Resubmissions

14-07-2021 13:01

210714-w4kvm4debj 10

13-07-2021 10:45

210713-9ptm893yfs 10

Analysis

  • max time kernel
    1792s
  • max time network
    1797s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-07-2021 10:45

General

  • Target

    Install.EXE

  • Size

    1.3MB

  • MD5

    eadac911eb5d946a0dbb7ac77887abfc

  • SHA1

    0d20d32fc2bcf8663af5a140179e95364ac48543

  • SHA256

    261923e2c95ef441a2f1f8e62572b57ed774b249db4d7a24ea06690e68fe381f

  • SHA512

    40648c500c7659f9213e8687f8b2bc1c61970dfb2b7a4444588c93d2a858c388f1975fc5045054047b6b75357d14f6c86dcfe128fc0615efd748eee61f646f81

Malware Config

Extracted

Family

redline

Botnet

Build1

C2

45.142.213.135:30058

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install.EXE
    "C:\Users\Admin\AppData\Local\Temp\Install.EXE"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS9224.tmp\Install.cmd" "
        3⤵
        • Checks computer location settings
        PID:3024
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:604
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:508
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3672
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
  • Command and Control
    Web Service (T1102): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS9224.tmp\Install.cmd
    MD5

    010c7779e83876c22f45f754962d0685

    SHA1

    3dc920d75918c952aa23ef94db66a1bafd514665

    SHA256

    3746731d0dec1f85576eb810f06dcfc763624ef13a306ec5dcd1b5ed00e3beb9

    SHA512

    2f5e06598ce7ea29cdedfd5e8306ab2a7e916a36a1430bf4fcb5a28fd2d73fd8a6aafcc1bcde6c28a7e3d09227761e2004b0e23f7e8a67b434f3ddc4ad9d6cfd

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
    MD5

    dc8a248e89370a0aa5f00b0724146b64

    SHA1

    49f639b4182eac5afbb245d1c30d37bb86e8251c

    SHA256

    207a10eb249d3c413f441a8b53080ecb8e0cb08acaf5df56b9bf274c0cc5f5f9

    SHA512

    a4c89ff18885ed67777e2e4e8760e2312bf4a9d722cae63bf9ffa56d0953e42c401f92cd9ba2f0443537d435b5814e6097f0cda23b88388f811fa512c88dfe6f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
    MD5

    54db9520f3db0b612c492cd14b689b98

    SHA1

    cacba09c6883605d3918626c4a92cc4cb846bcda

    SHA256

    8b013095eac15ef06fd67f6c2f101dfe14c04a33a10d63e278ee5d506c862910

    SHA512

    3cf6bd666d66ac95ed4b601ac0990839edac41f12786b8201778930daf42a72d53768c0eabaf84357e5741e10b9e4bbd0a219773e31791df863e7d8a3a7d584e

  • memory/1840-119-0x00000000004A0000-0x00000000004A1000-memory.dmp
    Filesize

    4KB

  • memory/1840-123-0x0000000004E10000-0x0000000004E11000-memory.dmp
    Filesize

    4KB

  • memory/1840-122-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize

    4KB

  • memory/1840-116-0x0000000000000000-mapping.dmp
  • memory/1840-121-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
    Filesize

    4KB

  • memory/3024-137-0x0000000000000000-mapping.dmp
  • memory/3184-130-0x0000000000000000-mapping.dmp
  • memory/3492-129-0x0000000005510000-0x0000000005511000-memory.dmp
    Filesize

    4KB

  • memory/3492-133-0x0000000002970000-0x0000000002971000-memory.dmp
    Filesize

    4KB

  • memory/3492-134-0x0000000004F40000-0x0000000004F41000-memory.dmp
    Filesize

    4KB

  • memory/3492-135-0x0000000004F80000-0x0000000004F81000-memory.dmp
    Filesize

    4KB

  • memory/3492-136-0x0000000004F00000-0x0000000005506000-memory.dmp
    Filesize

    6.0MB

  • memory/3492-125-0x0000000000417E9A-mapping.dmp
  • memory/3492-138-0x00000000051D0000-0x00000000051D1000-memory.dmp
    Filesize

    4KB

  • memory/3492-124-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB