Analysis
- max time kernel: 21s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-07-2021 03:02

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 921A229A73147A43676207D9E0DC39DD.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 921A229A73147A43676207D9E0DC39DD.exe
  Resource: win10v20210408
General
- Target: 921A229A73147A43676207D9E0DC39DD.exe
- Size: 715KB
- MD5: 921a229a73147a43676207d9e0dc39dd
- SHA1: c216d76ba1d80ddbe4613b10bdef18c968cfabf6
- SHA256: 82f6a605e4fda71d67a7f5a6a98fc2db5a9243f8521dd40e85acf89239156971
- SHA512: de2e6cea9ac301c3c7b49a2ac57fbb8a6a018993d62d6622c727740ba9e7d59a5f471babcf0f86f0baa3014830ea09959731a2e8b775967c84b4b8a87f117fa9

Malware Config
- Extracted family: redline
- Botnet ID: @fx0321598
- C2: 103.246.146.46:50702
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
| Resource | YARA rule |
| --- | --- |
| behavioral2/memory/3756-270-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline |
| behavioral2/memory/3756-272-0x0000000000417E46-mapping.dmp | family_redline |
| behavioral2/memory/3756-306-0x0000000005490000-0x0000000005A96000-memory.dmp | family_redline |
-
Executes dropped EXE 4 IoCs
| PID | Process |
| --- | --- |
| 3176 | conhost.exe |
| 4044 | RuntimeBroker.exe |
| 412 | Courant.exe |
| 3756 | Courant.exe |
-
Adds Run key to start application 2 TTPs 1 IoCs
| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ApplicationName = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe" | RuntimeBroker.exe |
-
Drops file in System32 directory 1 IoCs
| Description | IoC | Process |
| --- | --- | --- |
| File created | \??\c:\windows\system32\conhost.exe | conhost.exe |
-
Suspicious use of SetThreadContext 1 IoCs
| Description | PID | Process | Target process |
| --- | --- | --- | --- |
| PID 412 set thread context of 3756 | 412 | Courant.exe | Courant.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
| PID | Process | Occurrences |
| --- | --- | --- |
| 1356 | powershell.exe | 3 |
| 3232 | powershell.exe | 3 |
| 2100 | powershell.exe | 3 |
| 3660 | powershell.exe | 3 |
| 3176 | conhost.exe | 1 |
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
| PID | Process | Tokens adjusted (in order) |
| --- | --- | --- |
| 1356 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 |
| 3232 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 |
| 2100 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 |
-
Suspicious use of WriteProcessMemory 29 IoCs
| Description | PID | Process | Target process | Occurrences |
| --- | --- | --- | --- | --- |
| PID 664 wrote to memory of 3176 | 664 | 921A229A73147A43676207D9E0DC39DD.exe | conhost.exe | 2 |
| PID 664 wrote to memory of 4044 | 664 | 921A229A73147A43676207D9E0DC39DD.exe | RuntimeBroker.exe | 2 |
| PID 664 wrote to memory of 412 | 664 | 921A229A73147A43676207D9E0DC39DD.exe | Courant.exe | 3 |
| PID 3176 wrote to memory of 3424 | 3176 | conhost.exe | cmd.exe | 2 |
| PID 3424 wrote to memory of 1356 | 3424 | cmd.exe | powershell.exe | 2 |
| PID 3424 wrote to memory of 3232 | 3424 | cmd.exe | powershell.exe | 2 |
| PID 412 wrote to memory of 3756 | 412 | Courant.exe | Courant.exe | 3 |
| PID 3424 wrote to memory of 2100 | 3424 | cmd.exe | powershell.exe | 2 |
| PID 3424 wrote to memory of 3660 | 3424 | cmd.exe | powershell.exe | 2 |
| PID 412 wrote to memory of 3756 | 412 | Courant.exe | Courant.exe | 5 |
