Analysis
-
max time kernel: 48s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 22-07-2021 07:19
Static task: static1
Behavioral task: behavioral1 (Sample: mixazed_20210722-085032.exe; Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: mixazed_20210722-085032.exe; Resource: win10v20210410)
General
-
Target: mixazed_20210722-085032.exe
Size: 1.1MB
MD5: ff6f0a35a5c1198e8b0f72822acf90c0
SHA1: 1a26b1307b1a9c4ca699eeffe316ca5ee696b4bd
SHA256: 5d3c164a69533582e2fcaaf4d39165a1eeba9c63d1b4a81971e5f2f7ab19513a
SHA512: c1f4469570c7b2a899615a9099f5eecdc284d879d26b11ab599e76257c2c7e823c01d64fb864588ecd98ab2ef610cd3d34a2f4c2e1ccf2378bfdbe49568654b8
Malware Config
-
Extracted
Family: redline
Botnet: Nerino 10k
C2: salanoajalio.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
Processes:
resource                                                                        yara_rule
behavioral2/memory/3256-131-0x0000000000420000-0x000000000043E000-memory.dmp    family_redline
behavioral2/memory/3256-140-0x00000000049F0000-0x0000000004FF6000-memory.dmp    family_redline
-
Executes dropped EXE (3 IoCs)
Processes:
pid    process
3672   Riflettere.exe.com
3156   Riflettere.exe.com
3256   RegAsm.exe
-
Drops startup file (1 IoC)
Processes:
description    ioc                                                                                          process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sMPymSRdde.url   Riflettere.exe.com
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                           pid    process              target process
PID 3156 set thread context of 3256   3156   Riflettere.exe.com   RegAsm.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
pid    process
3156   Riflettere.exe.com   (18 entries)
3256   RegAsm.exe           (6 entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid    process
Token: SeDebugPrivilege   3256   RegAsm.exe
-
Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
description                        pid    process                       target process
PID 4060 wrote to memory of 2420   4060   mixazed_20210722-085032.exe   cmd.exe              (3 entries)
PID 2420 wrote to memory of 2880   2420   cmd.exe                       cmd.exe              (3 entries)
PID 2880 wrote to memory of 2888   2880   cmd.exe                       findstr.exe          (3 entries)
PID 2880 wrote to memory of 3672   2880   cmd.exe                       Riflettere.exe.com   (3 entries)
PID 2880 wrote to memory of 3656   2880   cmd.exe                       PING.EXE             (3 entries)
PID 3672 wrote to memory of 3156   3672   Riflettere.exe.com            Riflettere.exe.com   (3 entries)
PID 3156 wrote to memory of 3256   3156   Riflettere.exe.com            RegAsm.exe           (4 entries)
PID 4060 wrote to memory of 2840   4060   mixazed_20210722-085032.exe   cmd.exe              (3 entries)
PID 3156 wrote to memory of 3256   3156   Riflettere.exe.com            RegAsm.exe           (1 entry)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\mixazed_20210722-085032.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mixazed_20210722-085032.exe"
  - Suspicious use of WriteProcessMemory
-
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Turbamento.vstm
    - Suspicious use of WriteProcessMemory
-
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
-
      (depth 4) C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^hNdVJZVWpvpxZESWIqQkxENNmvhdviIwPmhAAYtASQCtHpazVhBEhjrIZCvjLFmeNiFmsacJWdzDeJufrUcpGrODcFAXCROhdAdAETeDRSHXSmGf$" Dall.vstm
-
      (depth 4) C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
        Command line: Riflettere.exe.com e
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
-
        (depth 5) C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com e
          - Executes dropped EXE
