Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06-07-2021 17:34
Static task: static1
Behavioral task: behavioral1
Sample: mixazed_20210706-183043.exe
Resource: win7v20210410
General
- Target: mixazed_20210706-183043.exe
- Size: 1.4MB
- MD5: 97afea1db16077be6b8d3a57f9b7a037
- SHA1: 540610e535d1a0cfac3725fd4d49fc2894665cf8
- SHA256: 97f6f4bd2bc1104bbe4c1b3cfe8ac386e8b4a35f0c9d2b63bcee04afea965965
- SHA512: 5938a2236cc6ac61977a42c4547ecc6e9c20c5cca29cb3e114970f90b28fe0daced06ee70490a604a0dbcee01565d5f6b1b49bf518ddcada1a50f9cc107d3a27
Malware Config
Extracted
redline
3
185.215.113.46:61707
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1556-80-0x0000000000090000-0x00000000000AE000-memory.dmp | family_redline
behavioral1/memory/1556-85-0x0000000000090000-0x00000000000AE000-memory.dmp | family_redline
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1524 | Tuoi.exe.com
648 | Tuoi.exe.com
1556 | RegAsm.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1320 | cmd.exe
1524 | Tuoi.exe.com
648 | Tuoi.exe.com
1556 | RegAsm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 648 set thread context of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1556 | RegAsm.exe
1556 | RegAsm.exe
1556 | RegAsm.exe
1556 | RegAsm.exe
1556 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1556 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description | pid | process | target process
PID 368 wrote to memory of 1720 | 368 | mixazed_20210706-183043.exe | cmd.exe
PID 368 wrote to memory of 1720 | 368 | mixazed_20210706-183043.exe | cmd.exe
PID 368 wrote to memory of 1720 | 368 | mixazed_20210706-183043.exe | cmd.exe
PID 368 wrote to memory of 1720 | 368 | mixazed_20210706-183043.exe | cmd.exe
PID 1720 wrote to memory of 1320 | 1720 | cmd.exe | cmd.exe
PID 1720 wrote to memory of 1320 | 1720 | cmd.exe | cmd.exe
PID 1720 wrote to memory of 1320 | 1720 | cmd.exe | cmd.exe
PID 1720 wrote to memory of 1320 | 1720 | cmd.exe | cmd.exe
PID 1320 wrote to memory of 1232 | 1320 | cmd.exe | findstr.exe
PID 1320 wrote to memory of 1232 | 1320 | cmd.exe | findstr.exe
PID 1320 wrote to memory of 1232 | 1320 | cmd.exe | findstr.exe
PID 1320 wrote to memory of 1232 | 1320 | cmd.exe | findstr.exe
PID 1320 wrote to memory of 1524 | 1320 | cmd.exe | Tuoi.exe.com
PID 1320 wrote to memory of 1524 | 1320 | cmd.exe | Tuoi.exe.com
PID 1320 wrote to memory of 1524 | 1320 | cmd.exe | Tuoi.exe.com
PID 1320 wrote to memory of 1524 | 1320 | cmd.exe | Tuoi.exe.com
PID 1320 wrote to memory of 1420 | 1320 | cmd.exe | PING.EXE
PID 1320 wrote to memory of 1420 | 1320 | cmd.exe | PING.EXE
PID 1320 wrote to memory of 1420 | 1320 | cmd.exe | PING.EXE
PID 1320 wrote to memory of 1420 | 1320 | cmd.exe | PING.EXE
PID 1524 wrote to memory of 648 | 1524 | Tuoi.exe.com | Tuoi.exe.com
PID 1524 wrote to memory of 648 | 1524 | Tuoi.exe.com | Tuoi.exe.com
PID 1524 wrote to memory of 648 | 1524 | Tuoi.exe.com | Tuoi.exe.com
PID 1524 wrote to memory of 648 | 1524 | Tuoi.exe.com | Tuoi.exe.com
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
