Analysis

  • max time kernel
    30s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-08-2021 12:52

General

  • Target

    file3.exe

  • Size

    743KB

  • MD5

    4d4bc0c39fc901c1a86ef43fc3bf189a

  • SHA1

    4736a94c30917e695ebf58f674632575e383d571

  • SHA256

    1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

  • SHA512

    62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Malware Config

Extracted

Family

redline

Botnet

RUZ

C2

sandedean.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes so the file or directory no longer shows in Explorer and similar listings (in this run: attrib +s +h on C:\NSpack\updIns).

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an infostealer such as RedLine it is equally consistent with enumerating drives to locate files to harvest, so read it together with the other signatures rather than on its own.

  • Delays execution with timeout.exe 5 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file3.exe
    "C:\Users\Admin\AppData\Local\Temp\file3.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • Delays execution with timeout.exe
          PID:3916
        • C:\NSpack\updIns\Sgsmmodul.com
          "Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
          4⤵
          • Executes dropped EXE
          PID:1540
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:3328
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1728
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\NSpack\updIns"
              6⤵
              • Views/modifies file attributes
              PID:3868
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:1828
            • C:\NSpack\updIns\mmscx.exe
              mmscx.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1796
              • C:\NSpack\updIns\mmscx.exe
                mmscx.exe /start
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2572
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Sgsmmodul.com
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2404
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Sgsmmodul.com
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:344
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\NSpack\updIns"
              6⤵
              • Views/modifies file attributes
              PID:2228
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:3516
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:3696
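
The process tree above is a compact dropper chain: a VBS launched by WScript.exe runs a batch file from C:\NSpack\updIns, a renamed archive tool (Sgsmmodul.com) extracts a password-protected mit.rar with the password passed on the command line, the staging directory is hidden with attrib +s +h, mmscx.exe spawns a second copy of itself (the SetThreadContext and WriteProcessMemory tags on the parent are consistent with the child being hollowed, and the payload dumps are taken from that child, PID 2572), the archiver is killed with taskkill, and the directory is unhidden again. The Python below is an added example, not part of the sandbox report or of any vendor's detection content: it replays that tree as constructed process-creation records (image, command line, parent index, copied from the Processes section) and applies the parent/child and command-line checks an analyst would write for this chain. The record layout and the rule names are assumptions.

```python
"""Replay the dropper chain from this report and flag its tell-tale steps.

Added example; the records below are constructed from the Processes section
of the report (image, command line, index of the parent record).  Indexes are
used instead of PIDs because the report shows PID 2404 reused by WScript.exe
and, later, by a taskkill.exe.
"""
import ntpath
import re

TREE = [
    (r"C:\Users\Admin\AppData\Local\Temp\file3.exe", r'"C:\Users\Admin\AppData\Local\Temp\file3.exe"', None),
    (r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd', 0),
    (r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "', 1),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 7", 2),
    (r"C:\NSpack\updIns\Sgsmmodul.com", r'"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar', 2),
    (r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"', 2),
    (r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "', 5),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\NSpack\updIns"', 6),
    (r"C:\NSpack\updIns\mmscx.exe", "mmscx.exe /start", 6),
    (r"C:\NSpack\updIns\mmscx.exe", "mmscx.exe /start", 8),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im Sgsmmodul.com", 6),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib -s -h "C:\NSpack\updIns"', 6),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
# Legitimate command-line archiver names; anything else running "e -p<pw> x.rar" is a renamed copy.
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "unrar.exe", "winrar.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def trusted_dir(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def detect(tree):
    """Return a list of (rule_name, detail) for the suspicious steps in the tree."""
    findings = []
    hidden = {}      # directories hidden with attrib +s +h, keyed lower-case
    staged = set()   # basenames of images executed from outside trusted roots
    for image, cmdline, parent in tree:
        name = basename(image)
        pimage, pcmd = (tree[parent][0], tree[parent][1]) if parent is not None else ("", "")
        if not trusted_dir(image):
            staged.add(name)

        # 1. Script host -> cmd.exe running a .bat/.cmd that lives outside Windows/Program Files.
        if name == "cmd.exe" and basename(pimage) in SCRIPT_HOSTS:
            m = re.search(r'"([^"]+\.(?:bat|cmd))"', cmdline, re.I)
            if m and not trusted_dir(m.group(1)):
                findings.append(("script_host_runs_batch", m.group(1)))

        # 2. attrib +s +h on a directory followed later by attrib -s -h on the same directory.
        if name == "attrib.exe":
            m = re.search(r'attrib\s+([+-]s\s+[+-]h)\s+"([^"]+)"', cmdline, re.I)
            if m:
                flags, target = m.group(1).lower(), m.group(2)
                if flags == "+s +h":
                    hidden[target.lower()] = target
                elif flags == "-s -h" and target.lower() in hidden:
                    findings.append(("hidden_dir_toggle", target))

        # 3. Child with the same image and command line as its parent: the hollowing pattern
        #    behind the SetThreadContext / WriteProcessMemory tags on mmscx.exe.
        if parent is not None and image.lower() == pimage.lower() and cmdline == pcmd:
            findings.append(("self_spawn_same_cmdline", image))

        # 4. taskkill /f /im against a binary that was itself dropped and executed in this chain.
        if name == "taskkill.exe":
            m = re.search(r"/im\s+(\S+)", cmdline, re.I)
            if m and m.group(1).lower() in staged:
                findings.append(("taskkill_dropped_tool", m.group(1)))

        # 5. Password-protected archive extraction by a tool that is not a known archiver name;
        #    the password sits in the command line, so recover it for the analyst.
        m = re.search(r"\s(?:e|x)\s+-p(\S+)\s+(\S+\.(?:rar|7z|zip))", cmdline, re.I)
        if m and name not in ARCHIVERS:
            findings.append(("renamed_archiver_extract",
                             {"tool": name, "archive": m.group(2), "password": m.group(1)}))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(TREE):
        print(f"{rule:28} {detail}")
```

Check 3 is the one worth porting to live telemetry first: a process creating a child with identical image and command line, where the parent also has a CreateRemoteThread or SetThreadContext event, is a strong hollowing signal independent of the file names this campaign happens to use, whereas the batch and attrib checks are easy for the operator to vary.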

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\NSpack\updIns\44t.bat

    MD5

    96c69dbc1233bfa7c5e883658e0758d4

    SHA1

    613179fa74db9e71516bdb3a93341e9d90c4ecba

    SHA256

    deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde

    SHA512

    43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

  • C:\NSpack\updIns\Sgsmmodul.com

    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • C:\NSpack\updIns\dc.isi

    MD5

    fbd467e1613c53b03376e987f3dbf2da

    SHA1

    e2ca3ff625122f49e8a382dee32d0ca2f98648bf

    SHA256

    cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68

    SHA512

    e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

  • C:\NSpack\updIns\gg4359.bat

    MD5

    b4be21a8f4bb91b11ccaf08b39b679d5

    SHA1

    b3da567bb1072168b54866ee29301bde61bdc45e

    SHA256

    35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d

    SHA512

    a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

  • C:\NSpack\updIns\mmscx.exe

    MD5

    3e79f72a8ae481ac76a69ccf1213d24d

    SHA1

    de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

    SHA256

    1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

    SHA512

    2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

  • C:\NSpack\updIns\sevenup.vbs

    MD5

    6a551928353982ab64107a4929c91c91

    SHA1

    b68ee5e77a722638f184d0fbf6a4834bb8cc188e

    SHA256

    0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3

    SHA512

    870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

  • C:\NSpack\updIns\tetracom.vbs

    MD5

    bdc0fb5cada9a89f074961224aaf4e63

    SHA1

    9284fe4ecc0fde705fc596dd89191c02915fd7a4

    SHA256

    b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db

    SHA512

    83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

  • memory/344-138-0x0000000000000000-mapping.dmp

  • memory/1540-120-0x0000000000000000-mapping.dmp

  • memory/1608-124-0x0000000000000000-mapping.dmp

  • memory/1728-127-0x0000000000000000-mapping.dmp

  • memory/1796-130-0x0000000000000000-mapping.dmp

  • memory/1828-129-0x0000000000000000-mapping.dmp

  • memory/2228-140-0x0000000000000000-mapping.dmp

  • memory/2404-136-0x0000000000000000-mapping.dmp

  • memory/2404-114-0x0000000000000000-mapping.dmp

  • memory/2572-147-0x0000000005570000-0x0000000005571000-memory.dmp

    Filesize

    4KB

  • memory/2572-152-0x0000000005700000-0x0000000005701000-memory.dmp

    Filesize

    4KB

  • memory/2572-133-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2572-159-0x0000000007170000-0x0000000007171000-memory.dmp

    Filesize

    4KB

  • memory/2572-137-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2572-158-0x00000000071A0000-0x00000000071A1000-memory.dmp

    Filesize

    4KB

  • memory/2572-139-0x00000000020C0000-0x00000000020DD000-memory.dmp

    Filesize

    116KB

  • memory/2572-157-0x0000000007050000-0x0000000007051000-memory.dmp

    Filesize

    4KB

  • memory/2572-141-0x0000000004980000-0x0000000004981000-memory.dmp

    Filesize

    4KB

  • memory/2572-156-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

    Filesize

    4KB

  • memory/2572-143-0x0000000004910000-0x000000000492B000-memory.dmp

    Filesize

    108KB

  • memory/2572-144-0x0000000004E80000-0x0000000004E81000-memory.dmp

    Filesize

    4KB

  • memory/2572-145-0x00000000054F0000-0x00000000054F1000-memory.dmp

    Filesize

    4KB

  • memory/2572-146-0x0000000005510000-0x0000000005511000-memory.dmp

    Filesize

    4KB

  • memory/2572-155-0x00000000064B0000-0x00000000064B1000-memory.dmp

    Filesize

    4KB

  • memory/2572-148-0x0000000004970000-0x0000000004971000-memory.dmp

    Filesize

    4KB

  • memory/2572-149-0x0000000004972000-0x0000000004973000-memory.dmp

    Filesize

    4KB

  • memory/2572-150-0x0000000004973000-0x0000000004974000-memory.dmp

    Filesize

    4KB

  • memory/2572-151-0x0000000004974000-0x0000000004976000-memory.dmp

    Filesize

    8KB

  • memory/2572-134-0x000000000040CD2F-mapping.dmp

  • memory/2572-154-0x00000000062E0000-0x00000000062E1000-memory.dmp

    Filesize

    4KB

  • memory/2752-117-0x0000000000000000-mapping.dmp

  • memory/3328-122-0x0000000000000000-mapping.dmp

  • memory/3516-142-0x0000000000000000-mapping.dmp

  • memory/3696-125-0x0000000000000000-mapping.dmp

  • memory/3868-128-0x0000000000000000-mapping.dmp

  • memory/3916-118-0x0000000000000000-mapping.dmp