Analysis
- max time kernel: 26s
- max time network: 68s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 25-07-2021 00:11
Static task: static1
Behavioral task: behavioral1
- Sample: 9E410393702B6902ABDE53FC8B588527.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 9E410393702B6902ABDE53FC8B588527.exe
- Resource: win10v20210408
General
- Target: 9E410393702B6902ABDE53FC8B588527.exe
- Size: 2.3MB
- MD5: 9e410393702b6902abde53fc8b588527
- SHA1: 0a4d2250a4d47e4e9993e0e806545d8731fe5b35
- SHA256: 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
- SHA512: 66353988d7a905232f1a7462397c4cc1eba7eed1a819a6f5ed22ddff050f97624a702d3780c535eef08eac0bebde1b9d4a92f08c35fcab266e6a77ab3c5f5386
Malware Config
Extracted
redline
@menvzlomali
xetadycami.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe | family_redline
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
4060 | 7z.exe
3768 | 7z.exe
2972 | 7z.exe
3824 | 7z.exe
3684 | 7z.exe
2060 | @menvzlomali.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
4060 | 7z.exe
3768 | 7z.exe
2972 | 7z.exe
3824 | 7z.exe
3684 | 7z.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials among other data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2060 | @menvzlomali.exe
2060 | @menvzlomali.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 4060 | 7z.exe
Token: 35 | 4060 | 7z.exe
Token: SeSecurityPrivilege | 4060 | 7z.exe
Token: SeSecurityPrivilege | 4060 | 7z.exe
Token: SeRestorePrivilege | 3768 | 7z.exe
Token: 35 | 3768 | 7z.exe
Token: SeSecurityPrivilege | 3768 | 7z.exe
Token: SeSecurityPrivilege | 3768 | 7z.exe
Token: SeRestorePrivilege | 2972 | 7z.exe
Token: 35 | 2972 | 7z.exe
Token: SeSecurityPrivilege | 2972 | 7z.exe
Token: SeSecurityPrivilege | 2972 | 7z.exe
Token: SeRestorePrivilege | 3824 | 7z.exe
Token: 35 | 3824 | 7z.exe
Token: SeSecurityPrivilege | 3824 | 7z.exe
Token: SeSecurityPrivilege | 3824 | 7z.exe
Token: SeRestorePrivilege | 3684 | 7z.exe
Token: 35 | 3684 | 7z.exe
Token: SeSecurityPrivilege | 3684 | 7z.exe
Token: SeSecurityPrivilege | 3684 | 7z.exe
Token: SeDebugPrivilege | 2060 | @menvzlomali.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 628 wrote to memory of 3612 | 628 | 9E410393702B6902ABDE53FC8B588527.exe | cmd.exe
PID 628 wrote to memory of 3612 | 628 | 9E410393702B6902ABDE53FC8B588527.exe | cmd.exe
PID 3612 wrote to memory of 3048 | 3612 | cmd.exe | mode.com
PID 3612 wrote to memory of 3048 | 3612 | cmd.exe | mode.com
PID 3612 wrote to memory of 4060 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 4060 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 3768 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 3768 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 2972 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 2972 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 3824 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 3824 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 3684 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 3684 | 3612 | cmd.exe | 7z.exe
PID 3612 wrote to memory of 1344 | 3612 | cmd.exe | attrib.exe
PID 3612 wrote to memory of 1344 | 3612 | cmd.exe | attrib.exe
PID 3612 wrote to memory of 2060 | 3612 | cmd.exe | @menvzlomali.exe
PID 3612 wrote to memory of 2060 | 3612 | cmd.exe | @menvzlomali.exe
PID 3612 wrote to memory of 2060 | 3612 | cmd.exe | @menvzlomali.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      command line: mode 65,10
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      command line: 7z.exe e file.zip -p -oextracted
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      command line: 7z.exe e extracted/file_4.zip -oextracted
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      command line: 7z.exe e extracted/file_3.zip -oextracted
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      command line: 7z.exe e extracted/file_2.zip -oextracted
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      command line: 7z.exe e extracted/file_1.zip -oextracted
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\attrib.exe
      command line: attrib +H "@menvzlomali.exe"
      signatures: Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
      command line: "@menvzlomali.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads