Overview

overview

10

Static

static

10

setup_inst...32.exe

windows10_x64

10

setup_inst...2b.exe

windows10_x64

8

setup_inst...61.exe

windows10_x64

10

setup_inst...f8.exe

windows10_x64

10

setup_inst...34.exe

windows10_x64

10

setup_inst...c2.exe

windows10_x64

10

setup_inst...cb.exe

windows10_x64

10

setup_inst...90.exe

windows10_x64

10

setup_inst...79.exe

windows10_x64

6

setup_inst...d8.exe

windows10_x64

3

setup_inst...3b.exe

windows10_x64

8

setup_inst...ac.exe

windows10_x64

10

setup_inst...38.exe

windows10_x64

10

setup_inst...b5.exe

windows10_x64

10

setup_inst...b2.exe

windows10_x64

7

setup_inst...rl.dll

windows10_x64

3

setup_inst...pp.dll

windows10_x64

3

setup_inst...-1.dll

windows10_x64

3

setup_inst...-6.dll

windows10_x64

3

setup_inst...-1.dll

windows10_x64

1

setup_inst...ll.exe

windows10_x64

10

Resubmissions

27-10-2021 14:44

211027-r4madafbg6 10

27-10-2021 14:28

211027-rs7f6sfah4 10

Analysis

  • max time kernel
    1804s
  • max time network
    1814s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer/Wed09e95ff6b5.exe

Score
10/10
redlinesermaninfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

serman

C2

135.181.129.119:4805

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09e95ff6b5.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09e95ff6b5.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Public\run.exe
      C:\Users\Public\run.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 240
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4172
    • C:\Users\Public\run2.exe
      C:\Users\Public\run2.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4540
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1120
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:1404
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1364
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4664
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1552
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
      PID:4944
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:3228

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\run.exe
      MD5

      b804ea11feb74be302e4c81cd20fd53e

      SHA1

      7d8b4f854b13875226d22d4066ebbea09f8ab512

      SHA256

      eac802653eed6b9db8fbf7a0ecfe559bd2e7dac148504a393aa7f536291a1d7e

      SHA512

      2e7f10b34bb368b50be9d199c7180255b51d2dd6eb9625df11cbd89bcda7c65b0327057147cd3dfa116a320b06e5be7593a8c19635823dd7facc9f8f4f5bd813

      Download Submit
    • C:\Users\Public\run.exe
      MD5

      b804ea11feb74be302e4c81cd20fd53e

      SHA1

      7d8b4f854b13875226d22d4066ebbea09f8ab512

      SHA256

      eac802653eed6b9db8fbf7a0ecfe559bd2e7dac148504a393aa7f536291a1d7e

      SHA512

      2e7f10b34bb368b50be9d199c7180255b51d2dd6eb9625df11cbd89bcda7c65b0327057147cd3dfa116a320b06e5be7593a8c19635823dd7facc9f8f4f5bd813

      Download Submit
    • C:\Users\Public\run2.exe
      MD5

      5ce9a5442c3050e99d03ea4abeb4c667

      SHA1

      d5d6906be3dc11bd87cec8fc128143906ab6d213

      SHA256

      62e6faefb82888dbad5c295bf21d8eb08d494665da2cac5c429944cf7d0c3724

      SHA512

      4cbc6ca45fffaa77e9900dad2f6f1ce41a3646b3a94108873b57e91fe65780e30fdb3aadc927c1aafdfdfeecf0cfd6d02734723f99b1fd63e6692cea7517bd3f

      Download Submit
    • C:\Users\Public\run2.exe
      MD5

      5ce9a5442c3050e99d03ea4abeb4c667

      SHA1

      d5d6906be3dc11bd87cec8fc128143906ab6d213

      SHA256

      62e6faefb82888dbad5c295bf21d8eb08d494665da2cac5c429944cf7d0c3724

      SHA512

      4cbc6ca45fffaa77e9900dad2f6f1ce41a3646b3a94108873b57e91fe65780e30fdb3aadc927c1aafdfdfeecf0cfd6d02734723f99b1fd63e6692cea7517bd3f

      Download Submit
    • memory/2932-147-0x00000000096F0000-0x0000000009CF6000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/2932-152-0x0000000009B10000-0x0000000009B11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-181-0x000000000CD20000-0x000000000CD21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-180-0x000000000C620000-0x000000000C621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-163-0x000000000A8E0000-0x000000000A8E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-156-0x000000000A790000-0x000000000A791000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-155-0x000000000AD50000-0x000000000AD51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-154-0x000000000A7B0000-0x000000000A7B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-153-0x000000000A690000-0x000000000A691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-131-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2932-136-0x0000000000418D2A-mapping.dmp
      Download
    • memory/2932-138-0x0000000004F60000-0x0000000004F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-137-0x0000000004F60000-0x0000000004F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-139-0x0000000004F60000-0x0000000004F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-140-0x0000000000400000-0x0000000000401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-142-0x0000000009D00000-0x0000000009D01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-143-0x0000000009740000-0x0000000009741000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-144-0x0000000009870000-0x0000000009871000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-145-0x00000000097A0000-0x00000000097A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-146-0x00000000097E0000-0x00000000097E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2932-148-0x0000000004F60000-0x0000000004F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-118-0x0000000000000000-mapping.dmp
      Download
    • memory/4444-123-0x00000000001E0000-0x00000000001E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-129-0x0000000000400000-0x0000000000AEE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4444-128-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-127-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-126-0x0000000000C90000-0x0000000000C91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-125-0x0000000000C80000-0x0000000000C81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4444-124-0x00000000001F0000-0x00000000001F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4540-121-0x0000000000000000-mapping.dmp
      Download