Analysis
max time kernel: 151s
max time network: 155s
platform: windows10_x64
resource: win10v20210408
submitted: 22-08-2021 13:51
Static task: static1
Behavioral task: behavioral1
Sample: a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
Resource: win10v20210408
General
Target: a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
Size: 11KB
MD5: 038bd2ee88ff4c4990fc6328229b7702
SHA1: 7c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256: a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA512: 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
Malware Config
Extracted
Family: redline
Botnet: Ayrelia1_installs
C2: 77.83.175.169:11490
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/580-120-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/580-121-0x000000000041A92A-mapping.dmp | family_redline
behavioral1/memory/580-129-0x0000000004E30000-0x0000000005436000-memory.dmp | family_redline
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Downloads MZ/PE file

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 4796 set thread context of 580 | 4796 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 4796 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 4796 wrote to memory of 580 | 4796 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
(the same entry is recorded 8 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. (child process) C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe"
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe.log
MD5: f4bb5bd0b2282cf9cada18a90a50971a
SHA1: c3954cfd8c8341a571eb49feb3ebf36f8ce46e43
SHA256: cc64510ae8390b72dcdcbafb854e064821bfcebc4d8fa5bac960331fe915485d
SHA512: 396f5370479d685cc115612d5a42bccffe3d48f991d17c848aa758af64c177b3e30eaaa1d335422c8773a789fdc1236ee47835fa3b5235632c0e668dd31543a4
Memory dumps (resource | filesize)
memory/580-129-0x0000000004E30000-0x0000000005436000-memory.dmp | 6.0MB
memory/580-128-0x0000000004F30000-0x0000000004F31000-memory.dmp | 4KB
memory/580-133-0x000000007EF10000-0x000000007EF11000-memory.dmp | 4KB
memory/580-132-0x00000000052D0000-0x00000000052D1000-memory.dmp | 4KB
memory/580-126-0x0000000004ED0000-0x0000000004ED1000-memory.dmp | 4KB
memory/580-121-0x000000000041A92A-mapping.dmp | (no size recorded)
memory/580-131-0x0000000005170000-0x0000000005171000-memory.dmp | 4KB
memory/580-130-0x0000000004F90000-0x0000000004F91000-memory.dmp | 4KB
memory/580-120-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/580-127-0x0000000005000000-0x0000000005001000-memory.dmp | 4KB
memory/580-125-0x0000000005440000-0x0000000005441000-memory.dmp | 4KB
memory/4796-114-0x0000000000F10000-0x0000000000F11000-memory.dmp | 4KB
memory/4796-116-0x0000000005D90000-0x0000000005D91000-memory.dmp | 4KB
memory/4796-117-0x00000000056C0000-0x00000000056C1000-memory.dmp | 4KB
memory/4796-119-0x0000000006800000-0x0000000006801000-memory.dmp | 4KB
memory/4796-118-0x0000000006710000-0x000000000675E000-memory.dmp | 312KB