Overview

overview

10

Static

static

d7cfcefabc...48.exe

windows7_x64

10

d7cfcefabc...48.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    08-05-2021 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7cfcefabc22cecb94af7cc290bef648.exe

  • Size

    188KB

  • MD5

    d7cfcefabc22cecb94af7cc290bef648

  • SHA1

    45844bd2f247d3e62e6d90762c84187e7f6c83cc

  • SHA256

    76919d1b955f642d02652b03274a9d447d386b8071d1f51f41a22cc708a7db31

  • SHA512

    19b78fb987fc585559489e75bb4e9c9a9ee43b2c2a32d7c8dc329cd02d3ca62fa8c0787c2bef6f7c3138ab6d0969a31591c493f8fb77a63aed7880307bda1630

Score
10/10
redlinefirstmadiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

firstma

C2

45.67.231.56:3214

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7cfcefabc22cecb94af7cc290bef648.exe
    "C:\Users\Admin\AppData\Local\Temp\d7cfcefabc22cecb94af7cc290bef648.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\servs.exe
      "C:\Users\Admin\AppData\Local\Temp\servs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4428
    • C:\Users\Admin\AppData\Local\Temp\rvs.exe
      "C:\Users\Admin\AppData\Local\Temp\rvs.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4548
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3524
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4004
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:740
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
      PID:4140
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4240
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4644
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3b8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4792
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:5112

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\4STTKXGU.cookie
      MD5

      0518e5b90b9315908cc9560db5ef8575

      SHA1

      b82e97d87f8ca1289edb84b22333a014e5f9cbb8

      SHA256

      594266e943d75df077e3de9dfedb7a4940af245f662e1727bf5813d452bd6c55

      SHA512

      6f97dd0c5a1049dbb2cfa6de7b4ce9c8f0097d4551773d92c80b58cf6250740e26ecffca845a73eb9449d19e5a49c80783dab2b7ccbd7794e8daf3a95f2abfc4

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\DZGWV7B6.cookie
      MD5

      10be0046b4a8b6ddfd91f60cce01fb6a

      SHA1

      60817767b698bbf4ccccc9cf8bdda0f9c26d92ff

      SHA256

      116e00ce8d18df133e102e333aca4c0c1ae4a97f06c20bbdf350b54bc12fe656

      SHA512

      6c316a4e073212a2102c7ce475aacc9dc4d269b2b67aa971cf31803bdd0f4f203679697a562333ba4807413bde09c78f1b4bf1a9479087f6fe883edfcb156c09

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\QU1J8OIC.cookie
      MD5

      12534468d236a77e6bc80c8ff603883f

      SHA1

      33bcf8a3d813a661bfdf073b287637686e527fa8

      SHA256

      559365863dc19fdd4b268a67d0a3017863956ceed6c2572123993f7d5ec3f32c

      SHA512

      3977f5257ac812575ef2d78beecc01b71dfa47a603d6f4d58c0e2c794b327f895372cc6b41ac9a17f633d861e441f501dc6d396fee83cf7c528ce89d2cb2489a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      MD5

      4da169703a57baca38f256b2280faecd

      SHA1

      e87a670377f5d5467900e49f3f76dda55a132090

      SHA256

      b667c70765fde990bfbcd50d0142f6555751dc700d17c2ef67cb33154376e5cc

      SHA512

      1778fe73ac495141d11b13fb30d41e5bf233919df5060de5fb185a6b99f579efbfcb785e53179f8e43316023c2f1fa43db7a17edc638b5aa145f223032a29b67

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
      MD5

      f7dcb24540769805e5bb30d193944dce

      SHA1

      e26c583c562293356794937d9e2e6155d15449ee

      SHA256

      6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

      SHA512

      cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
      MD5

      896448ad42085ea2a486ba8fd0ac0cae

      SHA1

      4d9abc283635aa9f7eb1bdb2231a0915c374cd8c

      SHA256

      4f7cce8f5074099dba71e1ec72394a0ca49e864bd93910a37adf5f97feacce3c

      SHA512

      b0ced50da82599839b5d46178f52e994e12cbcadd848a5f32788218493f4abb4e0fcb9eb1d908b17ddd0cd147e218146678cb556c72b52f5b947dc801726f871

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      MD5

      4520694ea0e43a9d965e80f78326d6f3

      SHA1

      18c3818ef4557df202a7bedc2926fbe0026b847a

      SHA256

      c36197ecfd61038295dfbdcbe6f8d00cbe6f535f48b5eeb053a38040dc85090d

      SHA512

      a63271a7346808ecd6c18add2e93d7870799f0d5365c68cfc5218bd328dcc93dea511c86515fba7116fcca0356e96c2292dee1e577303c3041faea940060ef3b

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      MD5

      bb5062aac7d4dd6317a029182b24c2e8

      SHA1

      febc31c844101893186232a37a0717e0aae66449

      SHA256

      46ac81d4aaeebf527bbb355f2fe916712ab9648f0facb288db220f9826fa337b

      SHA512

      cef5629ddd96887373cf191585a49dcd1e7772510524e0b67ced392d36c531a89167baedcb67764c76506bcf995fc72ae12ba215848b927e17a3026bb232c7c7

