Analysis
- max time kernel: 23s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 03-05-2021 23:37

Static task: static1
Behavioral task: behavioral1
Sample: 320F0032704DEA1152C5880DEF04E61E.exe
Resource: win7v20210408

General
- Target: 320F0032704DEA1152C5880DEF04E61E.exe
- Size: 2.3MB
- MD5: 320f0032704dea1152c5880def04e61e
- SHA1: 6dd5462a765375ab6d8720263aebe4b37c9b17d2
- SHA256: 8d730630389f403985ddbff2c9617c9b9ca9fd4ad0c9ee5d9fceeecc44356340
- SHA512: 99ed916a76ecd3c898afff7d287e95cbd985f22b3c99999396de5e5c4ebc99c1e020309fede213cdb4a2a4c2523b521b4803c396089424ee21ac20a88eea701d
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
  resource: behavioral2/memory/988-189-0x00000000004171F2-mapping.dmp
  yara_rule: family_redline
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Nirsoft 3 IoCs
  resource: C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\AdvancedRun.exe
  yara_rule: Nirsoft (the same dropped file matched three times)
Executes dropped EXE 2 IoCs
  pid 2748  AdvancedRun.exe
  pid 3280  AdvancedRun.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 10 IoCs
Processes: 320F0032704DEA1152C5880DEF04E61E.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe = "0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Note: every one of these writes landed under WOW6432Node, the 32-bit registry view. The sample is a 32-bit .NET process (the CLR_v4.0_32 usage log under Downloads confirms this) and HKLM\SOFTWARE is redirected for 32-bit code, so the writes never reached the native keys that the 64-bit Defender service reads. By themselves they do not turn off real-time protection or Tamper Protection; the Add-MpPreference exclusion in the process tree is the step that actually goes through Defender's own configuration interface.
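The registry writes above are easy to read off one report but tedious to triage across many. The Python below is an added example, not part of the sandbox output: it parses lines in the report's own `Set value (kind) \REGISTRY\... = "x" process` format plus an Add-MpPreference command line, strips the WOW6432Node prefix so 32-bit and 64-bit writes compare equal while remembering which view was hit, and flags the Defender settings and exclusion writes. The sample events are constructed from this report's IoCs with the process name shortened to sample.exe; the table of which value counts as tampering is our own choice.

```python
"""Flag Windows Defender tampering in sandbox registry / command-line events.

Added example for this report, not part of the sandbox output. SAMPLE_EVENTS
is constructed from the report's own IoC lines (process name shortened);
DANGEROUS_VALUES is our own assumption about what counts as tampering.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key path (lowercase, relative to HKLM\SOFTWARE) -> value that weakens Defender.
DANGEROUS_VALUES = {
    "microsoft\\windows defender\\features\\tamperprotection": "0",
    "microsoft\\windows defender\\real-time protection\\disablerealtimemonitoring": "1",
    "microsoft\\windows defender\\spynet\\spynetreporting": "0",
    "microsoft\\windows defender\\spynet\\submitsamplesconsent": "0",
}
# Exclusions are stored as a value *named* after the excluded path/process/extension.
EXCLUSION_PREFIX = "microsoft\\windows defender\\exclusions\\"

# Matches: Set value (int) \REGISTRY\MACHINE\...\Name = "0" process.exe
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
# Exclusion added through Defender's own cmdlet instead of the registry.
ADD_MP_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?P<what>Path|Process|Extension)\s+"?(?P<target>[^"\s]+)',
    re.IGNORECASE,
)
# Both registry views; the WOW6432Node one must be tried first.
HKLM_SOFTWARE = (
    "\\registry\\machine\\software\\wow6432node\\",
    "\\registry\\machine\\software\\",
)


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value: str
    reason: str
    redirected: bool  # True when the write landed in the WOW6432Node (32-bit) view


def _relative_key(path: str) -> Tuple[str, bool]:
    """Lowercase the key, strip the HKLM\\SOFTWARE prefix, note WOW64 redirection."""
    p = path.lower()
    for prefix in HKLM_SOFTWARE:
        if p.startswith(prefix):
            return p[len(prefix):], "wow6432node" in prefix
    return p, False


def analyse_event(line: str) -> Optional[Finding]:
    m = SET_VALUE_RE.match(line)
    if m:
        key, redirected = _relative_key(m["path"])
        if DANGEROUS_VALUES.get(key) == m["value"]:
            return Finding(m["proc"], key, m["value"], "defender setting weakened", redirected)
        if key.startswith(EXCLUSION_PREFIX):
            return Finding(m["proc"], key, m["value"], "defender exclusion written", redirected)
        return None
    m = ADD_MP_RE.search(line)
    if m:
        reason = f"defender {m['what'].lower()} exclusion via Add-MpPreference"
        return Finding("powershell.exe", m["target"], "", reason, False)
    return None


def analyse(lines) -> List[Finding]:
    return [f for f in map(analyse_event, lines) if f is not None]


# Constructed from the report's IoC table; the Run-key line is a benign control.
SAMPLE_EVENTS = [
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting = "0" sample.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" sample.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent = "0" sample.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe = "0" sample.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = "1" sample.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = "C:\\tool.exe" sample.exe',
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" -Force',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        view = "32-bit view" if f.redirected else "64-bit view"
        print(f"{f.process}: {f.reason} ({f.key} = {f.value!r}, {view})")
```

The `redirected` flag is what separates "tried to" from "did": a hit on the 64-bit view from a 32-bit process cannot happen through plain registry redirection, so a non-redirected write to these keys from user code is the stronger signal, while the Add-MpPreference path works regardless of bitness.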
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
  PID 2208 (320F0032704DEA1152C5880DEF04E61E.exe) set thread context of PID 988 (320F0032704DEA1152C5880DEF04E61E.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's description labels this "likely ransomware behaviour", but it is a generic signature that also fires when a stealer enumerates drives to collect files, so on its own it is not evidence of ransomware in this RedLine sample.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
  pid 2748  AdvancedRun.exe                       (4 hits)
  pid 3280  AdvancedRun.exe                       (4 hits)
  pid 2820  powershell.exe                        (3 hits)
  pid 2208  320F0032704DEA1152C5880DEF04E61E.exe  (2 hits)
  pid 988   320F0032704DEA1152C5880DEF04E61E.exe  (2 hits)
Suspicious use of AdjustPrivilegeToken 7 IoCs
  Token: SeDebugPrivilege        pid 2748  AdvancedRun.exe
  Token: SeImpersonatePrivilege  pid 2748  AdvancedRun.exe
  Token: SeDebugPrivilege        pid 3280  AdvancedRun.exe
  Token: SeImpersonatePrivilege  pid 3280  AdvancedRun.exe
  Token: SeDebugPrivilege        pid 2820  powershell.exe
  Token: SeDebugPrivilege        pid 2208  320F0032704DEA1152C5880DEF04E61E.exe
  Token: SeDebugPrivilege        pid 988   320F0032704DEA1152C5880DEF04E61E.exe
Suspicious use of WriteProcessMemory 20 IoCs
  source -> target   source process -> target process                               writes
  2208 -> 2748       320F0032704DEA1152C5880DEF04E61E.exe -> AdvancedRun.exe          3
  2748 -> 3280       AdvancedRun.exe -> AdvancedRun.exe                               3
  2208 -> 2820       320F0032704DEA1152C5880DEF04E61E.exe -> powershell.exe           3
  2208 -> 2636       320F0032704DEA1152C5880DEF04E61E.exe -> 320F0032704DEA1152C5880DEF04E61E.exe  3
  2208 -> 988        320F0032704DEA1152C5880DEF04E61E.exe -> 320F0032704DEA1152C5880DEF04E61E.exe  8
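Counted per target, the WriteProcessMemory events separate ordinary child creation from injection: the AdvancedRun, powershell and first self-copy children (2748, 2820, 2636) each received exactly three writes, whereas PID 988 received eight writes plus the only SetThreadContext call and is the process in which the RedLine yara rule matched. The Python below is an added example, not part of the report: it correlates events in the report's own `PID a wrote to memory of b ...` format into per-(source, target) statistics and flags the write-many-pages-then-reset-thread-context pattern that RunPE-style hollowing leaves behind. The events are constructed from this report (image names shortened); the four-write threshold is our own assumption, set just above this sandbox's per-child baseline of three.

```python
"""Correlate WriteProcessMemory / SetThreadContext events into injection candidates.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's WriteProcessMemory and SetThreadContext tables (image names
shortened); the write threshold in PairStats.verdict is our own assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Matches both event shapes used in the report:
#   PID 2208 wrote to memory of 988 2208 sample.exe sample.exe
#   PID 2208 set thread context of 988 2208 sample.exe sample.exe
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# In this report every plain child start (AdvancedRun, powershell, the first
# self-copy) produced exactly three writes from the parent; anything above
# that is treated as bulk payload writing. Assumption, not a Windows constant.
NORMAL_START_WRITES = 3


@dataclass
class PairStats:
    src_img: str
    dst_img: str
    writes: int = 0
    thread_context: int = 0

    @property
    def verdict(self) -> str:
        bulk = self.writes > NORMAL_START_WRITES
        if bulk and self.thread_context:
            # Payload written into the child, then its thread context pointed at it:
            # the RunPE / hollowing sequence. Same image on both ends = self-hollowing.
            return "hollowing" + (" (self)" if self.src_img == self.dst_img else "")
        if bulk:
            return "bulk write, no context switch"
        return "normal child start"


def correlate(lines) -> Dict[Tuple[int, int], PairStats]:
    """Aggregate events by (source pid, target pid)."""
    pairs: Dict[Tuple[int, int], PairStats] = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a cross-process memory event
        key = (int(m["src"]), int(m["dst"]))
        stats = pairs.setdefault(key, PairStats(m["src_img"], m["dst_img"]))
        if m["action"].startswith("wrote"):
            stats.writes += 1
        else:
            stats.thread_context += 1
    return pairs


def hollowing_candidates(lines) -> List[Tuple[int, int]]:
    """(source, target) pairs whose verdict is a hollowing pattern."""
    return sorted(k for k, s in correlate(lines).items() if s.verdict.startswith("hollowing"))


# Constructed from the report: 3 writes to each ordinary child, 8 to PID 988
# followed by one SetThreadContext on it.
SAMPLE_EVENTS = (
    ["PID 2208 wrote to memory of 2748 2208 sample.exe AdvancedRun.exe"] * 3
    + ["PID 2748 wrote to memory of 3280 2748 AdvancedRun.exe AdvancedRun.exe"] * 3
    + ["PID 2208 wrote to memory of 2820 2208 sample.exe powershell.exe"] * 3
    + ["PID 2208 wrote to memory of 2636 2208 sample.exe sample.exe"] * 3
    + ["PID 2208 wrote to memory of 988 2208 sample.exe sample.exe"] * 8
    + ["PID 2208 set thread context of 988 2208 sample.exe sample.exe"]
)

if __name__ == "__main__":
    for (src, dst), s in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{src} -> {dst} ({s.src_img} -> {s.dst_img}): "
              f"{s.writes} writes, {s.thread_context} SetThreadContext: {s.verdict}")
```

The baseline matters more than the rule: on a live host the equivalent signal is Sysmon event 8 (CreateRemoteThread) or an EDR's SetThreadContext telemetry paired with unusually many WriteProcessMemory calls into a freshly created child of the same image, and the three-write baseline should be re-measured per platform before the threshold is trusted.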
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe (PID 2208)
  command line: "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe"
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\AdvancedRun.exe (PID 2748)
    command line: "C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\AdvancedRun.exe (PID 3280)
      command line: "C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\AdvancedRun.exe" /SpecialRun 4101d8 2748
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2820)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe (PID 2636)
    command line: "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe"
    (no signatures)
  - C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe (PID 988)
    command line: "C:\Users\Admin\AppData\Local\Temp\320F0032704DEA1152C5880DEF04E61E.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample drops the legitimate NirSoft AdvancedRun utility into a GUID-named temp directory and uses it to run test.bat with /RunAs 8, AdvancedRun's TrustedInstaller mode; the /SpecialRun child (3280) is the helper instance AdvancedRun spawns for that mode, which is consistent with the SeDebugPrivilege and SeImpersonatePrivilege adjustments on both AdvancedRun processes. The contents of test.bat are not captured in this report. The PowerShell child requests a Defender exclusion for the sample's own path; the command line names the System32 image but the process that ran is the SysWOW64 one, file-system redirection for a 32-bit parent. Of the two child copies of the sample, the first (2636) shows no further activity, while the second (988) is the one that received the bulk memory writes and the SetThreadContext call and in which the family_redline yara rule matched, i.e. the parent hollowed a copy of itself with the unpacked RedLine payload.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\320F0032704DEA1152C5880DEF04E61E.exe.log (usage log written by the 32-bit CLR v4, which confirms the sample runs as a 32-bit .NET process)
  MD5: c0ad7b531cb050d170ceb51110be64db
  SHA1: 1fc4ff77fe0838a1fec8723139c25d5708ed8c0b
  SHA256: 2212589a88f2f3fa5c7127e548ea493b3ab2927e2417b54928ec82e3a42a424c
  SHA512: 148ecaa1ee3259ab2ec63abb28af5daad10534bd48e9afec2984d343c8f9c361f8caed04b32bb0de85d41e3329935e6d100d5036e33bc8fadcda1f7dd1bde436
- C:\Users\Admin\AppData\Local\Temp\12defb9a-1f68-4bbe-9c74-aef1690feb72\AdvancedRun.exe (listed three times in the report with identical hashes; the NirSoft yara match above)
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
- memory/988-190-0x0000000005790000-0x0000000005D96000-memory.dmp: 6.0MB
- memory/988-189-0x00000000004171F2-mapping.dmp (family_redline yara match, see Signatures)
- memory/2208-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp: 4KB
- memory/2208-116-0x0000000005A00000-0x0000000005A01000-memory.dmp: 4KB
- memory/2208-117-0x00000000032F0000-0x0000000003356000-memory.dmp: 408KB
- memory/2208-118-0x0000000008550000-0x0000000008551000-memory.dmp: 4KB
- memory/2208-119-0x0000000006DF0000-0x0000000006DF1000-memory.dmp: 4KB
- memory/2748-120-0x0000000000000000-mapping.dmp
- memory/2820-130-0x00000000049C0000-0x00000000049C1000-memory.dmp: 4KB
- memory/2820-138-0x0000000008410000-0x0000000008411000-memory.dmp: 4KB
- memory/2820-129-0x00000000073D0000-0x00000000073D1000-memory.dmp: 4KB
- memory/2820-132-0x00000000072A0000-0x00000000072A1000-memory.dmp: 4KB
- memory/2820-133-0x0000000007C90000-0x0000000007C91000-memory.dmp: 4KB
- memory/2820-134-0x0000000007B00000-0x0000000007B01000-memory.dmp: 4KB
- memory/2820-135-0x0000000007D00000-0x0000000007D01000-memory.dmp: 4KB
- memory/2820-136-0x0000000007B70000-0x0000000007B71000-memory.dmp: 4KB
- memory/2820-137-0x0000000008560000-0x0000000008561000-memory.dmp: 4KB
- memory/2820-131-0x00000000049C2000-0x00000000049C3000-memory.dmp: 4KB
- memory/2820-146-0x00000000090E0000-0x0000000009113000-memory.dmp: 204KB
- memory/2820-153-0x00000000090C0000-0x00000000090C1000-memory.dmp: 4KB
- memory/2820-158-0x0000000009440000-0x0000000009441000-memory.dmp: 4KB
- memory/2820-159-0x0000000009600000-0x0000000009601000-memory.dmp: 4KB
- memory/2820-187-0x000000007F510000-0x000000007F511000-memory.dmp: 4KB
- memory/2820-188-0x00000000049C3000-0x00000000049C4000-memory.dmp: 4KB
- memory/2820-128-0x0000000004820000-0x0000000004821000-memory.dmp: 4KB
- memory/2820-125-0x0000000000000000-mapping.dmp
- memory/3280-123-0x0000000000000000-mapping.dmp