Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 09:18
General
-
Target
4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe
-
Size
799KB
-
MD5
fa977ef2f98139eab16f02e933466a16
-
SHA1
9d330777eb941567d9c93b96a23d6b34fc868d61
-
SHA256
4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548
-
SHA512
c44377e77fd08d74860ee1ea2dfad3402dae57be10a9add40eb35e2134fb36116168856a5b16b21380bde604a7b6d5ac64c1c0daf481d1f08f2c34fad9fbe972
Malware Config
Extracted
redline
Proliv3
145.239.32.179:27763
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe"C:\Users\Admin\AppData\Local\Temp\4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\123.exe"C:\Users\Admin\AppData\Local\Temp\123.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\runtimeservice.exe"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\123.exeMD5
c4ab556b6a1dd537cc1942204fdfd6cd
SHA191c8f1c171c1710f78a53ab119959e15549c3931
SHA256fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
SHA512997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f
-
C:\Users\Admin\AppData\Local\Temp\123.exeMD5
c4ab556b6a1dd537cc1942204fdfd6cd
SHA191c8f1c171c1710f78a53ab119959e15549c3931
SHA256fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
SHA512997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
dbd399ad19db67986885ae73860583a1
SHA10981d845da6a8cde0913d08cdcdcacaced6d7141
SHA256b4563d2f26a78c16789c86d4aeff3a038832b6af46947fc5e79e51f0bce717f9
SHA512b3198db63958dbad486df7aa067c44b839d8af833f41b08b396ac5f728726428462b25452b82e5cb2500e046e0f7d81dc994808935eabae40ee2ac5d3e068134
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
dbd399ad19db67986885ae73860583a1
SHA10981d845da6a8cde0913d08cdcdcacaced6d7141
SHA256b4563d2f26a78c16789c86d4aeff3a038832b6af46947fc5e79e51f0bce717f9
SHA512b3198db63958dbad486df7aa067c44b839d8af833f41b08b396ac5f728726428462b25452b82e5cb2500e046e0f7d81dc994808935eabae40ee2ac5d3e068134
-
C:\Users\Admin\AppData\Roaming\runtimeservice.exeMD5
c4ab556b6a1dd537cc1942204fdfd6cd
SHA191c8f1c171c1710f78a53ab119959e15549c3931
SHA256fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
SHA512997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f
-
C:\Users\Admin\AppData\Roaming\runtimeservice.exeMD5
c4ab556b6a1dd537cc1942204fdfd6cd
SHA191c8f1c171c1710f78a53ab119959e15549c3931
SHA256fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
SHA512997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f
-
memory/1172-148-0x0000000000000000-mapping.dmp
-
memory/1280-150-0x0000000000000000-mapping.dmp
-
memory/1280-161-0x0000000000960000-0x0000000000962000-memory.dmpFilesize
8KB
-
memory/2460-147-0x0000000003A10000-0x0000000003A12000-memory.dmpFilesize
8KB
-
memory/2460-146-0x00000000039C0000-0x00000000039C1000-memory.dmpFilesize
4KB
-
memory/2460-145-0x0000000003990000-0x0000000003996000-memory.dmpFilesize
24KB
-
memory/2460-143-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/2460-140-0x0000000000000000-mapping.dmp
-
memory/2720-139-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/2720-125-0x00000000053F2000-0x00000000053F3000-memory.dmpFilesize
4KB
-
memory/2720-137-0x0000000007D20000-0x0000000007D21000-memory.dmpFilesize
4KB
-
memory/2720-138-0x0000000007DC0000-0x0000000007DC1000-memory.dmpFilesize
4KB
-
memory/2720-115-0x0000000002640000-0x0000000002671000-memory.dmpFilesize
196KB
-
memory/2720-135-0x00000000076E0000-0x00000000076E1000-memory.dmpFilesize
4KB
-
memory/2720-134-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/2720-133-0x0000000006FA0000-0x0000000006FA1000-memory.dmpFilesize
4KB
-
memory/2720-132-0x0000000006DD0000-0x0000000006DD1000-memory.dmpFilesize
4KB
-
memory/2720-131-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/2720-130-0x00000000053F4000-0x00000000053F5000-memory.dmpFilesize
4KB
-
memory/2720-129-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/2720-128-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/2720-121-0x0000000002AA0000-0x0000000002ABC000-memory.dmpFilesize
112KB
-
memory/2720-127-0x0000000002B70000-0x0000000002B71000-memory.dmpFilesize
4KB
-
memory/2720-126-0x00000000053F3000-0x00000000053F4000-memory.dmpFilesize
4KB
-
memory/2720-124-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/2720-123-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/2720-136-0x0000000007780000-0x0000000007781000-memory.dmpFilesize
4KB
-
memory/3036-157-0x0000000000000000-mapping.dmp
-
memory/3636-149-0x0000000000000000-mapping.dmp
-
memory/3688-158-0x0000000000000000-mapping.dmp
-
memory/3688-162-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/3688-165-0x0000000001390000-0x0000000001392000-memory.dmpFilesize
8KB
-
memory/3700-164-0x0000000000000000-mapping.dmp