Overview

overview

10

Static

static

cf89ccd91a...9a.exe

windows7_x64

10

cf89ccd91a...9a.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    09-06-2021 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf89ccd91a0582286a6d6fbb4721c99a.exe

  • Size

    850KB

  • MD5

    cf89ccd91a0582286a6d6fbb4721c99a

  • SHA1

    8a1d9e9a449f81293e1c861c7fb495f265343d00

  • SHA256

    ab1b7bb6e9ab4d236af50fde41238818522f92ea990c2190af88b6514bf5559a

  • SHA512

    824f2c0c01d07268634449402a9ce0e9228304081823aa69da73e5e85b27cf04b62a2972ee137967fd6dd2a63ebc7aaaf7da6bb44ec1f9da346a9243da0aba1e

Score
10/10
redline3discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

3

C2

94.26.248.63:7447

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe
    "C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:984
    • C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe
      "C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe"
      2⤵
        PID:1112
      • C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe
        "C:\Users\Admin\AppData\Local\Temp\cf89ccd91a0582286a6d6fbb4721c99a.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1064

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/984-86-0x0000000006060000-0x0000000006061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-87-0x00000000060A0000-0x00000000060A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-74-0x0000000002180000-0x0000000002181000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-111-0x000000007EF30000-0x000000007EF31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-110-0x0000000006310000-0x0000000006311000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-66-0x0000000000000000-mapping.dmp

      Download

    • memory/984-109-0x0000000006300000-0x0000000006301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-77-0x0000000004A62000-0x0000000004A63000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-69-0x00000000765F1000-0x00000000765F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/984-95-0x00000000055D0000-0x00000000055D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-72-0x0000000001F20000-0x0000000001F21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-73-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-94-0x0000000006290000-0x0000000006291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-81-0x0000000005650000-0x0000000005651000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-78-0x0000000002810000-0x0000000002811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/984-76-0x0000000004A60000-0x0000000004A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-68-0x000000000041730A-mapping.dmp

      Download

    • memory/1064-70-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1064-67-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1064-75-0x0000000004280000-0x0000000004281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2028-65-0x00000000020F0000-0x000000000213B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2028-60-0x0000000000070000-0x0000000000071000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2028-62-0x0000000000470000-0x0000000000484000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2028-63-0x00000000042D0000-0x00000000042D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2028-64-0x0000000005000000-0x000000000508F000-memory.dmp

      Filesize

      572KB

      Download