ad3d02944e720a900008db166c5bc604f1dacbc5b6c0231b008c2825ceaf89408866a3223c18c038d265
Malware Config

Extracted
- Family: redline
- Botnet: v1
- C2: 199.195.251.96:43073

Extracted
- Family: redline
- Botnet: PHO
- C2: 87.251.71.8:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
Resource                                                                      YARA rule
behavioral2/memory/1120-121-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
behavioral2/memory/1120-122-0x000000000041622A-mapping.dmp                     family_redline
behavioral2/memory/1120-130-0x0000000005340000-0x0000000005946000-memory.dmp  family_redline
behavioral2/memory/1864-148-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
behavioral2/memory/1864-149-0x0000000000416226-mapping.dmp                     family_redline
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
PID   Process
904   pho.exe
1864  pho.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (14 IoCs)
PID  Process
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe
904  pho.exe

Suspicious use of SetThreadContext (2 IoCs)
PID   Process                               Target PID  Target process
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
904   pho.exe                               1864        pho.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
PID  Target PID  Process       Target process
636  904         WerFault.exe  pho.exe
Delays execution with timeout.exe (1 IoC)
PID   Process
3976  timeout.exe
Suspicious behavior: EnumeratesProcesses (21 IoCs)
PID   Process
1120  AddInProcess32.exe
1120  AddInProcess32.exe
904   pho.exe
904   pho.exe
904   pho.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
636   WerFault.exe
1864  pho.exe
1864  pho.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Token               PID   Process
SeDebugPrivilege    3152  3fa383ee84580d83880217fd61449698.exe
SeDebugPrivilege    1120  AddInProcess32.exe
SeDebugPrivilege    904   pho.exe
SeRestorePrivilege  636   WerFault.exe
SeBackupPrivilege   636   WerFault.exe
SeDebugPrivilege    636   WerFault.exe
SeDebugPrivilege    1864  pho.exe
Suspicious use of WriteProcessMemory (25 IoCs)
PID   Process                               Target PID  Target process
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
3152  3fa383ee84580d83880217fd61449698.exe  1120        AddInProcess32.exe
1120  AddInProcess32.exe                    904         pho.exe
1120  AddInProcess32.exe                    904         pho.exe
1120  AddInProcess32.exe                    904         pho.exe
904   pho.exe                               2020        cmd.exe
904   pho.exe                               2020        cmd.exe
904   pho.exe                               2020        cmd.exe
2020  cmd.exe                               3976        timeout.exe
2020  cmd.exe                               3976        timeout.exe
2020  cmd.exe                               3976        timeout.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
904   pho.exe                               1864        pho.exe
Processes (process tree; the leading number is the nesting depth)

1  C:\Users\Admin\AppData\Local\Temp\3fa383ee84580d83880217fd61449698.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fa383ee84580d83880217fd61449698.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\pho.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\pho.exe"
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\timeout.exe
               Command line: timeout 1
               - Delays execution with timeout.exe
         4  C:\Users\Admin\AppData\Local\Temp\pho.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\pho.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1840
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Local\Temp\pho.exe
- MD5: e6f1f62bd0db6df42195f962c83f1717
- SHA1: 4190bc898b0fe5b2200a0d5a8495c423969902aa
- SHA256: 9d32eaeee59bfa3b4df9ebe0d9ab29b91892e30ec88d1b15609b7d841e453c0d
- SHA512: 525574d19ffd88cf87e5777efb83cf21030fc6d5ae9805a9328e6b816e9f4d2bffe3bc1835ee552e57a23f15258c4c9c5c402e355448098b40af1b442fae2b8a
Memory dumps
Dump                                                            Filesize
memory/904-137-0x0000000000000000-mapping.dmp
memory/904-145-0x0000000002280000-0x00000000022B3000-memory.dmp  204KB
memory/904-144-0x00000000058D0000-0x00000000058D1000-memory.dmp  4KB
memory/904-143-0x00000000048E0000-0x0000000004DDE000-memory.dmp  5.0MB
memory/904-140-0x0000000000180000-0x0000000000181000-memory.dmp  4KB
memory/1120-125-0x0000000005950000-0x0000000005951000-memory.dmp 4KB
memory/1120-122-0x000000000041622A-mapping.dmp
memory/1120-127-0x00000000053D0000-0x00000000053D1000-memory.dmp 4KB
memory/1120-128-0x0000000005410000-0x0000000005411000-memory.dmp 4KB
memory/1120-129-0x0000000005680000-0x0000000005681000-memory.dmp 4KB
memory/1120-130-0x0000000005340000-0x0000000005946000-memory.dmp 6.0MB
memory/1120-133-0x0000000006E70000-0x0000000006E71000-memory.dmp 4KB
memory/1120-134-0x0000000007570000-0x0000000007571000-memory.dmp 4KB
memory/1120-135-0x0000000006D90000-0x0000000006D91000-memory.dmp 4KB
memory/1120-136-0x0000000008850000-0x0000000008851000-memory.dmp 4KB
memory/1120-121-0x0000000000400000-0x000000000041C000-memory.dmp 112KB
memory/1120-126-0x0000000005370000-0x0000000005371000-memory.dmp 4KB
memory/1864-148-0x0000000000400000-0x000000000041C000-memory.dmp 112KB
memory/1864-149-0x0000000000416226-mapping.dmp
memory/1864-156-0x0000000004900000-0x0000000004901000-memory.dmp 4KB
memory/1864-158-0x0000000004880000-0x0000000004E86000-memory.dmp 6.0MB
memory/2020-146-0x0000000000000000-mapping.dmp
memory/3152-114-0x0000000000050000-0x0000000000051000-memory.dmp 4KB
memory/3152-120-0x0000000004E00000-0x0000000004E0B000-memory.dmp 44KB
memory/3152-119-0x00000000049B0000-0x0000000004EAE000-memory.dmp 5.0MB
memory/3152-118-0x0000000004E20000-0x0000000004E21000-memory.dmp 4KB
memory/3152-117-0x0000000004EB0000-0x0000000004EB1000-memory.dmp 4KB
memory/3152-116-0x0000000004910000-0x0000000004911000-memory.dmp 4KB
memory/3976-147-0x0000000000000000-mapping.dmp