          - Drops startup file
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
-
          (depth 6) C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
-
      (depth 4) C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        - Runs ping.exe
-
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
MD5: 57db6339bf01bb586eb9df30a4b2c5cd
SHA1: 9423ef97b4ec1d231a06b85deaf7ed6c732f7677
SHA256: 37fbea0447bf4aba5e2b0b2c3ab59fe99b2c4dbfe3dc12a6904d8658fba143da
SHA512: 530b25f920e682c99c93f4ae2b8fb8c0dc30539c64432f6b7039bd05963df49606ea3a6f60f13f924de877e9f4e9f6b364c25687bf3b1820b5ed8760e00cea08
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dall.vstm
MD5: 6b13e966110ee6e64ccb974759bcbb9c
SHA1: b16222d128e4ddbdf3d7e186b44d411c16ea592c
SHA256: 6ba1cae5717e6842405f1ba06661c9df37ca5a79ae7d9fa35459fe38f6e65af2
SHA512: 51ada73bf7f81a87b71d3e772f195ed91cdf992ece565213bcc4504d08cad6dc8db8ea3b844dbbb534236d82a095f5c85ea6dc5a3d40f468fa324575ecb39de7
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenga.vstm
MD5: 1d909c5d5af918d424db0cd799ddfbc1
SHA1: 32a190c07db8573e7e393c3e358f148a755944f1
SHA256: 19c779f7cc2972c2b4baa8e67142d71dbc14da72c5855ab1d035babb59f082b8
SHA512: 9937dfc59a83a2a3d08138a97a2c5e9707a63a11c9f99afd8dd699538b78cb97396c58271bd3303a83eae8808f0ddbaece303fa39f67013289e4a2d04167ffdd
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puo.vstm
MD5: 979131f1f9a50d2ecb059c6078b188af
SHA1: 18a535e0b35dddb22d9242553491eb909d77f46c
SHA256: 0acdedd5b3469a6372d76de6de9435e38a098ef157453728b5090baf7228361d
SHA512: c3677e96345ce5da150bebcb54a508bfc814cc1c2d688a024318aa24d060e764dfd8338694e4cfef8580359bdb021e3130feb26f5faa92a4efc6ab072d07af56
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turbamento.vstm
MD5: d01168146bbd77f8d20ae7cb2eea7e25
SHA1: 5d7d4727c4e9d1d6e4ce66f370f37cbf78c5d61c
SHA256: d54ce92e200a2e181865bc5c26dcef24d2f95bd47fa03c893ea6fcc91e761093
SHA512: a37d5d1b2d77a4d6b49baf50f82926be3bdf82a5061bc488e07aefd4d171ee274b7091d7b37bd25959b771712d7768ead80b071b63f1bd6ef7825e643336fdf8
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\e
MD5: 1d909c5d5af918d424db0cd799ddfbc1
SHA1: 32a190c07db8573e7e393c3e358f148a755944f1
SHA256: 19c779f7cc2972c2b4baa8e67142d71dbc14da72c5855ab1d035babb59f082b8
SHA512: 9937dfc59a83a2a3d08138a97a2c5e9707a63a11c9f99afd8dd699538b78cb97396c58271bd3303a83eae8808f0ddbaece303fa39f67013289e4a2d04167ffdd
-
memory/2420-114-0x0000000000000000-mapping.dmp
-
memory/2840-129-0x0000000000000000-mapping.dmp
-
memory/2880-116-0x0000000000000000-mapping.dmp
-
memory/2888-117-0x0000000000000000-mapping.dmp
-
memory/3156-128-0x00000000008A0000-0x00000000008A1000-memory.dmp (Filesize: 4KB)
-
memory/3156-124-0x0000000000000000-mapping.dmp
-
memory/3256-141-0x0000000004D80000-0x0000000004D81000-memory.dmp (Filesize: 4KB)
-
memory/3256-140-0x00000000049F0000-0x0000000004FF6000-memory.dmp (Filesize: 6.0MB)
-
memory/3256-146-0x0000000006340000-0x0000000006341000-memory.dmp (Filesize: 4KB)
-
memory/3256-136-0x0000000005000000-0x0000000005001000-memory.dmp (Filesize: 4KB)
-
memory/3256-137-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize: 4KB)
-
memory/3256-138-0x0000000004AD0000-0x0000000004AD1000-memory.dmp (Filesize: 4KB)
-
memory/3256-139-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize: 4KB)
-
memory/3256-145-0x0000000006EA0000-0x0000000006EA1000-memory.dmp (Filesize: 4KB)
-
memory/3256-131-0x0000000000420000-0x000000000043E000-memory.dmp (Filesize: 120KB)
-
memory/3256-142-0x0000000005D70000-0x0000000005D71000-memory.dmp (Filesize: 4KB)
-
memory/3256-143-0x0000000006470000-0x0000000006471000-memory.dmp (Filesize: 4KB)
-
memory/3256-144-0x0000000005F40000-0x0000000005F41000-memory.dmp (Filesize: 4KB)
-
memory/3656-122-0x0000000000000000-mapping.dmp
-
memory/3672-120-0x0000000000000000-mapping.dmp