Analysis
- max time kernel: 75s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 07:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
- Resource: win7v20210408
General
- Target: 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
- Size: 739KB
- MD5: 9b5c35af1cfbbd60500b69f830b51032
- SHA1: a1053b4031ac666f846d056a08360e174b463344
- SHA256: 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96
- SHA512: f9ca0dd8a1c95a7e7593f3733d6db6969c362c5ccf351ad423bac38e2ca4adb016618f87f3da76a17549f981e1eb5f53d3e6b0308a6354457749bf1b2e16fa72
Malware Config
Extracted
- Family: redline
- Botnet: adsGOOGLE
- C2: 95.217.152.142:43710
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/3956-121-0x0000000000400000-0x000000000044A000-memory.dmp | family_redline
    behavioral2/memory/3956-122-0x000000000041C8BE-mapping.dmp | family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 2248 set thread context of 3956 | 2248 | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
- Program crash (1 IoCs)
  Processes:
    pid | pid_target | process | target process
    3300 | 2248 | WerFault.exe | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes:
    pid | process
    3300 | WerFault.exe (15 entries)
    3956 | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2248 | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
    Token: SeRestorePrivilege | 3300 | WerFault.exe
    Token: SeBackupPrivilege | 3300 | WerFault.exe
    Token: SeDebugPrivilege | 3300 | WerFault.exe
    Token: SeDebugPrivilege | 3956 | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 2248 wrote to memory of 3956 | 2248 | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe | 671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\671faba0eb9abca8a2548f6a522ce2949b655ad273dbe8cc8db61378f088bc96.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 924
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2248-123-0x0000000004C40000-0x0000000004C43000-memory.dmp (Filesize: 12KB)
- memory/2248-116-0x0000000005160000-0x0000000005161000-memory.dmp (Filesize: 4KB)
- memory/2248-117-0x0000000004B90000-0x0000000004B91000-memory.dmp (Filesize: 4KB)
- memory/2248-118-0x0000000004D70000-0x0000000004D71000-memory.dmp (Filesize: 4KB)
- memory/2248-119-0x0000000004AF0000-0x0000000004B82000-memory.dmp (Filesize: 584KB)
- memory/2248-120-0x0000000004B20000-0x0000000004B46000-memory.dmp (Filesize: 152KB)
- memory/2248-115-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)
- memory/3956-127-0x0000000006160000-0x0000000006161000-memory.dmp (Filesize: 4KB)
- memory/3956-132-0x0000000005150000-0x000000000564E000-memory.dmp (Filesize: 4MB)
- memory/3956-124-0x0000000000400000-0x0000000000401000-memory.dmp (Filesize: 4KB)
- memory/3956-121-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/3956-129-0x0000000005310000-0x0000000005311000-memory.dmp (Filesize: 4KB)
- memory/3956-130-0x0000000005EE0000-0x0000000005EE1000-memory.dmp (Filesize: 4KB)
- memory/3956-131-0x0000000005580000-0x0000000005581000-memory.dmp (Filesize: 4KB)
- memory/3956-122-0x000000000041C8BE-mapping.dmp
- memory/3956-133-0x00000000055F0000-0x00000000055F1000-memory.dmp (Filesize: 4KB)
- memory/3956-134-0x00000000085F0000-0x00000000085F1000-memory.dmp (Filesize: 4KB)
- memory/3956-135-0x0000000008CF0000-0x0000000008CF1000-memory.dmp (Filesize: 4KB)
- memory/3956-136-0x0000000008560000-0x0000000008561000-memory.dmp (Filesize: 4KB)
- memory/3956-137-0x0000000008940000-0x0000000008941000-memory.dmp (Filesize: 4KB)
- memory/3956-138-0x0000000008C50000-0x0000000008C51000-memory.dmp (Filesize: 4KB)
- memory/3956-139-0x00000000050A0000-0x00000000050A1000-memory.dmp (Filesize: 4KB)