Analysis
-
max time kernel
1774s -
max time network
1785s -
platform
windows11_x64 -
resource
win11 -
submitted
22-10-2021 14:39
General
-
Target
Fri05f84fa77402bf.exe
-
Size
394KB
-
MD5
8e0abf31bbb7005be2893af10fcceaa9
-
SHA1
a48259c2346d7aed8cf14566d066695a8c2db55c
-
SHA256
2df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
-
SHA512
ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ChrisNEW
C2
194.104.136.5:46013
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Sets service image path in registry 2 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exeC:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exeC:\Users\Admin\AppData\Local\Temp\Fri05f84fa77402bf.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rydf73⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8657d46f8,0x7ff8657d4708,0x7ff8657d47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3341334519307412542,3622394869399214849,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3328 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 15fe39f69268aaa0adf3d429b4225d83 +WstB7f+6EmM/3smQqNNNQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 15fe39f69268aaa0adf3d429b4225d83 +WstB7f+6EmM/3smQqNNNQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 15fe39f69268aaa0adf3d429b4225d83 +WstB7f+6EmM/3smQqNNNQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri05f84fa77402bf.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
\??\pipe\LOCAL\crashpad_1952_ZXXORTWMEOXVQOUYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/428-221-0x000002DAB1A00000-0x000002DAB1A02000-memory.dmpFilesize
8KB
-
memory/428-223-0x000002DAB1A00000-0x000002DAB1A02000-memory.dmpFilesize
8KB
-
memory/428-215-0x0000000000000000-mapping.dmp
-
memory/448-155-0x0000000000000000-mapping.dmp
-
memory/824-186-0x0000000000000000-mapping.dmp
-
memory/824-189-0x000001DB2CBB0000-0x000001DB2CBB2000-memory.dmpFilesize
8KB
-
memory/824-191-0x000001DB2CBB0000-0x000001DB2CBB2000-memory.dmpFilesize
8KB
-
memory/880-197-0x0000000000000000-mapping.dmp
-
memory/880-196-0x000001348FAD9000-0x000001348FADA000-memory.dmpFilesize
4KB
-
memory/880-199-0x000001348FBA0000-0x000001348FBA2000-memory.dmpFilesize
8KB
-
memory/880-200-0x000001348FBA0000-0x000001348FBA2000-memory.dmpFilesize
8KB
-
memory/1448-152-0x000001F7C9170000-0x000001F7C9174000-memory.dmpFilesize
16KB
-
memory/1448-151-0x000001F7C6AA0000-0x000001F7C6AB0000-memory.dmpFilesize
64KB
-
memory/1448-150-0x000001F7C6A20000-0x000001F7C6A30000-memory.dmpFilesize
64KB
-
memory/1952-177-0x0000000000000000-mapping.dmp
-
memory/1952-179-0x000001991D940000-0x000001991D942000-memory.dmpFilesize
8KB
-
memory/1952-178-0x000001991D940000-0x000001991D942000-memory.dmpFilesize
8KB
-
memory/2032-225-0x000001A4FA840000-0x000001A4FA842000-memory.dmpFilesize
8KB
-
memory/2032-220-0x0000000000000000-mapping.dmp
-
memory/2272-161-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/2272-164-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/2272-175-0x0000000007550000-0x0000000007551000-memory.dmpFilesize
4KB
-
memory/2272-176-0x0000000006DF0000-0x0000000006DF1000-memory.dmpFilesize
4KB
-
memory/2272-173-0x00000000062C0000-0x00000000062C1000-memory.dmpFilesize
4KB
-
memory/2272-170-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/2272-168-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/2272-174-0x0000000006E50000-0x0000000006E51000-memory.dmpFilesize
4KB
-
memory/2272-157-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2272-160-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/2272-167-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/2272-166-0x0000000004D70000-0x0000000005388000-memory.dmpFilesize
6.1MB
-
memory/2272-165-0x0000000005C40000-0x0000000005C41000-memory.dmpFilesize
4KB
-
memory/2272-156-0x0000000000000000-mapping.dmp
-
memory/2272-163-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/2272-162-0x0000000004F30000-0x0000000004F31000-memory.dmpFilesize
4KB
-
memory/2284-233-0x0000000000000000-mapping.dmp
-
memory/2844-252-0x0000000000000000-mapping.dmp
-
memory/3136-236-0x0000000000000000-mapping.dmp
-
memory/3404-182-0x000001E2407F0000-0x000001E2407F2000-memory.dmpFilesize
8KB
-
memory/3404-180-0x0000000000000000-mapping.dmp
-
memory/3404-181-0x000001E2407F0000-0x000001E2407F2000-memory.dmpFilesize
8KB
-
memory/3568-211-0x0000020D79BB0000-0x0000020D79BB2000-memory.dmpFilesize
8KB
-
memory/3568-210-0x0000020D79BB0000-0x0000020D79BB2000-memory.dmpFilesize
8KB
-
memory/3568-209-0x0000020D79BB0000-0x0000020D79BB2000-memory.dmpFilesize
8KB
-
memory/3568-212-0x0000020D79BB0000-0x0000020D79BB2000-memory.dmpFilesize
8KB
-
memory/3568-205-0x0000000000000000-mapping.dmp
-
memory/3752-206-0x000001CE289F0000-0x000001CE289F2000-memory.dmpFilesize
8KB
-
memory/3752-214-0x000001CE289F0000-0x000001CE289F2000-memory.dmpFilesize
8KB
-
memory/3752-201-0x000001CE2894C000-0x000001CE2894D000-memory.dmpFilesize
4KB
-
memory/3752-202-0x0000000000000000-mapping.dmp
-
memory/3752-207-0x000001CE289F0000-0x000001CE289F2000-memory.dmpFilesize
8KB
-
memory/3752-213-0x000001CE289F0000-0x000001CE289F2000-memory.dmpFilesize
8KB
-
memory/3964-246-0x0000000000000000-mapping.dmp
-
memory/4312-149-0x0000000005570000-0x0000000005571000-memory.dmpFilesize
4KB
-
memory/4312-153-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/4312-148-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/4312-154-0x0000000005DA0000-0x0000000005DA1000-memory.dmpFilesize
4KB
-
memory/4312-146-0x0000000000B40000-0x0000000000B41000-memory.dmpFilesize
4KB
-
memory/4348-216-0x00000229598E1000-0x00000229598E2000-memory.dmpFilesize
4KB
-
memory/4348-217-0x0000000000000000-mapping.dmp
-
memory/4348-222-0x00000229599B0000-0x00000229599B2000-memory.dmpFilesize
8KB
-
memory/4464-188-0x000001C535420000-0x000001C535422000-memory.dmpFilesize
8KB
-
memory/4464-185-0x0000000000000000-mapping.dmp
-
memory/4464-184-0x000001C535097000-0x000001C535098000-memory.dmpFilesize
4KB
-
memory/4464-187-0x00007FF887000000-0x00007FF887001000-memory.dmpFilesize
4KB
-
memory/4464-190-0x000001C535420000-0x000001C535422000-memory.dmpFilesize
8KB
-
memory/4464-193-0x000001C535420000-0x000001C535422000-memory.dmpFilesize
8KB
-
memory/4464-194-0x000001C535420000-0x000001C535422000-memory.dmpFilesize
8KB
-
memory/4464-195-0x000001C535420000-0x000001C535422000-memory.dmpFilesize
8KB