Analysis
-
max time kernel
360s -
max time network
1705s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
08-07-2021 11:17
General
-
Target
0x00030000000130de-161.exe
-
Size
174KB
-
MD5
f12aa4983f77ed85b3a618f7656807c2
-
SHA1
ab29f2221d590d03756d89e63cf2802ee31ecbcf
-
SHA256
5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2
-
SHA512
9074af27996a11e988be7147cf387d8952b515d070ff49fec22f0e5b2d374563204eda56319447d9b5f49f056be1475f0a1a2c501fdf1a769d7d8a8077ccba8b
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x00030000000130de-161.exe"C:\Users\Admin\AppData\Local\Temp\0x00030000000130de-161.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5926773.exe"C:\Users\Admin\AppData\Roaming\5926773.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8518282.exe"C:\Users\Admin\AppData\Roaming\8518282.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5368910.exe"C:\Users\Admin\AppData\Roaming\5368910.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\5368910.exeMD5
c633c2d5eb87b3f3aff203f7802153fd
SHA11fa97cdcee7a605102d6152617afd3731fe0b0ca
SHA2560d4bc3de0df5e15ac2345776f78c2be22eaf3ac19706db4391cbaf0c633ec700
SHA51296f16b68ab8c0b5a1788f3aaad8bff09738d070792e1e27e9ab84a66bd776308b44c3a8d5d3e478a965ca6958d5e6f3ee76dbc7a2a38a81ea9d6a40773d9785a
-
C:\Users\Admin\AppData\Roaming\5368910.exeMD5
c633c2d5eb87b3f3aff203f7802153fd
SHA11fa97cdcee7a605102d6152617afd3731fe0b0ca
SHA2560d4bc3de0df5e15ac2345776f78c2be22eaf3ac19706db4391cbaf0c633ec700
SHA51296f16b68ab8c0b5a1788f3aaad8bff09738d070792e1e27e9ab84a66bd776308b44c3a8d5d3e478a965ca6958d5e6f3ee76dbc7a2a38a81ea9d6a40773d9785a
-
C:\Users\Admin\AppData\Roaming\5926773.exeMD5
8e1e11bba9787b31d4e17c72cfd78e67
SHA100a49bf8a404dd1fc84363bbcd8be046808cbfbb
SHA2569e55faf1ac1fd4de98a4c4bf022404507946b23ff14b4653b89c73c7c3d053e6
SHA5122d006885addd024614182f61887491c4a95f1ae18e1ed44e0bb3b20911cd2970b8c4f850cacb75cd6eba30f66e055b4703be1c4d9cd9ddd29e33f00c7b60d098
-
C:\Users\Admin\AppData\Roaming\5926773.exeMD5
8e1e11bba9787b31d4e17c72cfd78e67
SHA100a49bf8a404dd1fc84363bbcd8be046808cbfbb
SHA2569e55faf1ac1fd4de98a4c4bf022404507946b23ff14b4653b89c73c7c3d053e6
SHA5122d006885addd024614182f61887491c4a95f1ae18e1ed44e0bb3b20911cd2970b8c4f850cacb75cd6eba30f66e055b4703be1c4d9cd9ddd29e33f00c7b60d098
-
C:\Users\Admin\AppData\Roaming\8518282.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\AppData\Roaming\8518282.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
c75cf058fa1b96eab7f838bc5baa4b4e
SHA15a4dc73ca19d26359d8bb74763bc8b19a0541ab9
SHA2562b780c598c8bf3cf83569f09a8e66450c3f4cc981e53719591cebcd505b12e3c
SHA512d92fe8b6111f85494228f7dc0d91dae695f488e81310e6d55cda68d03bdf431f38a354833d7a269c8986945b3eee00dd7e9757e1b69fa7e0bf5ec61df7644214
-
memory/3432-137-0x00000000029D0000-0x00000000029D1000-memory.dmpFilesize
4KB
-
memory/3432-151-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/3432-148-0x0000000000FE0000-0x0000000001011000-memory.dmpFilesize
196KB
-
memory/3432-141-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB
-
memory/3432-119-0x0000000000000000-mapping.dmp
-
memory/3432-168-0x0000000009900000-0x0000000009901000-memory.dmpFilesize
4KB
-
memory/3432-129-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/3432-166-0x0000000009260000-0x0000000009261000-memory.dmpFilesize
4KB
-
memory/3592-154-0x0000000007470000-0x0000000007471000-memory.dmpFilesize
4KB
-
memory/3592-163-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/3592-125-0x0000000000000000-mapping.dmp
-
memory/3592-169-0x0000000008A50000-0x0000000008A51000-memory.dmpFilesize
4KB
-
memory/3592-135-0x0000000000F00000-0x0000000000F01000-memory.dmpFilesize
4KB
-
memory/3592-131-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/3592-140-0x0000000000F30000-0x0000000000F68000-memory.dmpFilesize
224KB
-
memory/3592-143-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/3592-170-0x0000000009150000-0x0000000009151000-memory.dmpFilesize
4KB
-
memory/3592-157-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/3592-147-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/3592-145-0x0000000007A00000-0x0000000007A01000-memory.dmpFilesize
4KB
-
memory/3592-146-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/3600-136-0x0000000005680000-0x0000000005681000-memory.dmpFilesize
4KB
-
memory/3600-138-0x0000000005690000-0x000000000569E000-memory.dmpFilesize
56KB
-
memory/3600-121-0x0000000000000000-mapping.dmp
-
memory/3600-130-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/3600-144-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/3600-142-0x000000000AD50000-0x000000000AD51000-memory.dmpFilesize
4KB
-
memory/3600-139-0x000000000B250000-0x000000000B251000-memory.dmpFilesize
4KB
-
memory/4264-165-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/4264-164-0x000000000AAA0000-0x000000000AAA1000-memory.dmpFilesize
4KB
-
memory/4264-150-0x0000000000000000-mapping.dmp
-
memory/4648-122-0x0000000000E10000-0x0000000000E12000-memory.dmpFilesize
8KB
-
memory/4648-114-0x0000000000690000-0x0000000000691000-memory.dmpFilesize
4KB
-
memory/4648-116-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/4648-117-0x0000000000BD0000-0x0000000000BEF000-memory.dmpFilesize
124KB
-
memory/4648-118-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB