Overview
overview
10Static
static
7Bird.exe
windows7_x64
10Bird.exe
windows10_x64
10Crystal.exe
windows7_x64
10Crystal.exe
windows10_x64
10Install.exe
windows7_x64
10Install.exe
windows10_x64
10Minecraft_v4.4.exe
windows7_x64
10Minecraft_v4.4.exe
windows10_x64
10NewHacks.exe
windows7_x64
10NewHacks.exe
windows10_x64
10Setup.exe
windows7_x64
10Setup.exe
windows10_x64
10Software p....5.exe
windows7_x64
10Software p....5.exe
windows10_x64
10file3.exe
windows7_x64
10file3.exe
windows10_x64
10forcenitro2.4.1.exe
windows7_x64
7forcenitro2.4.1.exe
windows10_x64
7nitro_gen.exe
windows7_x64
8nitro_gen.exe
windows10_x64
8Analysis
-
max time kernel
129s -
max time network
137s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
11-08-2021 12:52
Static task
static1
Behavioral task
behavioral1
Sample
Bird.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Bird.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Crystal.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Crystal.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
Minecraft_v4.4.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
Minecraft_v4.4.exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
NewHacks.exe
Resource
win7v20210410
Behavioral task
behavioral10
Sample
NewHacks.exe
Resource
win10v20210408
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win7v20210410
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
Software patch v2.0.5.exe
Resource
win7v20210408
Behavioral task
behavioral14
Sample
Software patch v2.0.5.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
file3.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
file3.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
forcenitro2.4.1.exe
Resource
win7v20210408
Behavioral task
behavioral18
Sample
forcenitro2.4.1.exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
nitro_gen.exe
Resource
win7v20210408
Behavioral task
behavioral20
Sample
nitro_gen.exe
Resource
win10v20210410
General
-
Target
file3.exe
-
Size
743KB
-
MD5
4d4bc0c39fc901c1a86ef43fc3bf189a
-
SHA1
4736a94c30917e695ebf58f674632575e383d571
-
SHA256
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
-
SHA512
62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6
Malware Config
Extracted
redline
RUZ
sandedean.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral15/memory/744-109-0x00000000004B0000-0x00000000004CD000-memory.dmp family_redline behavioral15/memory/744-112-0x0000000001CC0000-0x0000000001CDB000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
Processes:
Sgsmmodul.commmscx.exemmscx.exepid Process 736 Sgsmmodul.com 1696 mmscx.exe 744 mmscx.exe -
Loads dropped DLL 4 IoCs
Processes:
cmd.execmd.exemmscx.exepid Process 1928 cmd.exe 920 cmd.exe 920 cmd.exe 1696 mmscx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
mmscx.exedescription pid Process procid_target PID 1696 set thread context of 744 1696 mmscx.exe 42 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 5 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid Process 1256 timeout.exe 856 timeout.exe 1288 timeout.exe 368 timeout.exe 952 timeout.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid Process 1604 taskkill.exe 1308 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
mmscx.exepid Process 744 mmscx.exe 744 mmscx.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskkill.exetaskkill.exemmscx.exedescription pid Process Token: SeDebugPrivilege 1604 taskkill.exe Token: SeDebugPrivilege 1308 taskkill.exe Token: SeDebugPrivilege 744 mmscx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file3.exeWScript.execmd.exeWScript.execmd.exedescription pid Process procid_target PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 1820 wrote to memory of 2032 1820 file3.exe 26 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 2032 wrote to memory of 1928 2032 WScript.exe 27 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 1256 1928 cmd.exe 29 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 736 1928 cmd.exe 33 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 856 1928 cmd.exe 34 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1768 1928 cmd.exe 35 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1928 wrote to memory of 1288 1928 cmd.exe 36 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 1768 wrote to memory of 920 1768 WScript.exe 37 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 1088 920 cmd.exe 39 PID 920 wrote to memory of 368 920 cmd.exe 40 -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 1028 attrib.exe 1088 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file3.exe"C:\Users\Admin\AppData\Local\Temp\file3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\NSpack\updIns\44t.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\timeout.exetimeout 74⤵
- Delays execution with timeout.exe
PID:1256
-
-
C:\NSpack\updIns\Sgsmmodul.com"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar4⤵
- Executes dropped EXE
PID:736
-
-
C:\Windows\SysWOW64\timeout.exetimeout 64⤵
- Delays execution with timeout.exe
PID:856
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\NSpack\updIns\gg4359.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\NSpack\updIns"6⤵
- Views/modifies file attributes
PID:1088
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
PID:368
-
-
C:\NSpack\updIns\mmscx.exemmscx.exe /start6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1696 -
C:\NSpack\updIns\mmscx.exemmscx.exe /start7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sgsmmodul.com6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sgsmmodul.com6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\NSpack\updIns"6⤵
- Views/modifies file attributes
PID:1028
-
-
C:\Windows\SysWOW64\timeout.exetimeout 46⤵
- Delays execution with timeout.exe
PID:952
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 84⤵
- Delays execution with timeout.exe
PID:1288
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
96c69dbc1233bfa7c5e883658e0758d4
SHA1613179fa74db9e71516bdb3a93341e9d90c4ecba
SHA256deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde
SHA51243d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3
-
MD5
061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
MD5
061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
MD5
fbd467e1613c53b03376e987f3dbf2da
SHA1e2ca3ff625122f49e8a382dee32d0ca2f98648bf
SHA256cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68
SHA512e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05
-
MD5
b4be21a8f4bb91b11ccaf08b39b679d5
SHA1b3da567bb1072168b54866ee29301bde61bdc45e
SHA25635e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d
SHA512a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
6a551928353982ab64107a4929c91c91
SHA1b68ee5e77a722638f184d0fbf6a4834bb8cc188e
SHA2560281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3
SHA512870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d
-
MD5
bdc0fb5cada9a89f074961224aaf4e63
SHA19284fe4ecc0fde705fc596dd89191c02915fd7a4
SHA256b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db
SHA51283cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28
-
MD5
061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90