Analysis
- max time kernel: 36s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 06-07-2021 17:34
Static task: static1
Behavioral task: behavioral1
Sample: mixazed_20210706-183043.exe
Resource: win7v20210410
General
- Target: mixazed_20210706-183043.exe
- Size: 1.4MB
- MD5: 97afea1db16077be6b8d3a57f9b7a037
- SHA1: 540610e535d1a0cfac3725fd4d49fc2894665cf8
- SHA256: 97f6f4bd2bc1104bbe4c1b3cfe8ac386e8b4a35f0c9d2b63bcee04afea965965
- SHA512: 5938a2236cc6ac61977a42c4547ecc6e9c20c5cca29cb3e114970f90b28fe0daced06ee70490a604a0dbcee01565d5f6b1b49bf518ddcada1a50f9cc107d3a27
Malware Config
Extracted
- Family: redline
- Botnet: 3
- C2: 185.215.113.46:61707
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/200-128-0x00000000003E0000-0x00000000003FE000-memory.dmp  family_redline
    behavioral2/memory/200-138-0x0000000004C70000-0x0000000005276000-memory.dmp  family_redline
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2188  Tuoi.exe.com
    2724  Tuoi.exe.com
    200   RegAsm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2724 set thread context of 200  2724  Tuoi.exe.com  RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
    200  RegAsm.exe (listed 5 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  200  RegAsm.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
    PID 3968 wrote to memory of 1508  3968  mixazed_20210706-183043.exe  cmd.exe (listed 3 times)
    PID 1508 wrote to memory of 1832  1508  cmd.exe  cmd.exe (listed 3 times)
    PID 1832 wrote to memory of 1932  1832  cmd.exe  findstr.exe (listed 3 times)
    PID 1832 wrote to memory of 2188  1832  cmd.exe  Tuoi.exe.com (listed 3 times)
    PID 1832 wrote to memory of 2356  1832  cmd.exe  PING.EXE (listed 3 times)
    PID 2188 wrote to memory of 2724  2188  Tuoi.exe.com  Tuoi.exe.com (listed 3 times)
    PID 2724 wrote to memory of 200   2724  Tuoi.exe.com  RegAsm.exe (listed 5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\mixazed_20210706-183043.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mixazed_20210706-183043.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Via.pst
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^tlSemPfKKHtYeILMlybXZRBSYbGlJvqJVEjBXzlIAbUyXeesdcOhdyxhJqrwptqgHxrnclOQUPvBXvUWcfUgHMzPlZSXdomcbFbDZDVyGX$" Uso.pst
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
        Command line: Tuoi.exe.com T
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com T
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads