Analysis
max time kernel: 19s
max time network: 161s
platform: windows10_x64
resource: win10v20210408
submitted: 22-07-2021 02:17

Static task: static1
Behavioral task: behavioral1
  Sample: 921A229A73147A43676207D9E0DC39DD.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 921A229A73147A43676207D9E0DC39DD.exe
  Resource: win10v20210408

General
Target: 921A229A73147A43676207D9E0DC39DD.exe
Size: 715KB
MD5: 921a229a73147a43676207d9e0dc39dd
SHA1: c216d76ba1d80ddbe4613b10bdef18c968cfabf6
SHA256: 82f6a605e4fda71d67a7f5a6a98fc2db5a9243f8521dd40e85acf89239156971
SHA512: de2e6cea9ac301c3c7b49a2ac57fbb8a6a018993d62d6622c727740ba9e7d59a5f471babcf0f86f0baa3014830ea09959731a2e8b775967c84b4b8a87f117fa9
Malware Config
Extracted
redline
@fx0321598
103.246.146.46:50702
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
  resource                                                                      yara_rule
  behavioral2/memory/2164-289-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral2/memory/2164-291-0x0000000000417E46-mapping.dmp                    family_redline
Executes dropped EXE 4 IoCs
  pid   process
  2036  conhost.exe
  3428  RuntimeBroker.exe
  3688  Courant.exe
  2164  Courant.exe
Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc                                                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ApplicationName = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe"  RuntimeBroker.exe
Drops file in System32 directory 1 IoCs
  description   ioc                                  process
  File created  \??\c:\windows\system32\conhost.exe  conhost.exe
Suspicious use of SetThreadContext 1 IoCs
  description                          pid   process      target process
  PID 3688 set thread context of 2164  3688  Courant.exe  Courant.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 13 IoCs
  pid   process         occurrences
  3316  powershell.exe  3
  2304  powershell.exe  3
  4388  powershell.exe  3
  4500  powershell.exe  3
  2036  conhost.exe     1
Suspicious use of AdjustPrivilegeToken 64 IoCs
  pid 3316, powershell.exe, tokens in order observed:
    SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2304, powershell.exe, tokens in order observed:
    SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4388, powershell.exe, tokens in order observed:
    SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of WriteProcessMemory 29 IoCs
  description                       pid   process                               target process     occurrences
  PID 4648 wrote to memory of 2036  4648  921A229A73147A43676207D9E0DC39DD.exe  conhost.exe        2
  PID 4648 wrote to memory of 3428  4648  921A229A73147A43676207D9E0DC39DD.exe  RuntimeBroker.exe  2
  PID 4648 wrote to memory of 3688  4648  921A229A73147A43676207D9E0DC39DD.exe  Courant.exe        3
  PID 2036 wrote to memory of 4260  2036  conhost.exe                           cmd.exe            2
  PID 4260 wrote to memory of 3316  4260  cmd.exe                               powershell.exe     2
  PID 3688 wrote to memory of 2164  3688  Courant.exe                           Courant.exe        3
  PID 4260 wrote to memory of 2304  4260  cmd.exe                               powershell.exe     2
  PID 4260 wrote to memory of 4388  4260  cmd.exe                               powershell.exe     2
  PID 4260 wrote to memory of 4500  4260  cmd.exe                               powershell.exe     2
  PID 3688 wrote to memory of 2164  3688  Courant.exe                           Courant.exe        5
  PID 2036 wrote to memory of 816   2036  conhost.exe                           cmd.exe            2
  PID 816 wrote to memory of 1076   816   cmd.exe                               schtasks.exe       2
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\921A229A73147A43676207D9E0DC39DD.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\921A229A73147A43676207D9E0DC39DD.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\conhost.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\conhost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\cmd.exe
      cmdline: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "conhost" /tr '"c:\windows\system32\conhost.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        cmdline: schtasks /create /f /sc onlogon /rl highest /tn "conhost" /tr '"c:\windows\system32\conhost.exe"'
        - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    cmdline: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    - Executes dropped EXE
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\Courant.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\Courant.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Courant.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\Courant.exe
      - Executes dropped EXE
Downloads