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
      MD5

      8d2de965d2b9c97b54993ca30912e903

      SHA1

      afae3deb25735a51b12ea02f006f756e403fc38a

      SHA256

      afd3e03ec651c7062937193809523ea1cf6cb838901798cdc663c8722bb54f07

      SHA512

      d0ef0e150e5d8980e5e9d551319503fd14e583f8864d51d8fde1b54589fdc4ece3b56c9f128ea74726bf0725eb7b4802d644eeaa46fbc3b3369b18fc543acc32

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
      MD5

      6220047a5e41c45f4e48ce8de4c2821f

      SHA1

      10cafccb4e0fefade1cc51e93f14bd44bbf2c944

      SHA256

      acb23647b323ace380df166f991f84ee726f1e367651c583ed8000ada94c04c0

      SHA512

      45b8c76ce8d24150ebc2d5ea9d6706b0ed721d86f79a21f8a41667ce4837c78e2b6909163cb35471e932fb883f5ee87600773f111da5e7c8fe7bf7597d09d892

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      MD5

      d709f6ed85535bb8c4c41b6f00dc2ca2

      SHA1

      e594e81952b53d26b02e5d94a72c2971fc12c4ee

      SHA256

      10c250e4d40cbceb1a298b192c525a754b7687636cf85be62772fbb53424a5ed

      SHA512

      877de6435f5d841e578349fbdcf0982778bb070c4cedae339475c63ac45f2de2cda5d84661a819940a7dc00e404bdd22223a243831327dc0915ae069138e9e6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rvs.exe
      MD5

      830791e50ebd569c3169a7860455dde9

      SHA1

      decc913ea54066aca3bfd0e3bc791b3e10840eb5

      SHA256

      5b2c3cc04375edc534a731821cefd6563d358035ed737ceb66f69b0f54077a66

      SHA512

      b50ce56df27fb5dc8a8645e5131821e6d3d9cf4589510e004f0a9fb212e1a7fdc35831109a7f5067856aa0f0b901fbea112799a9badbdfa4100c51852004ed9e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rvs.exe
      MD5

      830791e50ebd569c3169a7860455dde9

      SHA1

      decc913ea54066aca3bfd0e3bc791b3e10840eb5

      SHA256

      5b2c3cc04375edc534a731821cefd6563d358035ed737ceb66f69b0f54077a66

      SHA512

      b50ce56df27fb5dc8a8645e5131821e6d3d9cf4589510e004f0a9fb212e1a7fdc35831109a7f5067856aa0f0b901fbea112799a9badbdfa4100c51852004ed9e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\servs.exe
      MD5

      14c4511f1f708818203e97f28adcb422

      SHA1

      e92fe1d751db00e1a78e62383884ed50ad7562b1

      SHA256

      4cd909b0c0733cb1191dcbb20ef2a62683873c902c0ae037f33c6cb779a34be5

      SHA512

      8d1907ebbbd6b856767a37ca385a74cfdd1265303e245ec4656a9f5812b79a0cc4730e4dec66fffca8346e32c80144ce724b118bed1f4a7acd92876d6f4ffcf2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\servs.exe
      MD5

      14c4511f1f708818203e97f28adcb422

      SHA1

      e92fe1d751db00e1a78e62383884ed50ad7562b1

      SHA256

      4cd909b0c0733cb1191dcbb20ef2a62683873c902c0ae037f33c6cb779a34be5

      SHA512

      8d1907ebbbd6b856767a37ca385a74cfdd1265303e245ec4656a9f5812b79a0cc4730e4dec66fffca8346e32c80144ce724b118bed1f4a7acd92876d6f4ffcf2

      Download Submit
    • memory/3212-120-0x00000000022C3000-0x00000000022C4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-124-0x00000000022C4000-0x00000000022C6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3212-128-0x00000000066A0000-0x00000000066A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-127-0x0000000006490000-0x0000000006491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-126-0x0000000005F70000-0x0000000005F71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-114-0x0000000001FE0000-0x0000000001FFE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3212-125-0x0000000005710000-0x0000000005711000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-129-0x0000000006CB0000-0x0000000006CB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-123-0x0000000005580000-0x0000000005581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-122-0x0000000005520000-0x0000000005521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-121-0x0000000005500000-0x0000000005501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-119-0x00000000022C2000-0x00000000022C3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-117-0x0000000004E60000-0x0000000004E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-118-0x00000000022C0000-0x00000000022C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3212-116-0x0000000002390000-0x00000000023AD000-memory.dmp
      Filesize

      116KB

      Download
    • memory/3212-115-0x0000000004920000-0x0000000004921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4428-137-0x0000000004920000-0x000000000493D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/4428-158-0x0000000004A94000-0x0000000004A96000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4428-143-0x0000000004A93000-0x0000000004A94000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4428-141-0x0000000004A92000-0x0000000004A93000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4428-139-0x0000000004A90000-0x0000000004A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4428-135-0x0000000002340000-0x000000000235E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4428-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4548-159-0x00000000054C0000-0x00000000054C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4548-148-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4548-145-0x0000000000000000-mapping.dmp
      Download