Analysis

  • max time kernel
    7s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    21-07-2021 20:57

General

  • Target

    7ED02CA6683BAE4874C4C904866F2E96.exe

  • Size

    1.1MB

  • MD5

    7ed02ca6683bae4874c4c904866f2e96

  • SHA1

    b3ab594e008a7507a3b5b103de156c27e1ecdbbe

  • SHA256

    926d1980fcca74794210a126faebacadeeb1b81a328f1d382531945b703f8aae

  • SHA512

    799a8a8bdc3b7bdf8e9ad11cc0f8d6b773d97fdd2a763f70acdf514179d446f87017394c2c2b1483e80a06d0e5a0d502d8acd34be40d073b4b81ad62407b1e98

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ED02CA6683BAE4874C4C904866F2E96.exe
    "C:\Users\Admin\AppData\Local\Temp\7ED02CA6683BAE4874C4C904866F2E96.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /F /PID 1180 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7ED02CA6683BAE4874C4C904866F2E96.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1180
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:808

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/808-65-0x0000000000000000-mapping.dmp

  • memory/1180-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

    Filesize

    8KB

  • memory/1180-60-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

  • memory/1180-62-0x0000000002E20000-0x0000000002E21000-memory.dmp

    Filesize

    4KB

  • memory/1508-63-0x0000000000000000-mapping.dmp

  • memory/1636-64-0x0000000000000000-mapping.dmp