Analysis

- max time kernel: 1602s
- max time network: 1607s
- platform: windows7_x64
- resource: win7-de-20210920
- submitted: 22-10-2021 14:39
- Static task static1
- Behavioral task behavioral1: Sample Fri05f84fa77402bf.exe, Resource win7-ja-20210920
- Behavioral task behavioral2: Sample Fri05f84fa77402bf.exe, Resource win7-en-20211014
- Behavioral task behavioral3: Sample Fri05f84fa77402bf.exe, Resource win7-de-20210920
- Behavioral task behavioral4: Sample Fri05f84fa77402bf.exe, Resource win11
- Behavioral task behavioral5: Sample Fri05f84fa77402bf.exe, Resource win10-ja-20210920
- Behavioral task behavioral6: Sample Fri05f84fa77402bf.exe, Resource win10-en-20211014
- Behavioral task behavioral7: Sample Fri05f84fa77402bf.exe, Resource win10-de-20211014
General

- Target: Fri05f84fa77402bf.exe
- Size: 394KB
- MD5: 8e0abf31bbb7005be2893af10fcceaa9
- SHA1: a48259c2346d7aed8cf14566d066695a8c2db55c
- SHA256: 2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
- SHA512: ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
Malware Config

Extracted:
- Family: redline
- Botnet: ChrisNEW
- C2: 194.104.136.5:46013
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (5 IoCs)
  Memory regions in behavioral3 matching the family_redline YARA rule:
  - memory/308-60-0x0000000000400000-0x000000000041E000-memory.dmp
  - memory/308-59-0x0000000000400000-0x000000000041E000-memory.dmp
  - memory/308-61-0x0000000000400000-0x000000000041E000-memory.dmp
  - memory/308-62-0x0000000000418542-mapping.dmp
  - memory/308-63-0x0000000000400000-0x000000000041E000-memory.dmp

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Suspicious use of SetThreadContext (1 IoC)
  PID 592 Fri05f84fa77402bf.exe set thread context of PID 308 Fri05f84fa77402bf.exe.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Internet Explorer settings
  All keys below are under \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer; the process making the change is given in parentheses.
  - Set value (int) Recovery\AdminActive\{FD2BD921-334A-11EC-8175-C2E46088F6E7} = "0" (iexplore.exe)
  - Key created LowRegistry\DOMStorage (iexplore.exe)
  - Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Set value (int) TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  - Key created InternetRegistry (iexplore.exe)
  - Key created Recovery\AdminActive (iexplore.exe)
  - Key created Main\WindowsSearch (iexplore.exe)
  - Set value (str) Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  - Set value (int) DomainSuggestion\NextUpdateDate = "341680746" (iexplore.exe)
  - Key created LowRegistry (iexplore.exe)
  - Key created PageSetup (iexplore.exe)
  - Set value (int) Main\CompatibilityFlags = "0" (iexplore.exe)
  - Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = a0de5dd557c7d701 (iexplore.exe)
  - Key created LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Key created Toolbar (iexplore.exe)
  - Key created Toolbar\WebBrowser (iexplore.exe)
  - Set value (str) Main\FullScreen = "no" (iexplore.exe)
  - Key created DomainSuggestion (iexplore.exe)
  - Key created DomainSuggestion\FileNames (iexplore.exe)
  - Key created IntelliForms (iexplore.exe)
  - Key created Zoom (iexplore.exe)
  - Key created Main (IEXPLORE.EXE)
  - Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000bc9722f93bd6da725ce76ed9cd2a819e8a91181a2dcace91b77e0a0694709183000000000e8000000002000020000000c9a739d71532ebb72552be4b3b123da93cf412905af777bd10f7ab43394c73a420000000154f5447d272f14bc596c0a5a671a936cb9287550b1d7c03b3dcce60d0fe9d3040000000b6897112c34e5332eb90bd59f08b138a9f18b242c9cbf2687c0b0a8e32cde75d685ed4727c500fd58769e7208cca46f84ac9c4499fc59f7481f088dee0777836 (iexplore.exe)
  - Key created Main (iexplore.exe)
  - Key created GPU (iexplore.exe)
  - Key created Main\WindowsSearch (IEXPLORE.EXE)
  - Key created DomainSuggestion\FileNames\ (iexplore.exe)
  - Key created BrowserEmulation\LowMic (iexplore.exe)
  - Key created IETld\LowMic (iexplore.exe)
  - Set value (str) Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Key created Recovery\PendingRecovery (iexplore.exe)
  - Set value (int) Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created TabbedBrowsing (iexplore.exe)
  - Key created TabbedBrowsing\NewTabPage (iexplore.exe)
  - Set value (data) TabbedBrowsing\NewTabPage\MFV = [value elided] (iexplore.exe)
  - Set value (str) DomainSuggestion\FileNames\de-DE = "de-DE.1" (iexplore.exe)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1736 iexplore.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token SeDebugPrivilege: PID 308 Fri05f84fa77402bf.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1736 iexplore.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 1736 iexplore.exe (2 occurrences); PID 1684 IEXPLORE.EXE (4 occurrences)

- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 592 Fri05f84fa77402bf.exe wrote to memory of PID 308 Fri05f84fa77402bf.exe (9 occurrences)
  - PID 308 Fri05f84fa77402bf.exe wrote to memory of PID 1736 iexplore.exe (4 occurrences)
  - PID 1736 iexplore.exe wrote to memory of PID 1684 IEXPLORE.EXE (4 occurrences)
  - PID 1852 taskeng.exe wrote to memory of PID 1008 default-browser-agent.exe (3 occurrences)
Processes

Each entry gives the image path, its command line, and the signatures attributed to it; indentation shows the parent/child relationship.

- C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1rydf7
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5AA66AE9-21EC-4D6F-909B-817F07D7A199} S-1-5-18:NT AUTHORITY\System:Service:

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {38055C2D-9ECC-4EB5-BC46-BB6D1A9DF037} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
    Command line: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7BDF6BD2-80A6-4193-A34F-A071023BE65D} S-1-5-18:NT AUTHORITY\System:Service:
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: ab5c36d10261c173c5896f3478cdc6b7
  SHA1: 87ac53810ad125663519e944bc87ded3979cbee4
  SHA256: f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
  SHA512: e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 46213e3ef3c8f1377aa91097e43a6b7e
  SHA1: 8e42487664754b99f7c34ef1de14b0fa8072db1c
  SHA256: eb6b42f48b408e07107a28e446ba3ac898487c844ed9c57d6879c76e79a0d821
  SHA512: 778a4b182102a8f567f9fb143443a30916997ada87ceb028437c45f080f09242acca3f2f8573172b95e86a83bd094354f6ac2d30be3c4eeeed996690cbb2452f

- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
  MD5: 206e023148ee2bb5a1997faad14b2318
  SHA1: ad9d3ce706dc10c5a7ccdaf6cb82698879c3d5e6
  SHA256: 27b6a630ea7c10cbf23f0ee8ad8a8af7f6877bbc799ac71fc069621e26e3181b
  SHA512: efabbc2236637f8f7b910eabca99ca847a98b66de43233aad39a5a5cb78c1269ffa1bb21c3d3fdf2f41c9e2abfde29e9627f2b129ecdb1c35ee2b7b81ec102af

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8I2CSA6O.txt
  MD5: e2be4a0f533d4b098c09104c414de173
  SHA1: cffaf07b8174c9d1c74d0fb9296a0b9d2b543668
  SHA256: 5e13cefa875c06d0823812e26a803eaaf34f862f942095f1e06d40a3cee6add5
  SHA512: 72920acb6eee1738c425f6d5fa8b3bc76c1bc89f83f95e9669cff2c926d823a3011ba30e5d965449e19c2634ed5a56d3dffa6e2fe4e07eccfdfe1f5c8897846c

Memory dumps (filesize in parentheses where reported):

- memory/308-59-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/308-58-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/308-61-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/308-62-0x0000000000418542-mapping.dmp
- memory/308-63-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/308-65-0x0000000004370000-0x0000000004371000-memory.dmp (4KB)
- memory/308-60-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/308-57-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/592-54-0x0000000000900000-0x0000000000901000-memory.dmp (4KB)
- memory/592-56-0x0000000004290000-0x0000000004291000-memory.dmp (4KB)
- memory/1008-72-0x0000000000000000-mapping.dmp
- memory/1684-67-0x0000000000000000-mapping.dmp
- memory/1736-66-0x0000000000000000-mapping.dmp