Analysis
- max time kernel: 41s
- max time network: 42s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 10:54
Static task: static1
Behavioral task: behavioral1
Sample: file3.exe
Resource: win7v20210408
General
- Target: file3.exe
- Size: 723KB
- MD5: 5c7a96e9e751658f051daa79ac1e4cf0
- SHA1: 786f93d12910979c125ae6de7335d1aa80b5ed3e
- SHA256: a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
- SHA512: e624b68903efab2b7cd287b8c48e8afb08399770d0533238de2d0e17944dde9d8587041de81499b8c8b737bdbfb9e87f06539cdfff5c0d8da2713916512e0de9
Malware Config
Extracted
redline
stanntinab.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/784-109-0x0000000001FE0000-0x0000000001FFC000-memory.dmp  family_redline
behavioral1/memory/784-113-0x0000000002150000-0x000000000216B000-memory.dmp  family_redline
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
664   hock.exe
1504  sid.exe
784   sid.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1320  cmd.exe
1020  cmd.exe
1020  cmd.exe
1504  sid.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid   process  target process
PID 1504 set thread context of 784  1504  sid.exe  sid.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 5 IoCs
Processes:
pid   process
1544  timeout.exe
464   timeout.exe
1100  timeout.exe
1016  timeout.exe
1264  timeout.exe
-
Kills process with taskkill 2 IoCs
Processes:
pid   process
1768  taskkill.exe
1684  taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
784   sid.exe
784   sid.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1768  taskkill.exe
Token: SeDebugPrivilege  1684  taskkill.exe
Token: SeDebugPrivilege  784   sid.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process      target process
PID 1028 wrote to memory of 1756  1028  file3.exe    WScript.exe
PID 1756 wrote to memory of 1320  1756  WScript.exe  cmd.exe
PID 1320 wrote to memory of 464   1320  cmd.exe      timeout.exe
PID 1320 wrote to memory of 664   1320  cmd.exe      hock.exe
PID 1320 wrote to memory of 1100  1320  cmd.exe      timeout.exe
PID 1320 wrote to memory of 932   1320  cmd.exe      WScript.exe
PID 1320 wrote to memory of 1016  1320  cmd.exe      timeout.exe
PID 932 wrote to memory of 1020   932   WScript.exe  cmd.exe
PID 1020 wrote to memory of 1752  1020  cmd.exe      attrib.exe
PID 1020 wrote to memory of 1264  1020  cmd.exe      timeout.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid   process
1752  attrib.exe
584   attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file3.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\file3.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe (level 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\inst1\datapjgf\5g56656161.vbs" /f=CREATE_NO_WINDOW install.cmd
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: cmd /c ""C:\inst1\datapjgf\yui.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe (level 4)
Command line: timeout 7
- Delays execution with timeout.exe
-
C:\inst1\datapjgf\hock.exe (level 4)
Command line: "hock.exe" e -pfile kool.rar
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exe (level 4)
Command line: timeout 6
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe (level 4)
Command line: "C:\Windows\System32\WScript.exe" "C:\inst1\datapjgf\als.vbs"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 5)
Command line: cmd /c ""C:\inst1\datapjgf\fsp.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exe (level 6)
Command line: attrib +s +h "C:\inst1"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exe (level 6)
Command line: timeout 2
- Delays execution with timeout.exe
-
C:\inst1\datapjgf\sid.exe (level 6)
Command line: sid.exe /start
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\inst1\datapjgf\sid.exe (level 7)
Command line: sid.exe /start
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe (level 6)
Command line: taskkill /f /im hock.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe (level 6)
Command line: taskkill /f /im hock.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exe (level 6)
Command line: attrib -s -h "C:\inst1\datapjgf"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exe (level 6)
Command line: timeout 4
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exe (level 4)
Command line: timeout 8
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads