Analysis

  • max time kernel
    129s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-08-2021 12:52

General

  • Target

    file3.exe

  • Size

    743KB

  • MD5

    4d4bc0c39fc901c1a86ef43fc3bf189a

  • SHA1

    4736a94c30917e695ebf58f674632575e383d571

  • SHA256

    1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

  • SHA512

    62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Malware Config

Extracted

Family

redline

Botnet

RUZ

C2

sandedean.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 5 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file3.exe
    "C:\Users\Admin\AppData\Local\Temp\file3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\NSpack\updIns\44t.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • Delays execution with timeout.exe
          PID:1256
        • C:\NSpack\updIns\Sgsmmodul.com
          "Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
          4⤵
          • Executes dropped EXE
          PID:736
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:856
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\NSpack\updIns\gg4359.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:920
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\NSpack\updIns"
              6⤵
              • Views/modifies file attributes
              PID:1088
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:368
            • C:\NSpack\updIns\mmscx.exe
              mmscx.exe /start
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              PID:1696
              • C:\NSpack\updIns\mmscx.exe
                mmscx.exe /start
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:744
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Sgsmmodul.com
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1604
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Sgsmmodul.com
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1308
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\NSpack\updIns"
              6⤵
              • Views/modifies file attributes
              PID:1028
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:952
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:1288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\NSpack\updIns\44t.bat

    MD5

    96c69dbc1233bfa7c5e883658e0758d4

    SHA1

    613179fa74db9e71516bdb3a93341e9d90c4ecba

    SHA256

    deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde

    SHA512

    43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

  • C:\NSpack\updIns\Sgsmmodul.com

    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • C:\NSpack\updIns\Sgsmmodul.com

    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • C:\NSpack\updIns\dc.isi

    MD5

    fbd467e1613c53b03376e987f3dbf2da

    SHA1

    e2ca3ff625122f49e8a382dee32d0ca2f98648bf

    SHA256

    cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68

    SHA512

    e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

  • C:\NSpack\updIns\gg4359.bat

    MD5

    b4be21a8f4bb91b11ccaf08b39b679d5

    SHA1

    b3da567bb1072168b54866ee29301bde61bdc45e

    SHA256

    35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d

    SHA512

    a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

  • C:\NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • C:\NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • C:\NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • C:\NSpack\updIns\sevenup.vbs

    MD5

    6a551928353982ab64107a4929c91c91

    SHA1

    b68ee5e77a722638f184d0fbf6a4834bb8cc188e

    SHA256

    0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3

    SHA512

    870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

  • C:\NSpack\updIns\tetracom.vbs

    MD5

    bdc0fb5cada9a89f074961224aaf4e63

    SHA1

    9284fe4ecc0fde705fc596dd89191c02915fd7a4

    SHA256

    b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db

    SHA512

    83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

  • \NSpack\updIns\Sgsmmodul.com

    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • \NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • \NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • \NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • memory/368-87-0x0000000000000000-mapping.dmp

  • memory/736-72-0x0000000000000000-mapping.dmp

  • memory/744-111-0x0000000004862000-0x0000000004863000-memory.dmp

    Filesize

    4KB

  • memory/744-114-0x0000000004864000-0x0000000004866000-memory.dmp

    Filesize

    8KB

  • memory/744-96-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/744-97-0x000000000040CD2F-mapping.dmp

  • memory/744-108-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/744-112-0x0000000001CC0000-0x0000000001CDB000-memory.dmp

    Filesize

    108KB

  • memory/744-110-0x0000000004861000-0x0000000004862000-memory.dmp

    Filesize

    4KB

  • memory/744-113-0x0000000004863000-0x0000000004864000-memory.dmp

    Filesize

    4KB

  • memory/744-109-0x00000000004B0000-0x00000000004CD000-memory.dmp

    Filesize

    116KB

  • memory/856-75-0x0000000000000000-mapping.dmp

  • memory/920-83-0x0000000000000000-mapping.dmp

  • memory/952-106-0x0000000000000000-mapping.dmp

  • memory/1028-104-0x0000000000000000-mapping.dmp

  • memory/1088-85-0x0000000000000000-mapping.dmp

  • memory/1256-67-0x0000000000000000-mapping.dmp

  • memory/1288-79-0x0000000000000000-mapping.dmp

  • memory/1308-102-0x0000000000000000-mapping.dmp

  • memory/1604-99-0x0000000000000000-mapping.dmp

  • memory/1696-92-0x0000000000000000-mapping.dmp

  • memory/1768-78-0x0000000000000000-mapping.dmp

  • memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

    Filesize

    8KB

  • memory/1928-65-0x0000000000000000-mapping.dmp

  • memory/2032-61-0x0000000000000000-mapping.dmp