PID 648 wrote to memory of 1556 | 648 | Tuoi.exe.com | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\mixazed_20210706-183043.exe
  "C:\Users\Admin\AppData\Local\Temp\mixazed_20210706-183043.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd < Via.pst
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        findstr /V /R "^tlSemPfKKHtYeILMlybXZRBSYbGlJvqJVEjBXzlIAbUyXeesdcOhdyxhJqrwptqgHxrnclOQUPvBXvUWcfUgHMzPlZSXdomcbFbDZDVyGX$" Uso.pst
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
        Tuoi.exe.com T
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com T
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\T
MD5: bc72287b7396eb41ec437a2685e09c1d
SHA1: df0f741830a68d9fe1d8f2c157188026a7abbcef
SHA256: 1496f40769731ea8bbe1af9d61e392caa702ab51c4694b30292910bea5b0be6b
SHA512: afd5d34df013e4a52f856b39586d3c0781a2b6e1bbffba175dde681c36dec76dd3ed8e87362610743d988db54f647e447be7e2f9d24c1d307ff20bc9684c48c3
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uccelli.pst
MD5: bc72287b7396eb41ec437a2685e09c1d
SHA1: df0f741830a68d9fe1d8f2c157188026a7abbcef
SHA256: 1496f40769731ea8bbe1af9d61e392caa702ab51c4694b30292910bea5b0be6b
SHA512: afd5d34df013e4a52f856b39586d3c0781a2b6e1bbffba175dde681c36dec76dd3ed8e87362610743d988db54f647e447be7e2f9d24c1d307ff20bc9684c48c3
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Una.pst
MD5: 8065184ab7c576641f725d0a9d39b0bc
SHA1: 661a25cc092b92abe20bf2df865a93865d6fd7ef
SHA256: cd871114e9c04e2bcb9563226f97457c598f857cd28720d4a41ec3c565bceb65
SHA512: 2baf87e133c4d6b467991b1f35b86b10f42aa7f2fcbc5a2ae2a34c240cfcafe40ad7059cb8cdb3527956b508648f43bf96ce1e5965be6a5c3572ceec56a1eb7e
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.pst
MD5: 4d799a18d42780d24ad3211887dc69ed
SHA1: f870d1729622259270697ceea4d65f40238a6b6c
SHA256: d7e4b6c6698e01bad54bf7151993e0270659fa2dba89917017556ec14ac69cdb
SHA512: e01ac3b4d06fdfadca04bafd52c24c97bf0afb4124e69cf39f927c3d22d1c450a121d9fa20a6f5b78e2cf5fbe166568b0fe1b07c53d304d841724b84c42ad252
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Via.pst
MD5: 9c02ba86f93e6c82ced11eb4e58ae3b9
SHA1: 8d230295fa1743420766af8428ff3789c6e4022a
SHA256: ab37eb4611b1d38b4dc6628c6d2512585b443c34069e46482b8d3d4d8ae68de6
SHA512: 50cce62b5e9e8a7c1035bb9d13e281303fec7bd7bb3858b62eec71a151431df0df167719cf3b36fe1f004de5c031089987655475ae6fcd153a166ea9ef11e093
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
memory/368-59-0x0000000076661000-0x0000000076663000-memory.dmp
Filesize: 8KB
-
memory/648-79-0x0000000000110000-0x0000000000111000-memory.dmp
Filesize: 4KB
-
memory/648-74-0x0000000000000000-mapping.dmp
-
memory/1232-63-0x0000000000000000-mapping.dmp
-
memory/1320-62-0x0000000000000000-mapping.dmp
-
memory/1420-69-0x0000000000000000-mapping.dmp
-
memory/1524-67-0x0000000000000000-mapping.dmp
-
memory/1556-80-0x0000000000090000-0x00000000000AE000-memory.dmp
Filesize: 120KB
-
memory/1556-85-0x0000000000090000-0x00000000000AE000-memory.dmp
Filesize: 120KB
-
memory/1556-87-0x0000000005080000-0x0000000005081000-memory.dmp
Filesize: 4KB
-
memory/1720-60-0x0000000000000000-mapping.dmp