| PID 3176 wrote to memory of 3188 | 3176 | conhost.exe | cmd.exe | 2 |
| PID 3188 wrote to memory of 3144 | 3188 | cmd.exe | schtasks.exe | 2 |
Processes (indented by depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\921A229A73147A43676207D9E0DC39DD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\921A229A73147A43676207D9E0DC39DD.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\conhost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "conhost" /tr '"c:\windows\system32\conhost.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "conhost" /tr '"c:\windows\system32\conhost.exe"'
        - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    Command line: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    - Executes dropped EXE
    - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Local\Temp\Courant.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Courant.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Courant.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Courant.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 39f2d9ed0265007692e0ea291aeb217b
  SHA1: fa433a95a1138b259c5b639c178f0fcd0cec3ac4
  SHA256: 89dfe748710e2b8bb77afadb0c18778718ea327129c210a72b497aa5f322ae1b
  SHA512: 445a2659d5f80b63204f29b8db1c8ead436f35a2a183463c34080b319d7a29bbab2555646ee718cc047f7bcf6a498d57308015e05d75513519795fdcd12f2c14
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 77da44cffd2a5d63b79e9d84e3a11a73
  SHA1: cd6ea41b07ced73629a3217aa3829b2c5a992b1a
  SHA256: d3f86ffcba44437d76caa1682d5560a66a23cdcc248142031ceabd23c7a7d618
  SHA512: 30b912f6b34e4857ea5253d15e0281446f92e8bd85ea2527d0b5f3af19493d5aa89e9444b4aed435c45560b533c92698c77e252952079c17ee7ad7692b4638a2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 4e435f08215453f3eb16f1d7c4157582
  SHA1: c2cf779dad014d48c2a8ea691aa4534c999ec061
  SHA256: c05f47eea03cdfca22f8cfcdd61d4796bd34b3da7ceaabcb1fb2762d6224cf06
  SHA512: 83e17278740f982f5f8471eaa16fbbbe466be0708da14dc49541f7f79e44caf6619f2a120d2eaa1cb794751332b83db6962c161b02c26ca0409fda4cb757daf9
- C:\Users\Admin\AppData\Local\Temp\Courant.exe (listed three times with identical hashes)
  MD5: 00fb2a44b1e21b04abd23c1734a3c6bb
  SHA1: 29c4be57f69b47c7a3fb7dcc789a24c0bcd73730
  SHA256: 639a69507d10a69d3e4634cff299f048ea44daf93ee5eb186f5b87e03981e9b9
  SHA512: 5fc74f69618d8425b63fa95a1e24737909a3cf56420873ff2deaf9d03f49a6bd7ddca2f6216bf05e5e3a990587f5ddf20d7cf1f6d4aeffba319a533b5805fb72
- C:\Users\Admin\AppData\Local\Temp\conhost.exe (listed twice with identical hashes)
  MD5: 9788e8293bda5e0e9798cc842b446490
  SHA1: b8fe5d2129d70ce0d5f3d736f61e985a28c015b9
  SHA256: 37d94c0ffea439a338a4c5a5267d07ac1aa1f6cf230bc2986f95e4e6d80cf365
  SHA512: 9b08c521d7a1f12b9bbc4dd578d5263decf1a648ac49a44473358007975daf95a1a25ccad0dd75a116911972d5a3ef4a45c3e1061a0b4a7b6cd03db874489a27
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe (listed twice with identical hashes)
  MD5: 881f31a0c18dc646dd2112982754de4a
  SHA1: 0e0026c28dd8072045a8354becdefb439d5e53e0
  SHA256: 28f4a775a412703de465d39a1415a671efdf4bf40f89b1fc2b35c817cd79402d
  SHA512: e8d047cb4ad61162f07c1c89ab911804fdf4494a60e71332e2dbcaa57e816c0f564bb0f3c111d02f1ca4ef01971384796cd809e2904b9ceab523b6b15d7e30d7
Memory dumps
| Dump | Filesize |
| --- | --- |
| memory/412-123-0x0000000000000000-mapping.dmp | |
