Resubmissions

14-07-2021 13:01

210714-w4kvm4debj 10

13-07-2021 10:45

210713-9ptm893yfs 10

Analysis

  • max time kernel
    1779s
  • max time network
    1791s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-07-2021 10:45

General

  • Target

    Install.EXE

  • Size

    1.3MB

  • MD5

    eadac911eb5d946a0dbb7ac77887abfc

  • SHA1

    0d20d32fc2bcf8663af5a140179e95364ac48543

  • SHA256

    261923e2c95ef441a2f1f8e62572b57ed774b249db4d7a24ea06690e68fe381f

  • SHA512

    40648c500c7659f9213e8687f8b2bc1c61970dfb2b7a4444588c93d2a858c388f1975fc5045054047b6b75357d14f6c86dcfe128fc0615efd748eee61f646f81

Malware Config

Extracted

  • Family
    redline
  • Botnet
    Build1
  • C2
    45.142.213.135:30058

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install.EXE
    "C:\Users\Admin\AppData\Local\Temp\Install.EXE"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS1A35.tmp\Install.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1C2ka7
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:388
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:388 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (2) T1112
  • Discovery
    System Information Discovery (1) T1082
  • Command and Control
    Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
  • C:\Users\Admin\AppData\Local\Temp\7zS1A35.tmp\Install.cmd
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F833ERC3.txt
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
  • memory/388-79-0x0000000000000000-mapping.dmp
  • memory/592-76-0x0000000000000000-mapping.dmp
  • memory/756-74-0x0000000075721000-0x0000000075723000-memory.dmp
    Filesize

    8KB

  • memory/756-70-0x0000000000000000-mapping.dmp
  • memory/1048-59-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
    Filesize

    8KB

  • memory/1520-82-0x0000000000000000-mapping.dmp
  • memory/1964-71-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/1964-68-0x0000000000417E9A-mapping.dmp
  • memory/1964-80-0x0000000004390000-0x0000000004391000-memory.dmp
    Filesize

    4KB

  • memory/1964-67-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/2020-65-0x0000000004A40000-0x0000000004A41000-memory.dmp
    Filesize

    4KB

  • memory/2020-63-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
    Filesize

    4KB

  • memory/2020-60-0x0000000000000000-mapping.dmp