Analysis
- Max time kernel: 123s
- Max time network: 160s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 08-07-2021 07:06
Behavioral tasks (task: sample, resource)
- behavioral1: 1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe, win7v20210408
- behavioral2: 1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe, win10v20210410
- behavioral3: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe, win7v20210408
- behavioral4: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe, win10v20210410
- behavioral5: 25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe, win7v20210410
- behavioral6: 25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe, win10v20210408
- behavioral7: 54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe, win7v20210410
- behavioral8: 54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe, win10v20210408
- behavioral9: 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe, win7v20210410
- behavioral10: 7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe, win10v20210408
- behavioral11: 9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe, win7v20210410
- behavioral12: 9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe, win10v20210410
- behavioral13: a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe, win7v20210408
- behavioral14: a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe, win10v20210410
- behavioral15: aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe, win7v20210408
- behavioral16: aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe, win10v20210410
- behavioral17: d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe, win7v20210408
General
- Target: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
- Size: 541KB
- MD5: 616b97038b6328ae6e45a08077df4a7a
- SHA1: 11473c1f0515f06579e7704dc036bbc620c7510a
- SHA256: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6
- SHA512: 4730733b4be691840fa1905fc4bfeeeba7ebb06e10d24cfe78a285a3e518a2f2ba31bbc378cda68edf4311df322fd137ed1f65d4b844737e9f0df547506c04e0
Malware Config
Extracted
- Family: redline
- Botnet: @Seno_47
- C2: 45.81.227.32:22625
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes (resource: yara_rule):
  - \Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe: family_redline
  - C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe: family_redline
  - C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe: family_redline
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1996 output.exe
  - 588 dzoqJSDcPbIwOOKTjoecqmXX.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 1832 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe (listed 4 times)
  - 1996 output.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 9: checkip.amazonaws.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 588 dzoqJSDcPbIwOOKTjoecqmXX.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 1832 wrote to memory of 1996: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe -> output.exe (listed 4 times)
  - PID 1996 wrote to memory of 588: output.exe -> dzoqJSDcPbIwOOKTjoecqmXX.exe (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\output.exe
    Command line: "C:\Users\Admin\AppData\Roaming\output.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe (also listed as \Users\Admin\AppData\Local\Temp\dzoqJSDcPbIwOOKTjoecqmXX.exe)
  - MD5: f4bbbbd0c06b5b5f46386ad1db6227b0
  - SHA1: 5a026b7ed8c49b1213a6393e938c91399ff33eb8
  - SHA256: 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d
  - SHA512: 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48
- C:\Users\Admin\AppData\Roaming\output.exe (also listed as \Users\Admin\AppData\Roaming\output.exe)
  - MD5: 2f376ad2903620fd9f52c4d8af903777
  - SHA1: 726ecc2dff7d3af1b4d03591761183f70c9a1242
  - SHA256: e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215
  - SHA512: 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb
- memory/588-72-0x0000000000000000-mapping.dmp
- memory/588-75-0x00000000003A0000-0x00000000003A1000-memory.dmp (Filesize: 4KB)
- memory/588-77-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize: 4KB)
- memory/1832-60-0x00000000762C1000-0x00000000762C3000-memory.dmp (Filesize: 8KB)
- memory/1996-70-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
- memory/1996-68-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
- memory/1996-65-0x0000000000000000-mapping.dmp