Analysis
max time kernel: 54s
max time network: 57s
platform: windows7_x64
resource: win7v20210408
submitted: 03-05-2021 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 320F0032704DEA1152C5880DEF04E61E.exe
Resource: win7v20210408
General
Target: 320F0032704DEA1152C5880DEF04E61E.exe
Size: 2.3MB
MD5: 320f0032704dea1152c5880def04e61e
SHA1: 6dd5462a765375ab6d8720263aebe4b37c9b17d2
SHA256: 8d730630389f403985ddbff2c9617c9b9ca9fd4ad0c9ee5d9fceeecc44356340
SHA512: 99ed916a76ecd3c898afff7d287e95cbd985f22b3c99999396de5e5c4ebc99c1e020309fede213cdb4a2a4c2523b521b4803c396089424ee21ac20a88eea701d
Malware Config
Extracted
redline
4/28
157.90.162.135:35200
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1964-116-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
behavioral1/memory/1964-117-0x00000000004171F2-mapping.dmp  family_redline
behavioral1/memory/1964-118-0x0000000000400000-0x000000000041C000-memory.dmp  family_redline
-
Nirsoft 7 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe  Nirsoft
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
1420  AdvancedRun.exe
856  AdvancedRun.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid  process
864  320F0032704DEA1152C5880DEF04E61E.exe
864  320F0032704DEA1152C5880DEF04E61E.exe
1420  AdvancedRun.exe
1420  AdvancedRun.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 8 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths  320F0032704DEA1152C5880DEF04E61E.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions  320F0032704DEA1152C5880DEF04E61E.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe = "0"  320F0032704DEA1152C5880DEF04E61E.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection  320F0032704DEA1152C5880DEF04E61E.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  320F0032704DEA1152C5880DEF04E61E.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"  320F0032704DEA1152C5880DEF04E61E.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features  320F0032704DEA1152C5880DEF04E61E.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  320F0032704DEA1152C5880DEF04E61E.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 864 set thread context of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid  process
1420  AdvancedRun.exe
1420  AdvancedRun.exe
856  AdvancedRun.exe
856  AdvancedRun.exe
544  powershell.exe
544  powershell.exe
864  320F0032704DEA1152C5880DEF04E61E.exe
864  320F0032704DEA1152C5880DEF04E61E.exe
1964  320F0032704DEA1152C5880DEF04E61E.exe
1964  320F0032704DEA1152C5880DEF04E61E.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1420  AdvancedRun.exe
Token: SeImpersonatePrivilege  1420  AdvancedRun.exe
Token: SeDebugPrivilege  856  AdvancedRun.exe
Token: SeImpersonatePrivilege  856  AdvancedRun.exe
Token: SeDebugPrivilege  544  powershell.exe
Token: SeDebugPrivilege  864  320F0032704DEA1152C5880DEF04E61E.exe
Token: SeDebugPrivilege  1964  320F0032704DEA1152C5880DEF04E61E.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description  pid  process  target process
PID 864 wrote to memory of 1420  864  320F0032704DEA1152C5880DEF04E61E.exe  AdvancedRun.exe
PID 864 wrote to memory of 1420  864  320F0032704DEA1152C5880DEF04E61E.exe  AdvancedRun.exe
PID 864 wrote to memory of 1420  864  320F0032704DEA1152C5880DEF04E61E.exe  AdvancedRun.exe
PID 864 wrote to memory of 1420  864  320F0032704DEA1152C5880DEF04E61E.exe  AdvancedRun.exe
PID 1420 wrote to memory of 856  1420  AdvancedRun.exe  AdvancedRun.exe
PID 1420 wrote to memory of 856  1420  AdvancedRun.exe  AdvancedRun.exe
PID 1420 wrote to memory of 856  1420  AdvancedRun.exe  AdvancedRun.exe
PID 1420 wrote to memory of 856  1420  AdvancedRun.exe  AdvancedRun.exe
PID 864 wrote to memory of 544  864  320F0032704DEA1152C5880DEF04E61E.exe  powershell.exe
PID 864 wrote to memory of 544  864  320F0032704DEA1152C5880DEF04E61E.exe  powershell.exe
PID 864 wrote to memory of 544  864  320F0032704DEA1152C5880DEF04E61E.exe  powershell.exe
PID 864 wrote to memory of 544  864  320F0032704DEA1152C5880DEF04E61E.exe  powershell.exe
PID 864 wrote to memory of 524  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 524  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 524  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 524  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
PID 864 wrote to memory of 1964  864  320F0032704DEA1152C5880DEF04E61E.exe  320F0032704DEA1152C5880DEF04E61E.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe
"C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe"
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe" /SpecialRun 4101d8 1420
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe
  "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe"
  -
  C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe
  "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\2405bc59-1740-42fc-8a78-ff0484bb9c00\AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
memory/544-92-0x0000000006170000-0x0000000006171000-memory.dmp
Filesize 4KB
-
memory/544-82-0x0000000005240000-0x0000000005241000-memory.dmp
Filesize 4KB
-
memory/544-115-0x0000000006310000-0x0000000006311000-memory.dmp
Filesize 4KB
-
memory/544-114-0x0000000006300000-0x0000000006301000-memory.dmp
Filesize 4KB
-
memory/544-100-0x0000000005610000-0x0000000005611000-memory.dmp
Filesize 4KB
-
memory/544-99-0x0000000006280000-0x0000000006281000-memory.dmp
Filesize 4KB
-
memory/544-75-0x0000000000000000-mapping.dmp
-
memory/544-77-0x0000000001D90000-0x0000000001D91000-memory.dmp
Filesize 4KB
-
memory/544-78-0x0000000004820000-0x0000000004821000-memory.dmp
Filesize 4KB
-
memory/544-79-0x0000000001F90000-0x0000000002BDA000-memory.dmp
Filesize 12.3MB
-
memory/544-81-0x00000000025C0000-0x00000000025C1000-memory.dmp
Filesize 4KB
-
memory/544-91-0x000000007EF30000-0x000000007EF31000-memory.dmp
Filesize 4KB
-
memory/544-85-0x0000000006000000-0x0000000006001000-memory.dmp
Filesize 4KB
-
memory/544-90-0x0000000006040000-0x0000000006041000-memory.dmp
Filesize 4KB
-
memory/856-72-0x0000000000000000-mapping.dmp
-
memory/864-60-0x0000000000F40000-0x0000000000F41000-memory.dmp
Filesize 4KB
-
memory/864-62-0x00000000003E0000-0x0000000000446000-memory.dmp
Filesize 408KB
-
memory/864-63-0x0000000000330000-0x0000000000331000-memory.dmp
Filesize 4KB
-
memory/1420-68-0x0000000075891000-0x0000000075893000-memory.dmp
Filesize 8KB
-
memory/1420-66-0x0000000000000000-mapping.dmp
-
memory/1964-116-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize 112KB
-
memory/1964-117-0x00000000004171F2-mapping.dmp
-
memory/1964-118-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize 112KB
-
memory/1964-120-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
Filesize 4KB