Overview
overview
10Static
static
7Bird.exe
windows7_x64
10Bird.exe
windows10_x64
10Crystal.exe
windows7_x64
10Crystal.exe
windows10_x64
10Install.exe
windows7_x64
10Install.exe
windows10_x64
10Minecraft_v4.4.exe
windows7_x64
10Minecraft_v4.4.exe
windows10_x64
10NewHacks.exe
windows7_x64
10NewHacks.exe
windows10_x64
10Setup.exe
windows7_x64
10Setup.exe
windows10_x64
10Software p....5.exe
windows7_x64
10Software p....5.exe
windows10_x64
10file3.exe
windows7_x64
10file3.exe
windows10_x64
10forcenitro2.4.1.exe
windows7_x64
7forcenitro2.4.1.exe
windows10_x64
7nitro_gen.exe
windows7_x64
8nitro_gen.exe
windows10_x64
8Analysis
-
max time kernel
30s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-08-2021 12:52
Static task
static1
Behavioral task
behavioral1
Sample
Bird.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Bird.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Crystal.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Crystal.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
Minecraft_v4.4.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
Minecraft_v4.4.exe
Resource
win10v20210408
Behavioral task
behavioral9
Sample
NewHacks.exe
Resource
win7v20210410
Behavioral task
behavioral10
Sample
NewHacks.exe
Resource
win10v20210408
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win7v20210410
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
Software patch v2.0.5.exe
Resource
win7v20210408
Behavioral task
behavioral14
Sample
Software patch v2.0.5.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
file3.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
file3.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
forcenitro2.4.1.exe
Resource
win7v20210408
Behavioral task
behavioral18
Sample
forcenitro2.4.1.exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
nitro_gen.exe
Resource
win7v20210408
Behavioral task
behavioral20
Sample
nitro_gen.exe
Resource
win10v20210410
General
-
Target
file3.exe
-
Size
743KB
-
MD5
4d4bc0c39fc901c1a86ef43fc3bf189a
-
SHA1
4736a94c30917e695ebf58f674632575e383d571
-
SHA256
1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
-
SHA512
62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6
Malware Config
Extracted
redline
RUZ
sandedean.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral16/memory/2572-139-0x00000000020C0000-0x00000000020DD000-memory.dmp family_redline behavioral16/memory/2572-143-0x0000000004910000-0x000000000492B000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
Processes:
Sgsmmodul.commmscx.exemmscx.exepid process 1540 Sgsmmodul.com 1796 mmscx.exe 2572 mmscx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
mmscx.exedescription pid process target process PID 1796 set thread context of 2572 1796 mmscx.exe mmscx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 5 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 1828 timeout.exe 3516 timeout.exe 3916 timeout.exe 3328 timeout.exe 3696 timeout.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 2404 taskkill.exe 344 taskkill.exe -
Modifies registry class 2 IoCs
Processes:
file3.execmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings file3.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
mmscx.exepid process 2572 mmscx.exe 2572 mmscx.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskkill.exetaskkill.exemmscx.exedescription pid process Token: SeDebugPrivilege 2404 taskkill.exe Token: SeDebugPrivilege 344 taskkill.exe Token: SeDebugPrivilege 2572 mmscx.exe -
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
file3.exeWScript.execmd.exeWScript.execmd.exemmscx.exedescription pid process target process PID 3856 wrote to memory of 2404 3856 file3.exe WScript.exe PID 3856 wrote to memory of 2404 3856 file3.exe WScript.exe PID 3856 wrote to memory of 2404 3856 file3.exe WScript.exe PID 2404 wrote to memory of 2752 2404 WScript.exe cmd.exe PID 2404 wrote to memory of 2752 2404 WScript.exe cmd.exe PID 2404 wrote to memory of 2752 2404 WScript.exe cmd.exe PID 2752 wrote to memory of 3916 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 3916 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 3916 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 1540 2752 cmd.exe Sgsmmodul.com PID 2752 wrote to memory of 1540 2752 cmd.exe Sgsmmodul.com PID 2752 wrote to memory of 1540 2752 cmd.exe Sgsmmodul.com PID 2752 wrote to memory of 3328 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 3328 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 3328 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 1608 2752 cmd.exe WScript.exe PID 2752 wrote to memory of 1608 2752 cmd.exe WScript.exe PID 2752 wrote to memory of 1608 2752 cmd.exe WScript.exe PID 2752 wrote to memory of 3696 