Analysis
Max time kernel: 65s
Max time network: 152s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 26-09-2021 12:05
Static task: static1
Behavioral task: behavioral1
Sample: usfive_20210926-140047.exe
Resource: win7v20210408
General
Target: usfive_20210926-140047.exe
Size: 1.1MB
MD5: ee5b41fbd6ee965394116e2e1d5aa5a8
SHA1: 70a648ca5622fbc16a96188671c6ba001c49fbf2
SHA256: d10544139ffbcd7ffc09da204db4afcb11d5895e6a6716dbb769dd935adaa700
SHA512: 164b6676cc2e4c68fff428450bc9481d2c3698ef3f644f47c5901ca46c46d006c70b4a3496b57eadbf888dbb808ec5598cdfffed30386f6e4f946696886ecdad

Malware Config
Extracted
Family: redline
Botnet: qwe454
C2: 45.140.146.240:42628
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
Resource: behavioral2/memory/2508-129-0x0000000000390000-0x00000000003B2000-memory.dmp
YARA rule: family_redline

Executes dropped EXE (3 IoCs)
PID   Process
1336  Vai.exe.com
1708  Vai.exe.com
2508  RegAsm.exe

Loads dropped DLL (1 IoC)
PID   Process
644   usfive_20210926-140047.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
PID 1708 (Vai.exe.com) set thread context of PID 2508 (RegAsm.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID   Process
2508  RegAsm.exe
2508  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 2508 (RegAsm.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (23 IoCs)
Source PID  Source process              Target PID  Target process
644         usfive_20210926-140047.exe  912         cmd.exe
644         usfive_20210926-140047.exe  912         cmd.exe
644         usfive_20210926-140047.exe  912         cmd.exe
912         cmd.exe                     1072        cmd.exe
912         cmd.exe                     1072        cmd.exe
912         cmd.exe                     1072        cmd.exe
1072        cmd.exe                     1168        findstr.exe
1072        cmd.exe                     1168        findstr.exe
1072        cmd.exe                     1168        findstr.exe
1072        cmd.exe                     1336        Vai.exe.com
1072        cmd.exe                     1336        Vai.exe.com
1072        cmd.exe                     1336        Vai.exe.com
1072        cmd.exe                     1548        PING.EXE
1072        cmd.exe                     1548        PING.EXE
1072        cmd.exe                     1548        PING.EXE
1336        Vai.exe.com                 1708        Vai.exe.com
1336        Vai.exe.com                 1708        Vai.exe.com
1336        Vai.exe.com                 1708        Vai.exe.com
1708        Vai.exe.com                 2508        RegAsm.exe
1708        Vai.exe.com                 2508        RegAsm.exe
1708        Vai.exe.com                 2508        RegAsm.exe
1708        Vai.exe.com                 2508        RegAsm.exe
1708        Vai.exe.com                 2508        RegAsm.exe
Processes

C:\Users\Admin\AppData\Local\Temp\usfive_20210926-140047.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\usfive_20210926-140047.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c cmd < Che.xlsm
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^AYnrWJykZnSQXrhxrJBDTgJUDeotbFpKxNHOFSXpSFcFooRJfQOCRSbjfEmUBwOzgivpvnOkLaKhSrLclnOGRHTBdcmwarIRResqLH$" Sue.xlsm

      C:\Users\Admin\AppData\Roaming\Vai.exe.com
        Command line: Vai.exe.com X
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Vai.exe.com
          Command line: C:\Users\Admin\AppData\Roaming\Vai.exe.com X
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\RegAsm.exe
            Command line: C:\Users\Admin\AppData\Roaming\RegAsm.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads