Analysis
- Max time kernel: 138s
- Max time network: 152s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 25-08-2021 23:03
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0d52fa8c79bf1d4da433a9b179dce597.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: 0d52fa8c79bf1d4da433a9b179dce597.exe
  Resource: win10v20210410
General
- Target: 0d52fa8c79bf1d4da433a9b179dce597.exe
- Size: 602KB
- MD5: 0d52fa8c79bf1d4da433a9b179dce597
- SHA1: ef030808356b4d042982c357ef9d67560cbc9b6b
- SHA256: c786f20d3e96a3c55f01d4c6b63b08f8b45bb4799303a15eaf0086e4d2ae87e6
- SHA512: 12872958a86345c48095d5c4ddfe9bd453c08cd6b8fd9b415ee2612e63faeea0bc574d02af66ff36209abe6621508916afdd7fd2b9a2d604482ccb624e1926c1
Malware Config
- Extracted family: redline
- Botnet: 2021
- C2: 82.202.161.192:10683
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Resources matched by YARA rule:
  - behavioral2/memory/3912-119-0x0000000000360000-0x0000000000390000-memory.dmp: family_redline
  - behavioral2/memory/3912-124-0x000000000037A6A2-mapping.dmp: family_redline
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  - PID 2464 created 2408 (pid 2464, process WerFault.exe, target process 3jkfaje0grh.exe)
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 2408, process 3jkfaje0grh.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2408 set thread context of 3912 (pid 2408, process 3jkfaje0grh.exe, target process RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  - pid 2464, pid_target 2408, process WerFault.exe, target process 3jkfaje0grh.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes:
  - pid 2464, process WerFault.exe (17 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeRestorePrivilege (pid 2464, process WerFault.exe)
  - Token: SeBackupPrivilege (pid 2464, process WerFault.exe)
  - Token: SeDebugPrivilege (pid 2464, process WerFault.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 3944 wrote to memory of 2408 (pid 3944, process 0d52fa8c79bf1d4da433a9b179dce597.exe, target process 3jkfaje0grh.exe), 3 events
  - PID 2408 wrote to memory of 3912 (pid 2408, process 3jkfaje0grh.exe, target process RegSvcs.exe), 5 events
Processes
Process (depth 1, PID 3944): C:\Users\Admin\AppData\Local\Temp\0d52fa8c79bf1d4da433a9b179dce597.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d52fa8c79bf1d4da433a9b179dce597.exe"
  - Suspicious use of WriteProcessMemory
  Process (depth 2, PID 2408): C:\Users\Admin\AppData\Local\Temp\RarSFX0\3jkfaje0grh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\3jkfaje0grh.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Process (depth 3, PID 3912): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Process (depth 3, PID 2464): C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 232
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\3jkfaje0grh.exe
  MD5: 89e021eb9258919db4e26b246cce6c75
  SHA1: e45ae378883fef76811c47f67730f4b7cd334ca0
  SHA256: d4524dc686e9a0081a93fc4ec357e19ae12a66322b557be18d99db84d2b50648
  SHA512: 545867e48b31d31a9279d95f9e005e1be2c59cd8e324ba02abff99161f062982daac8411362e8903ea5827cd939b5fec8fde944da0c36c89aa4c0ca1dd337839
- memory/2408-116-0x0000000000000000-mapping.dmp
- memory/3912-119-0x0000000000360000-0x0000000000390000-memory.dmp (Filesize: 192KB)
- memory/3912-124-0x000000000037A6A2-mapping.dmp
- memory/3912-125-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize: 4KB)
- memory/3912-127-0x0000000005220000-0x0000000005221000-memory.dmp (Filesize: 4KB)
- memory/3912-128-0x0000000002550000-0x0000000002551000-memory.dmp (Filesize: 4KB)
- memory/3912-129-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize: 4KB)
- memory/3912-130-0x00000000025B0000-0x00000000025B1000-memory.dmp (Filesize: 4KB)
- memory/3912-131-0x00000000025F0000-0x00000000025F1000-memory.dmp (Filesize: 4KB)
- memory/3912-132-0x0000000004C10000-0x0000000005216000-memory.dmp (Filesize: 6.0MB)