| memory/412-148-0x0000000000480000-0x0000000000481000-memory.dmp | 4KB |
| memory/412-173-0x0000000004E70000-0x0000000004E71000-memory.dmp | 4KB |
| memory/412-171-0x00000000027F0000-0x00000000027F1000-memory.dmp | 4KB |
| memory/412-169-0x0000000004D00000-0x0000000004D01000-memory.dmp | 4KB |
| memory/1356-130-0x0000000000000000-mapping.dmp | |
| memory/1356-145-0x0000025B7C936000-0x0000025B7C938000-memory.dmp | 8KB |
| memory/1356-146-0x0000025B7C930000-0x0000025B7C932000-memory.dmp | 8KB |
| memory/1356-147-0x0000025B7C933000-0x0000025B7C935000-memory.dmp | 8KB |
| memory/1356-139-0x0000025B7D5F0000-0x0000025B7D5F1000-memory.dmp | 4KB |
| memory/1356-136-0x0000025B7D240000-0x0000025B7D241000-memory.dmp | 4KB |
| memory/1356-191-0x0000025B7C938000-0x0000025B7C939000-memory.dmp | 4KB |
| memory/2100-267-0x000001A598248000-0x000001A598249000-memory.dmp | 4KB |
| memory/2100-233-0x000001A598243000-0x000001A598245000-memory.dmp | 8KB |
| memory/2100-266-0x000001A598246000-0x000001A598248000-memory.dmp | 8KB |
| memory/2100-218-0x0000000000000000-mapping.dmp | |
| memory/2100-232-0x000001A598240000-0x000001A598242000-memory.dmp | 8KB |
| memory/3144-315-0x0000000000000000-mapping.dmp | |
| memory/3176-311-0x00000000011C0000-0x00000000011E1000-memory.dmp | 132KB |
| memory/3176-114-0x0000000000000000-mapping.dmp | |
| memory/3176-143-0x0000000000C10000-0x0000000000C12000-memory.dmp | 8KB |
| memory/3176-312-0x00000000011F0000-0x0000000001201000-memory.dmp | 68KB |
| memory/3176-313-0x000000001D030000-0x000000001D031000-memory.dmp | 4KB |
| memory/3176-126-0x0000000000B60000-0x0000000000B81000-memory.dmp | 132KB |
| memory/3176-118-0x0000000000200000-0x0000000000201000-memory.dmp | 4KB |
| memory/3188-314-0x0000000000000000-mapping.dmp | |
| memory/3232-193-0x000002759B650000-0x000002759B652000-memory.dmp | 8KB |
| memory/3232-198-0x000002759B656000-0x000002759B658000-memory.dmp | 8KB |
| memory/3232-231-0x000002759B658000-0x000002759B659000-memory.dmp | 4KB |
| memory/3232-196-0x000002759B653000-0x000002759B655000-memory.dmp | 8KB |
| memory/3232-176-0x0000000000000000-mapping.dmp | |
| memory/3424-128-0x0000000000000000-mapping.dmp | |
| memory/3660-309-0x000001EE2B6A8000-0x000001EE2B6A9000-memory.dmp | 4KB |
| memory/3660-304-0x000001EE2B6A6000-0x000001EE2B6A8000-memory.dmp | 8KB |
| memory/3660-271-0x000001EE2B6A3000-0x000001EE2B6A5000-memory.dmp | 8KB |
| memory/3660-269-0x000001EE2B6A0000-0x000001EE2B6A2000-memory.dmp | 8KB |
| memory/3660-257-0x0000000000000000-mapping.dmp | |
| memory/3756-307-0x0000000005560000-0x0000000005561000-memory.dmp | 4KB |
| memory/3756-289-0x0000000005520000-0x0000000005521000-memory.dmp | 4KB |
| memory/3756-281-0x00000000054C0000-0x00000000054C1000-memory.dmp | 4KB |
| memory/3756-306-0x0000000005490000-0x0000000005A96000-memory.dmp | 6.0MB |
| memory/3756-272-0x0000000000417E46-mapping.dmp | |
| memory/3756-277-0x0000000005AA0000-0x0000000005AA1000-memory.dmp | 4KB |
| memory/3756-310-0x00000000057D0000-0x00000000057D1000-memory.dmp | 4KB |
| memory/3756-270-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB |
| memory/4044-144-0x000000001BD02000-0x000000001BD03000-memory.dmp | 4KB |
| memory/4044-127-0x0000000000DD0000-0x0000000000DD1000-memory.dmp | 4KB |
| memory/4044-122-0x00000000009C0000-0x00000000009C1000-memory.dmp | 4KB |
| memory/4044-117-0x0000000000000000-mapping.dmp | |