Analysis
- max time kernel: 147s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20-10-2021 09:18
- Static task: static1
General
- Target: 4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe
- Size: 799KB
- MD5: fa977ef2f98139eab16f02e933466a16
- SHA1: 9d330777eb941567d9c93b96a23d6b34fc868d61
- SHA256: 4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548
- SHA512: c44377e77fd08d74860ee1ea2dfad3402dae57be10a9add40eb35e2134fb36116168856a5b16b21380bde604a7b6d5ac64c1c0daf481d1f08f2c34fad9fbe972
Malware Config
Extracted
- Family: redline
- Botnet: Proliv3
- C2: 145.239.32.179:27763
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
    resource                                                                     | yara_rule
    behavioral1/memory/2720-115-0x0000000002640000-0x0000000002671000-memory.dmp | family_redline
    behavioral1/memory/2720-121-0x0000000002AA0000-0x0000000002ABC000-memory.dmp | family_redline
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    2460 | 123.exe
    1280 | runtimeservice.exe
    3688 | sihost32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid  | process
    3636 | schtasks.exe
    3700 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid  | process
    2720 | 4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe
    2460 | 123.exe
    1280 | runtimeservice.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 2720 | 4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe
    Token: SeDebugPrivilege | 2460 | 123.exe
    Token: SeDebugPrivilege | 1280 | runtimeservice.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                       | pid  | process                                                              | target process
    PID 2720 wrote to memory of 2460  | 2720 | 4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe | 123.exe
    PID 2720 wrote to memory of 2460  | 2720 | 4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe | 123.exe
    PID 2460 wrote to memory of 1172  | 2460 | 123.exe                                                              | cmd.exe
    PID 2460 wrote to memory of 1172  | 2460 | 123.exe                                                              | cmd.exe
    PID 1172 wrote to memory of 3636  | 1172 | cmd.exe                                                              | schtasks.exe
    PID 1172 wrote to memory of 3636  | 1172 | cmd.exe                                                              | schtasks.exe
    PID 2460 wrote to memory of 1280  | 2460 | 123.exe                                                              | runtimeservice.exe
    PID 2460 wrote to memory of 1280  | 2460 | 123.exe                                                              | runtimeservice.exe
    PID 1280 wrote to memory of 3036  | 1280 | runtimeservice.exe                                                   | cmd.exe
    PID 1280 wrote to memory of 3036  | 1280 | runtimeservice.exe                                                   | cmd.exe
    PID 1280 wrote to memory of 3688  | 1280 | runtimeservice.exe                                                   | sihost32.exe
    PID 1280 wrote to memory of 3688  | 1280 | runtimeservice.exe                                                   | sihost32.exe
    PID 3036 wrote to memory of 3700  | 3036 | cmd.exe                                                              | schtasks.exe
    PID 3036 wrote to memory of 3700  | 3036 | cmd.exe                                                              | schtasks.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4d08c78b5911ff104d0c322b887c3e2721c25cc5e8c037a70939600f62d9b548.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\123.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'
        - Creates scheduled task(s)
    - [depth 3] C:\Users\Admin\AppData\Roaming\runtimeservice.exe
      command line: "C:\Users\Admin\AppData\Roaming\runtimeservice.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\schtasks.exe
          command line: schtasks /create /f /sc onlogon /rl highest /tn "runtimeservice" /tr '"C:\Users\Admin\AppData\Roaming\runtimeservice.exe"'
          - Creates scheduled task(s)
      - [depth 4] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\123.exe
  MD5: c4ab556b6a1dd537cc1942204fdfd6cd
  SHA1: 91c8f1c171c1710f78a53ab119959e15549c3931
  SHA256: fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
  SHA512: 997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
  MD5: dbd399ad19db67986885ae73860583a1
  SHA1: 0981d845da6a8cde0913d08cdcdcacaced6d7141
  SHA256: b4563d2f26a78c16789c86d4aeff3a038832b6af46947fc5e79e51f0bce717f9
  SHA512: b3198db63958dbad486df7aa067c44b839d8af833f41b08b396ac5f728726428462b25452b82e5cb2500e046e0f7d81dc994808935eabae40ee2ac5d3e068134
- C:\Users\Admin\AppData\Roaming\runtimeservice.exe
  MD5: c4ab556b6a1dd537cc1942204fdfd6cd
  SHA1: 91c8f1c171c1710f78a53ab119959e15549c3931
  SHA256: fb07a088ddf5bab17add34ddbdd3d4d15ebff15412cadc4c6cea801244801a79
  SHA512: 997ad56739814b047ddfe53739660d3a0cc1b6cc3fe813c709048fc8a3af2b8b31a04cd3bfe8716626f96b065aa983176706b28a2da937fda45dcbc43e106a0f