Overview

overview

10

Static

static

10

cbb62490f1...f6.exe

windows7_x64

10

cbb62490f1...f6.exe

windows10_x64

10

Analysis

  • max time kernel
    32s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    10-06-2021 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbb62490f144ce119dcbe5d1ef7f4ff6.exe

  • Size

    1.1MB

  • MD5

    cbb62490f144ce119dcbe5d1ef7f4ff6

  • SHA1

    4a153e0057673011a7fdc38eed71f11fc9708e90

  • SHA256

    9890b3cc84a7417c40435676f4e27e4a816143a4545a7c3cb75cc4b3819945e4

  • SHA512

    203111d011c842400f8cd5cdf8b9ee2ffabe7ef162535db1385f97843675b25400b52811d7d199cf2737148625b106f85b5ba6dc5244f394c55caf86bec77282

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • autoit_exe 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbb62490f144ce119dcbe5d1ef7f4ff6.exe
    "C:\Users\Admin\AppData\Local\Temp\cbb62490f144ce119dcbe5d1ef7f4ff6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Users\Admin\AppData\Local\Temp\tempfl.exe
      "C:\Users\Admin\AppData\Local\Temp\tempfl.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
        C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
          4⤵
          • Creates scheduled task(s)
          PID:1004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\32.exe
    MD5

    be7e0a04a98992393ed7d9001b26ce7e

    SHA1

    70803643140ae2e6dfb11788a435aa5213061819

    SHA256

    61b8fe15a0ac98a6011d592d19a5a1f3e90583159b0025d01c734a3e3646738d

    SHA512

    ae4d2a87b57b8ea3b64cc1af45677893008557ff622098e6371762e5be2494b1418ad9f07c233a65df20aefdb53e2b3d1cff429b1844a7ed266886900f78c9cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\64.exe
    MD5

    4561b398282ef899552a80a28a943803

    SHA1

    a44ff5522fe7c7cee5d8dd473a9e5207d9363866

    SHA256

    eac46338f5978c42aaed22378f36c99184cfba6bee27bb6806db22efcd81d1e8

    SHA512

    573798c5316d75d4384608c9bf40a494233a3b516d70ec3677fa8187d514a65a68d6154d2de2db6277c20ba1aebad8a737734d263fe7ce92af873ad639be5743

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    MD5

    43141e85e7c36e31b52b22ab94d5e574

    SHA1

    cfd7079a9b268d84b856dc668edbb9ab9ef35312

    SHA256

    ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

    SHA512

    9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
    MD5

    a66d45cb4996918c5592a4f7d41cc1a3

    SHA1

    21ea8e6abce0613eda4cc6e69d8f436d972500c2

    SHA256

    c808b768710386a679e711f11af8b1813ec1fe354d221cd1032555191dc08555

    SHA512

    8ee234256f611397fda2776bf42d142ea002ebc913ec8fbba8a2aa029ee65d1c28c687095d63a34cf56b40b7308a8474d82683c836991aade33cb4b5b4bb0b71

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
    MD5

    ed8adc90f2e04d496f18c24e72a91392

    SHA1

    4cc10c39e9d9ae112301b1dedbdae81dac7c8377

    SHA256

    2ca2030406125497e931a57dcd97d91d91c841fad7c8802997edd7a808df9a1c

    SHA512

    111aada5a535b7f57be344b2e56db85fb0fe92174b79381befa648aadd99ca5bbc21ac585da7fba9b552723c38a3d9e56b67c0470ff1563a9915dc3c0ab44f76

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tempfl.exe
    MD5

    12e441a02e461181c6a0155fd4f21ffc

    SHA1

    fb17ae09d164babf8f1aa457217fcc5e5d57b3ce

    SHA256

    63b21907d882f0d391145a8deb582b163527cf9b17a44704678a0897cd1eb632

    SHA512

    e0c29ff95dcf5caa697395dd82cfa766931c64158871f4080f960b90da712043a23bcd160c9c2bcd6c94b5a7ea9dbdbbcba31f0a36ab1a2fc6995eae62d1e1cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tempfl.exe
    MD5

    12e441a02e461181c6a0155fd4f21ffc

    SHA1

    fb17ae09d164babf8f1aa457217fcc5e5d57b3ce

    SHA256

    63b21907d882f0d391145a8deb582b163527cf9b17a44704678a0897cd1eb632

    SHA512

    e0c29ff95dcf5caa697395dd82cfa766931c64158871f4080f960b90da712043a23bcd160c9c2bcd6c94b5a7ea9dbdbbcba31f0a36ab1a2fc6995eae62d1e1cc

    Download Submit

  • memory/624-125-0x0000000006C70000-0x0000000006C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-126-0x0000000007970000-0x0000000007971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-116-0x0000000005980000-0x0000000005981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-121-0x0000000005490000-0x0000000005491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-120-0x00000000052E0000-0x00000000052E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-117-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-119-0x0000000005360000-0x0000000005361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-124-0x0000000006960000-0x0000000006961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-123-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-122-0x00000000066E0000-0x00000000066E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/624-118-0x00000000052A0000-0x00000000052A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1004-139-0x0000000000000000-mapping.dmp

    Download

  • memory/2120-135-0x0000000004650000-0x0000000004651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-127-0x0000000000000000-mapping.dmp

    Download

  • memory/3140-134-0x0000000000000000-mapping.dmp

    Download

  • memory/3840-130-0x0000000000000000-mapping.dmp

    Download