Analysis
- max time kernel: 136s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 01-10-2021 01:04
- Static task: static1
- Behavioral task: behavioral1 (Sample: 1110626324.exe, Resource: win7-en-20210920)
- Behavioral task: behavioral2 (Sample: 1110626324.exe, Resource: win10v20210408)
General
- Target: 1110626324.exe
- Size: 1.3MB
- MD5: 1330be0f9459506cfd3d972082f3cb0e
- SHA1: 116815a43e5d9c6ae9dc998e93948e274209711a
- SHA256: c0da5841ddfc29dc9eea7d8d9e42d981385602f21025ec47798d302c3ef50096
- SHA512: 0d865e09ca6ab65f617ad43d7badfbd80db79354e73178555ea2a37d9a51f40db94f7ff3c791b00da8ff84c91397a761d03b06ddac787f162b8edc23eabda1bc
Malware Config
- Extracted family: redline
- Botnet: new1
- C2: 185.180.220.105:11915
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Resource | YARA rule
  behavioral1/memory/340-65-0x0000000000090000-0x00000000000E6000-memory.dmp | family_redline
  behavioral1/memory/340-70-0x00000000000AC5F2-mapping.dmp | family_redline
  behavioral1/memory/340-71-0x0000000000090000-0x00000000000E6000-memory.dmp | family_redline
  behavioral1/memory/340-72-0x0000000000090000-0x00000000000E6000-memory.dmp | family_redline
- Executes dropped EXE (1 IoC)
  PID 1108 foto.exe
- Loads dropped DLL (4 IoCs)
  PID 2016 1110626324.exe (4 events)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1108 foto.exe set thread context of PID 340 RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 340 RegSvcs.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 340 RegSvcs.exe, Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1544 DllHost.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2016 1110626324.exe wrote to memory of PID 1108 foto.exe (4 events)
  PID 1108 foto.exe wrote to memory of PID 340 RegSvcs.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\1110626324.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1110626324.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMG00213.jpg
  MD5: 99e797779c2e243187de9d98ab687481
  SHA1: a44456a0f4ca3e3cc13c2744853416073ce24a0f
  SHA256: d80f7f0dbdc51723329e7f720176f2972edc2ed25d58b979063269db2ac592cc
  SHA512: bf33780551cd03e623d3f73c1279e569a541f4057f3eeb6ab0a3060eb4f3aa0bb4ee7d9474eb2dd0ae5349b303016daab1f82e6e9b2bac4d0c172e0e5aa49d9d
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
  MD5: 4da64a00d7ff89c04d675f50c32ee458
  SHA1: 505f39f4039bf5cba0009ea7b7d856f57d31a592
  SHA256: 610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3
  SHA512: d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4
- memory/340-70-0x00000000000AC5F2-mapping.dmp
- memory/340-75-0x0000000001FE0000-0x0000000001FE1000-memory.dmp (Filesize: 4KB)
- memory/340-73-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize: 4KB)
- memory/340-72-0x0000000000090000-0x00000000000E6000-memory.dmp (Filesize: 344KB)
- memory/340-71-0x0000000000090000-0x00000000000E6000-memory.dmp (Filesize: 344KB)
- memory/340-65-0x0000000000090000-0x00000000000E6000-memory.dmp (Filesize: 344KB)
- memory/1108-61-0x0000000000000000-mapping.dmp
- memory/1544-63-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/1544-56-0x00000000000B0000-0x00000000000B2000-memory.dmp (Filesize: 8KB)
- memory/2016-55-0x0000000000A20000-0x0000000000A22000-memory.dmp (Filesize: 8KB)
- memory/2016-53-0x00000000765A1000-0x00000000765A3000-memory.dmp (Filesize: 8KB)