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 3696 2752 cmd.exe timeout.exe PID 2752 wrote to memory of 3696 2752 cmd.exe timeout.exe PID 1608 wrote to memory of 1728 1608 WScript.exe cmd.exe PID 1608 wrote to memory of 1728 1608 WScript.exe cmd.exe PID 1608 wrote to memory of 1728 1608 WScript.exe cmd.exe PID 1728 wrote to memory of 3868 1728 cmd.exe attrib.exe PID 1728 wrote to memory of 3868 1728 cmd.exe attrib.exe PID 1728 wrote to memory of 3868 1728 cmd.exe attrib.exe PID 1728 wrote to memory of 1828 1728 cmd.exe timeout.exe PID 1728 wrote to memory of 1828 1728 cmd.exe timeout.exe PID 1728 wrote to memory of 1828 1728 cmd.exe timeout.exe PID 1728 wrote to memory of 1796 1728 cmd.exe mmscx.exe PID 1728 wrote to memory of 1796 1728 cmd.exe mmscx.exe PID 1728 wrote to memory of 1796 1728 cmd.exe mmscx.exe PID 1796 wrote to memory of 2572 1796 mmscx.exe mmscx.exe PID 1796 wrote to memory of 2572 1796 mmscx.exe mmscx.exe PID 1796 wrote to memory of 2572 1796 mmscx.exe mmscx.exe PID 1796 wrote to memory of 2572 1796 mmscx.exe mmscx.exe PID 1796 wrote to memory of 2572 1796 mmscx.exe mmscx.exe PID 1728 wrote to memory of 2404 1728 cmd.exe taskkill.exe PID 1728 wrote to memory of 2404 1728 cmd.exe taskkill.exe PID 1728 wrote to memory of 2404 1728 cmd.exe taskkill.exe PID 1728 wrote to memory of 344 1728 cmd.exe taskkill.exe PID 1728 wrote to memory of 344 1728 cmd.exe taskkill.exe PID 1728 wrote to memory of 344 1728 cmd.exe taskkill.exe PID 1728 wrote to memory of 2228 1728 cmd.exe attrib.exe PID 1728 wrote to memory of 2228 1728 cmd.exe attrib.exe PID 1728 wrote to memory of 2228 1728 cmd.exe attrib.exe PID 1728 wrote to memory of 3516 1728 cmd.exe timeout.exe PID 1728 wrote to memory of 3516 1728 cmd.exe timeout.exe PID 1728 wrote to memory of 3516 1728 cmd.exe timeout.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 3868 attrib.exe 2228 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file3.exe"C:\Users\Admin\AppData\Local\Temp\file3.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\timeout.exetimeout 74⤵
- Delays execution with timeout.exe
PID:3916 -
C:\NSpack\updIns\Sgsmmodul.com"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar4⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\timeout.exetimeout 64⤵
- Delays execution with timeout.exe
PID:3328 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\NSpack\updIns"6⤵
- Views/modifies file attributes
PID:3868 -
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
PID:1828 -
C:\NSpack\updIns\mmscx.exemmscx.exe /start6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\NSpack\updIns\mmscx.exemmscx.exe /start7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sgsmmodul.com6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Sgsmmodul.com6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:344 -
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\NSpack\updIns"6⤵
- Views/modifies file attributes
PID:2228 -
C:\Windows\SysWOW64\timeout.exetimeout 46⤵
- Delays execution with timeout.exe
PID:3516 -
C:\Windows\SysWOW64\timeout.exetimeout 84⤵
- Delays execution with timeout.exe
PID:3696
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
96c69dbc1233bfa7c5e883658e0758d4
SHA1613179fa74db9e71516bdb3a93341e9d90c4ecba
SHA256deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde
SHA51243d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3
-
MD5
061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
MD5
061f64173293969577916832be29b90d
SHA1b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA25634dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA51266e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
MD5
fbd467e1613c53b03376e987f3dbf2da
SHA1e2ca3ff625122f49e8a382dee32d0ca2f98648bf
SHA256cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68
SHA512e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05
-
MD5
b4be21a8f4bb91b11ccaf08b39b679d5
SHA1b3da567bb1072168b54866ee29301bde61bdc45e
SHA25635e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d
SHA512a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
3e79f72a8ae481ac76a69ccf1213d24d
SHA1de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA2561776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA5122271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90
-
MD5
6a551928353982ab64107a4929c91c91
SHA1b68ee5e77a722638f184d0fbf6a4834bb8cc188e
SHA2560281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3
SHA512870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d
-
MD5
bdc0fb5cada9a89f074961224aaf4e63
SHA19284fe4ecc0fde705fc596dd89191c02915fd7a4
SHA256b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db
SHA51283cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28