Resubmissions
03/09/2021, 12:16
210903-pfn3ysdac4 1003/09/2021, 04:55
210903-fj6mqsfbfk 1002/09/2021, 19:23
210902-x37sksbef5 1002/09/2021, 15:02
210902-senycadeck 1002/09/2021, 11:29
210902-4b2x2c3ahj 1002/09/2021, 05:46
210902-lng5vcn31n 1002/09/2021, 04:57
210902-gp7zs88ann 1001/09/2021, 17:32
210901-sgcvvtysvs 1031/08/2021, 12:57
210831-1v8aywj16x 1031/08/2021, 07:34
210831-n7h9w45r3x 10Analysis
-
max time kernel
197s -
max time network
616s -
platform
windows7_x64 -
resource
win7-jp -
submitted
02/09/2021, 05:46
General
-
Target
Setup.exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
C2
193.56.146.60:16367
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 22 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 32 IoCs
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\twpGV5l7AeEoxYVzHcgkAz3I.exe"C:\Users\Admin\Documents\twpGV5l7AeEoxYVzHcgkAz3I.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\8c_lxHTPRVOn3newvAwpmLCm.exe"C:\Users\Admin\Documents\8c_lxHTPRVOn3newvAwpmLCm.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\r9LUux7eI4Btzvt5cKE8icJS.exe"C:\Users\Admin\Documents\r9LUux7eI4Btzvt5cKE8icJS.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\NSjiVNdIFmtuukfDSenGdz9K.exe"C:\Users\Admin\Documents\NSjiVNdIFmtuukfDSenGdz9K.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\nwSkdO9RUcFryWKX6cAlajm6.exe"C:\Users\Admin\Documents\nwSkdO9RUcFryWKX6cAlajm6.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\4Q0dbFa3NFMNsF3Yl5HJcQyd.exe"C:\Users\Admin\Documents\4Q0dbFa3NFMNsF3Yl5HJcQyd.exe"2⤵
-
-
C:\Users\Admin\Documents\kWrJO_fer5v8QUWNvdiwLuis.exe"C:\Users\Admin\Documents\kWrJO_fer5v8QUWNvdiwLuis.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "kWrJO_fer5v8QUWNvdiwLuis.exe" /f & erase "C:\Users\Admin\Documents\kWrJO_fer5v8QUWNvdiwLuis.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "kWrJO_fer5v8QUWNvdiwLuis.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\bi1JkZBqV93aPNwtaL4XGU1m.exe"C:\Users\Admin\Documents\bi1JkZBqV93aPNwtaL4XGU1m.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\hPuaj6lo2FvcEHGsoE3U9wM4.exe"C:\Users\Admin\Documents\hPuaj6lo2FvcEHGsoE3U9wM4.exe"2⤵
- Executes dropped EXE
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.0.1946924447\1001551879" -parentBuildID 20200403170909 -prefsHandle 1148 -prefMapHandle 1140 -prefsLen 1 -prefMapSize 218671 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 1212 gpu5⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=93.0.4577.63 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fee826a380,0x7fee826a390,0x7fee826a3a04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1324 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\hPuaj6lo2FvcEHGsoE3U9wM4.exe"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 13244⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1324 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\hPuaj6lo2FvcEHGsoE3U9wM4.exe"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 13244⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\iT3BCkGR6xecZ4hPoCQXdJbL.exe"C:\Users\Admin\Documents\iT3BCkGR6xecZ4hPoCQXdJbL.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9953380471.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\9953380471.exe"C:\Users\Admin\AppData\Local\Temp\9953380471.exe"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "iT3BCkGR6xecZ4hPoCQXdJbL.exe" /f & erase "C:\Users\Admin\Documents\iT3BCkGR6xecZ4hPoCQXdJbL.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "iT3BCkGR6xecZ4hPoCQXdJbL.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\QOE12Fgh7JKe9ieLhKDSa8Ne.exe"C:\Users\Admin\Documents\QOE12Fgh7JKe9ieLhKDSa8Ne.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "QOE12Fgh7JKe9ieLhKDSa8Ne.exe" /f & erase "C:\Users\Admin\Documents\QOE12Fgh7JKe9ieLhKDSa8Ne.exe" & exit3⤵
-
-
-
C:\Users\Admin\Documents\d88FCYt8jsbT5USFmEcqgfJL.exe"C:\Users\Admin\Documents\d88FCYt8jsbT5USFmEcqgfJL.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\YJNYjt4VSQScqdDgLPC1Riip.exe"C:\Users\Admin\Documents\YJNYjt4VSQScqdDgLPC1Riip.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ( "wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\YJNYjt4VSQScqdDgLPC1Riip.exe"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF """" == """" for %N In ( ""C:\Users\Admin\Documents\YJNYjt4VSQScqdDgLPC1Riip.exe"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\YJNYjt4VSQScqdDgLPC1Riip.exe" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "" == "" for %N In ( "C:\Users\Admin\Documents\YJNYjt4VSQScqdDgLPC1Riip.exe" ) do taskkill -F /Im "%~nXN"4⤵
-
C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exEKRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ( "wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF ""-pA1IQsAATOS0kxrmeOcrgfdjncUG "" == """" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "-pA1IQsAATOS0kxrmeOcrgfdjncUG " == "" for %N In ( "C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" ) do taskkill -F /Im "%~nXN"7⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F /Im "YJNYjt4VSQScqdDgLPC1Riip.exe"5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\6N7ugqzPJ_JnQE0jdRXd0_io.exe"C:\Users\Admin\Documents\6N7ugqzPJ_JnQE0jdRXd0_io.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\6N7ugqzPJ_JnQE0jdRXd0_io.exe"C:\Users\Admin\Documents\6N7ugqzPJ_JnQE0jdRXd0_io.exe" -u3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\o6TGr_8lWfLLrETUnumB0qvs.exe"C:\Users\Admin\Documents\o6TGr_8lWfLLrETUnumB0qvs.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 8803⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\P0n8J9Y4aMTBOfal0uEGJ7D2.exe"C:\Users\Admin\Documents\P0n8J9Y4aMTBOfal0uEGJ7D2.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7906583.exe"C:\Users\Admin\AppData\Roaming\7906583.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2436 -s 17324⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\5820732.exe"C:\Users\Admin\AppData\Roaming\5820732.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\3987212.exe"C:\Users\Admin\AppData\Roaming\3987212.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\8618814.exe"C:\Users\Admin\AppData\Roaming\8618814.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 16924⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\ZQhpdOkfAqba84FZOEerpM3U.exe"C:\Users\Admin\Documents\ZQhpdOkfAqba84FZOEerpM3U.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\3MxL3OcnRJGs8_kRFeyVFrnH.exe"C:\Users\Admin\Documents\3MxL3OcnRJGs8_kRFeyVFrnH.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-I70L4.tmp\3MxL3OcnRJGs8_kRFeyVFrnH.tmp"C:\Users\Admin\AppData\Local\Temp\is-I70L4.tmp\3MxL3OcnRJGs8_kRFeyVFrnH.tmp" /SL5="$101CE,138429,56832,C:\Users\Admin\Documents\3MxL3OcnRJGs8_kRFeyVFrnH.exe"3⤵
-
-
-
C:\Users\Admin\Documents\TKylJ_OPbbo8EP6gZDHLeLoi.exe"C:\Users\Admin\Documents\TKylJ_OPbbo8EP6gZDHLeLoi.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
116KB
-
Filesize
572KB
-
Filesize
828KB
-
Filesize
820KB
-
Filesize
44KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
244KB
-
Filesize
4KB
-
Filesize
4KB