Analysis
- max time kernel: 145s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 09:17
Static task: static1
General
- Target: 62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe
- Size: 840KB
- MD5: ac6d326fe5a9783a0f80913cfe8d9147
- SHA1: c6d9771b719c123adcd303d3bc7317e41e1cf179
- SHA256: 62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809
- SHA512: 0faaa3ddc074820695e12c127507d038261b5d400f8ae8aa702971da67540faae051c485e916b649a71242122d1e8bcdc9a4d6407741540040b5cefad84a136d
Malware Config
Extracted
- Family: redline
- Botnet: Proliv2
- C2: 176.57.71.68:37814
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2348-115-0x0000000000170000-0x00000000001A1000-memory.dmp | family_redline
  behavioral1/memory/2348-121-0x0000000002AA0000-0x0000000002ABC000-memory.dmp | family_redline
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid | process
  408 | 123.exe
  2440 | runtimeservice.exe
  1980 | sihost32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  2348 | 62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe
  408 | 123.exe
  2440 | runtimeservice.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2348 | 62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe
  Token: SeDebugPrivilege | 408 | 123.exe
  Token: SeDebugPrivilege | 2440 | runtimeservice.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | process | target process
  PID 2348 wrote to memory of 408 | 2348 | 62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe | 123.exe
  PID 2348 wrote to memory of 408 | 2348 | 62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe | 123.exe
  PID 408 wrote to memory of 3436 | 408 | 123.exe | cmd.exe
  PID 408 wrote to memory of 3436 | 408 | 123.exe | cmd.exe
  PID 3436 wrote to memory of 956 | 3436 | cmd.exe | schtasks.exe
  PID 3436 wrote to memory of 956 | 3436 | cmd.exe | schtasks.exe
  PID 408 wrote to memory of 2440 | 408 | 123.exe | runtimeservice.exe
  PID 408 wrote to memory of 2440 | 408 | 123.exe | runtimeservice.exe
  PID 2440 wrote to memory of 2032 | 2440 | runtimeservice.exe | cmd.exe
  PID 2440 wrote to memory of 2032 | 2440 | runtimeservice.exe | cmd.exe
  PID 2440 wrote to memory of 1980 | 2440 | runtimeservice.exe | sihost32.exe
  PID 2440 wrote to memory of 1980 | 2440 | runtimeservice.exe | sihost32.exe
  PID 2032 wrote to memory of 3336 | 2032 | cmd.exe | schtasks.exe
  PID 2032 wrote to memory of 3336 | 2032 | cmd.exe | schtasks.exe
Processes (process tree; indentation shows parent/child depth 1-5)
- C:\Users\Admin\AppData\Local\Temp\62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\62a7d968bb42d9b157da63c1db333c38360da0dc86990cd751c3ec432d932809.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\123.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'
        Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\runtimeservice.exe
      Command line: "C:\Users\Admin\AppData\Roaming\runtimeservice.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'
          Signatures: Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5: c4ab556b6a1dd537cc1942204fdfd6cd
SHA1: 91c8f1c171c1710f78a53ab119959e15549c3931
SHA256: fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
SHA512: 997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5: dbd399ad19db67986885ae73860583a1
SHA1: 0981d845da6a8cde0913d08cdcdcacaced6d7141
SHA256: b4563d2f26a78c16789c86d4aeff3a038832b6af46947fc5e79e51f0bce717f9
SHA512: b3198db63958dbad486df7aa067c44b839d8af833f41b08b396ac5f728726428462b25452b82e5cb2500e046e0f7d81dc994808935eabae40ee2ac5d3e068134
-
C:\Users\Admin\AppData\Roaming\runtimeservice.exe
MD5: c4ab556b6a1dd537cc1942204fdfd6cd
SHA1: 91c8f1c171c1710f78a53ab119959e15549c3931
SHA256: fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
SHA512: 997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f