Analysis

  • max time kernel
    89s
  • max time network
    129s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    20-10-2021 01:01

General

  • Target

    Redline Stealer 2021 Cracked/Redline_20_2_crack.exe

  • Size

    15.1MB

  • MD5

    083776e54ad37b3a45d7e6516b1e13fb

  • SHA1

    e784e8f041dfb7612e8439518ed587f1f878b9eb

  • SHA256

    4334163e03a3cae86600be22c3deb8e786142db27883cc99f0536f713621df9d

  • SHA512

    0985538bf8c2add2e85ac09e64826e0993fae2b1b4e7643a42f010201e4e8f2065f673a795aa4eabf7bee26709f35fbc84553042f40ce3a2fde96a271c43590c

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
  • Drops startup file 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\Desktop\New folder\crack.exe
      "C:\Users\Admin\Desktop\New folder\crack.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious behavior: AddClipboardFormatListener
      PID:3292
  • C:\Windows\System32\Upfc.exe
    C:\Windows\System32\Upfc.exe /launchtype periodic /cv NhUJ642WskKLYRDgxSoWYQ.0
    1⤵
      PID:5100
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -s W32Time
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4612
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Modifies data under HKEY_USERS
      PID:4656
    • C:\Windows\System32\sihclient.exe
      C:\Windows\System32\sihclient.exe /cv sbePE9p7cEmNT2HJTnSbtw.0.2
      1⤵
        PID:4716
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
        1⤵
          PID:3540
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe f658eb2d4cf0ccde794d06364a8d49bb sbePE9p7cEmNT2HJTnSbtw.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:4260
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
          1⤵
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1220
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
          1⤵
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
            C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
            2⤵
              PID:2516
          • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
            C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
            1⤵
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:4840
          • C:\Windows\System32\WaaSMedicAgent.exe
            C:\Windows\System32\WaaSMedicAgent.exe f658eb2d4cf0ccde794d06364a8d49bb sbePE9p7cEmNT2HJTnSbtw.0.1.0.3.0
            1⤵
            • Modifies data under HKEY_USERS
            PID:4908
          • C:\Windows\System32\WaaSMedicAgent.exe
            C:\Windows\System32\WaaSMedicAgent.exe f658eb2d4cf0ccde794d06364a8d49bb sbePE9p7cEmNT2HJTnSbtw.0.1.0.3.0
            1⤵
            • Modifies data under HKEY_USERS
            PID:4912
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:3532
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\ReadMe.txt
              1⤵
                PID:2008
              • C:\Users\Admin\Desktop\New folder\crack.exe
                "C:\Users\Admin\Desktop\New folder\crack.exe"
                1⤵
                • Executes dropped EXE
                PID:1880
              • C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe
                "C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3148
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3148 -s 992
                  2⤵
                  • Program crash
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2580
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -pss -s 456 -p 3148 -ip 3148
                1⤵
                • Suspicious use of NtCreateProcessExOtherParentProcess
                • Suspicious use of WriteProcessMemory
                PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: System Information Discovery (3) T1082
  • Discovery: Query Registry (2) T1012

Downloads

  • C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe
    MD5

    f4e19b67ef27af1434151a512860574e

    SHA1

    56304fc2729974124341e697f3b21c84a8dd242a

    SHA256

    c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a

    SHA512

    a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77

  • C:\Users\Admin\Desktop\New folder\Panel\RedLine_20_2\Panel\Panel.exe.config
    MD5

    494890d393a5a8c54771186a87b0265e

    SHA1

    162fa5909c1c3f84d34bda5d3370a957fe58c9c8

    SHA256

    f2a5a06359713226aeacfe239eeb8ae8606f4588d8e58a19947c3a190efbdfc7

    SHA512

    40fbd033f288fee074fc36e899796efb30d3c582784b834fc583706f19a0b8d5a134c6d1405afe563d2676072e4eefc4e169b2087867cab77a3fa1aa1a7c9395

  • C:\Users\Admin\Desktop\New folder\ReadMe.txt
    MD5

    1aa5bac6cacd74746ec6c3eb28e0092b

    SHA1

    5ed229ae018700778a8b617c1c92baf0ceaf18c8

    SHA256

    e6bc141f184b9e8a476b3d79ff5b6d864b4a164915c641c7fcf1fefb95d44ac7

    SHA512

    7c5816c11824dadf9ff9e80b7eb8a4eb3efbfd2fd08a34b5d61ed148303ec6cfb313df4122b5d0a3151c943d8bc67ae6de9c3b1ef59371dd941da64609aa24a9

  • C:\Users\Admin\Desktop\New folder\crack.exe
    MD5

    d2092715d71b90721291a1d59f69a8cc

    SHA1

    99ebd7a6601d85cc7206b5a9dbf623ec9e5963ad

    SHA256

    b38006408e2229c1c23c56e4efba5df476d7ee13931ec7766cb6940b1b397679

    SHA512

    3b99205ae8c7c69ca207b45b5d2701a24a7aa2bff2f4dace45702f4eaca71e19d0630d33f869e4793d7d3f9d429b37c77690df6913c225e0b9e5c3e7d583d322

  • memory/1220-151-0x000001D693E70000-0x000001D693E74000-memory.dmp
    Filesize

    16KB

  • memory/2516-152-0x0000000000000000-mapping.dmp
  • memory/3148-167-0x000000001ACC0000-0x000000001AE60000-memory.dmp
    Filesize

    1.6MB

  • memory/3148-165-0x00007FFCB05F0000-0x00007FFCB10B1000-memory.dmp
    Filesize

    10.8MB

  • memory/3148-168-0x0000000002070000-0x0000000002071000-memory.dmp
    Filesize

    4KB

  • memory/3148-169-0x00007FFCD4DF0000-0x00007FFCD4DF1000-memory.dmp
    Filesize

    4KB

  • memory/3148-170-0x00007FFCD50B0000-0x00007FFCD50B1000-memory.dmp
    Filesize

    4KB

  • memory/3292-158-0x0000000000B60000-0x0000000000B62000-memory.dmp
    Filesize

    8KB

  • memory/3292-156-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/3292-153-0x0000000000000000-mapping.dmp
  • memory/4656-146-0x0000021990C80000-0x0000021990C90000-memory.dmp
    Filesize

    64KB

  • memory/4656-148-0x0000021993300000-0x0000021993304000-memory.dmp
    Filesize

    16KB

  • memory/4656-147-0x0000021990D00000-0x0000021990D10000-memory.dmp
    Filesize

    64KB