Resubmissions

27-10-2021 14:44

211027-r4madafbg6 10

27-10-2021 14:28

211027-rs7f6sfah4 10

Analysis

  • max time kernel
    121s
  • max time network
    133s
  • submitted
    01-01-1970 00:00

General

  • Target

    setup_installer/Wed09b3a5ca1a712d390.exe

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers routinely read stored browser data, which can include saved credentials, cookies, session tokens and autofill entries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this as likely ransomware behaviour, but in the context of this RedLine stealer sample it is more consistent with an infostealer enumerating drives for collection; treat the label as a heuristic, not a verdict.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09b3a5ca1a712d390.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09b3a5ca1a712d390.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Roaming\3402366.exe
      "C:\Users\Admin\AppData\Roaming\3402366.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1464
    • C:\Users\Admin\AppData\Roaming\8293680.exe
      "C:\Users\Admin\AppData\Roaming\8293680.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Users\Admin\AppData\Roaming\7734100.exe
      "C:\Users\Admin\AppData\Roaming\7734100.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Users\Admin\AppData\Roaming\6920440.exe
      "C:\Users\Admin\AppData\Roaming\6920440.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:548
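The process tree and Downloads hashes above are enough to write a first-pass hunting rule set. The following is an added example written for this page, not sandbox output or RedLine's own code: it turns the report's file hashes, the dropper-to-%AppData% spawn pattern, the WinHoster.exe persistence copy and the Run key write into matching rules and runs them over Sysmon-style JSON events. The event lines, the PIDs attached to them, the Run key value name "WinHost" and the generic root-certificate-store rule (the page does not say which certificate was installed) are constructed for illustration.

```python
"""Triage helper: apply this report's IOCs and behavioural patterns to
Sysmon-style JSON events. Added example, not part of the sandbox report.
Hashes and paths come from the Downloads/Processes sections; the sample
events at the bottom are constructed."""
import json
import re

# --- File hashes copied from the report's Downloads section -------------------
IOC_HASHES = {
    # 3402366.exe
    "40b56ffaf0b24fee5bde1e1fb7212f2f",
    "ba5948f06bde7c7a92f5823ec7dfd748d336b5b0",
    "874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf",
    # 6920440.exe and its persistence copy WinHoster.exe (identical hashes)
    "a20e32791806c7b29070b95226b0e480",
    "8f2bac75ffabbe45770076047ded99f243622e5f",
    "df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146",
    # 7734100.exe
    "77172e261caaf310b7f2e68fe5ca0012",
    "f7656bed5475b06379898d3a7abac8bbfa41671f",
    "bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d",
    # 8293680.exe
    "ff722d7588cb426273a38d99bab58e16",
    "7a0bdf89467f0296980c3e7b3cebdf2a18d00808",
    "6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056",
}

# --- Behavioural patterns taken from the Processes section --------------------
# All paths are lower-cased before matching, so the patterns are lower-case.
DROPPER_RE = re.compile(r"\\appdata\\local\\temp\\setup_installer\\[^\\]+\.exe$")
NUMERIC_DROP_RE = re.compile(r"\\appdata\\roaming\\\d{7}\.exe$")   # 3402366.exe etc.
WINHOSTER_RE = re.compile(r"\\appdata\\roaming\\winhost\\winhoster\.exe$")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\")
# Assumed generic check for "Modifies system certificate store" (v6 T1130):
# a write of a 40-hex thumbprint under the machine ROOT store.
ROOT_STORE_RE = re.compile(r"\\systemcertificates\\root\\certificates\\[0-9a-f]{40}")


def _norm(path):
    """Strip the quoting seen in the report's command lines and lower-case."""
    return path.strip('"').lower()


def evaluate(event):
    """Return the rule names an event triggers, in a fixed order (empty if clean)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image = _norm(event.get("image", ""))
        parent = _norm(event.get("parent_image", ""))
        # Hash match is case-insensitive and algorithm-agnostic.
        if any(h.lower() in IOC_HASHES for h in event.get("hashes", {}).values()):
            hits.append("known_hash")
        # Dropper in %TEMP%\setup_installer spawning a 7-digit EXE in %APPDATA%.
        if NUMERIC_DROP_RE.search(image) and DROPPER_RE.search(parent):
            hits.append("dropper_spawns_numeric_exe")
        if WINHOSTER_RE.search(image):
            hits.append("winhoster_execution")
    elif kind == "registry_set":
        key = _norm(event.get("key", ""))
        data = _norm(event.get("data", ""))
        # Run key pointing at either the numeric drop or the WinHoster copy.
        if RUN_KEY_RE.search(key) and (WINHOSTER_RE.search(data) or NUMERIC_DROP_RE.search(data)):
            hits.append("run_key_persistence")
        if ROOT_STORE_RE.search(key):
            hits.append("root_store_modified")
    return hits


def scan(lines):
    """Evaluate each non-empty JSON line; return [(event id, hits)] for matches only."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = evaluate(ev)
        if hits:
            findings.append((ev.get("id"), hits))
    return findings


# Constructed sample events (not sandbox output); PIDs mirror the report's tree.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process_create", "pid": 1632, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\setup_installer\\Wed09b3a5ca1a712d390.exe", "parent_image": "C:\\Windows\\explorer.exe", "hashes": {}}
{"id": 2, "type": "process_create", "pid": 1544, "image": "C:\\Users\\Admin\\AppData\\Roaming\\6920440.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\setup_installer\\Wed09b3a5ca1a712d390.exe", "hashes": {"SHA256": "DF24005D51E393ED322BBF354C31485DAB121AE0A445A754E08BB7912D9CD146"}}
{"id": 3, "type": "registry_set", "pid": 1544, "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinHost", "data": "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"}
{"id": 4, "type": "process_create", "pid": 548, "image": "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Roaming\\6920440.exe", "hashes": {"MD5": "a20e32791806c7b29070b95226b0e480"}}
{"id": 5, "type": "process_create", "pid": 4242, "image": "C:\\Program Files\\Vendor\\updater.exe", "parent_image": "C:\\Windows\\explorer.exe", "hashes": {"SHA256": "0000000000000000000000000000000000000000000000000000000000000000"}}
"""

if __name__ == "__main__":
    for ev_id, hits in scan(SAMPLE_EVENTS.splitlines()):
        print(f"event {ev_id}: {', '.join(hits)}")
```

The hash set is the brittle part of the rule set (a recompiled dropper changes every hash); the three behavioural rules are what survive, and the Run key rule is the one worth keeping in production because the WinHost\WinHoster.exe path doubles as the persistence artifact to remove.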

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                               ID      Count
  Persistence          Registry Run Keys / Startup Folder      T1060   1
  Defense Evasion      Modify Registry                         T1112   2
  Defense Evasion      Install Root Certificate                T1130   1
  Credential Access    Credentials in Files                    T1081   2
  Discovery            Query Registry                          T1012   1
  Discovery            System Information Discovery            T1082   1
  Collection           Data from Local System                  T1005   2
  Command and Control  Web Service                             T1102   1

  Count is the number of signatures mapped to each technique. The IDs are ATT&CK v6 IDs; in the current ATT&CK matrix T1060 is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1130 is T1553.004 (Subvert Trust Controls: Install Root Certificate) and T1081 is T1552.001 (Unsecured Credentials: Credentials in Files).

Downloads

Note that WinHoster.exe carries exactly the same MD5, SHA1, SHA256 and SHA512 as 6920440.exe: the dropped 6920440.exe copies itself to %AppData%\WinHost\WinHoster.exe and registers that copy for startup (see the "Adds Run key to start application" behaviour on PID 1544 above), so both paths should be removed together.

  • C:\Users\Admin\AppData\Roaming\3402366.exe
    MD5

    40b56ffaf0b24fee5bde1e1fb7212f2f

    SHA1

    ba5948f06bde7c7a92f5823ec7dfd748d336b5b0

    SHA256

    874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf

    SHA512

    fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03

  • C:\Users\Admin\AppData\Roaming\6920440.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

  • C:\Users\Admin\AppData\Roaming\7734100.exe
    MD5

    77172e261caaf310b7f2e68fe5ca0012

    SHA1

    f7656bed5475b06379898d3a7abac8bbfa41671f

    SHA256

    bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d

    SHA512

    34b06f9825e8ea3ad69efe8fcbea34770df871a88e4a715de384f20afbcd0990052de582a6c6c3538f7de1616e4d569c21dc2f0cbc75bd1a988aa8495cebd3fc

  • C:\Users\Admin\AppData\Roaming\8293680.exe
    MD5

    ff722d7588cb426273a38d99bab58e16

    SHA1

    7a0bdf89467f0296980c3e7b3cebdf2a18d00808

    SHA256

    6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056

    SHA512

    0d97b46e0451e09901b57ea4e132b9b7e1f8e78d3edf961218fab0043abdb1c063301f51ad77e06cd4805ec9b5842c74c5f0a5d8bf82d3ae2371ea5d286c4693

  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

  • \Users\Admin\AppData\Roaming\3402366.exe
    MD5

    40b56ffaf0b24fee5bde1e1fb7212f2f

    SHA1

    ba5948f06bde7c7a92f5823ec7dfd748d336b5b0

    SHA256

    874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf

    SHA512

    fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03

  • \Users\Admin\AppData\Roaming\6920440.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

  • \Users\Admin\AppData\Roaming\7734100.exe
    MD5

    77172e261caaf310b7f2e68fe5ca0012

    SHA1

    f7656bed5475b06379898d3a7abac8bbfa41671f

    SHA256

    bd84d36b0ef7d50d628018a588c13acc143339dc4443bc21dfb55bce5a4a260d

    SHA512

    34b06f9825e8ea3ad69efe8fcbea34770df871a88e4a715de384f20afbcd0990052de582a6c6c3538f7de1616e4d569c21dc2f0cbc75bd1a988aa8495cebd3fc

  • \Users\Admin\AppData\Roaming\8293680.exe
    MD5

    ff722d7588cb426273a38d99bab58e16

    SHA1

    7a0bdf89467f0296980c3e7b3cebdf2a18d00808

    SHA256

    6a85aa395bafcc389c947aca9a23bcdd4a665d0420b46d1a8785e404e0486056

    SHA512

    0d97b46e0451e09901b57ea4e132b9b7e1f8e78d3edf961218fab0043abdb1c063301f51ad77e06cd4805ec9b5842c74c5f0a5d8bf82d3ae2371ea5d286c4693

  • \Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

  Memory dumps (region size in parentheses; mapping.dmp entries carry no size):

  • memory/548-92-0x0000000000000000-mapping.dmp
  • memory/548-95-0x0000000000B30000-0x0000000000B31000-memory.dmp (4KB)
  • memory/548-98-0x0000000002060000-0x0000000002061000-memory.dmp (4KB)
  • memory/1088-67-0x0000000000000000-mapping.dmp
  • memory/1088-73-0x0000000000510000-0x000000000054B000-memory.dmp (236KB)
  • memory/1088-70-0x0000000000FB0000-0x0000000000FB1000-memory.dmp (4KB)
  • memory/1088-82-0x0000000000D10000-0x0000000000D11000-memory.dmp (4KB)
  • memory/1464-72-0x0000000004740000-0x0000000004741000-memory.dmp (4KB)
  • memory/1464-60-0x0000000000000000-mapping.dmp
  • memory/1464-65-0x00000000003C0000-0x00000000003E5000-memory.dmp (148KB)
  • memory/1464-63-0x0000000001270000-0x0000000001271000-memory.dmp (4KB)
  • memory/1544-89-0x0000000000200000-0x0000000000201000-memory.dmp (4KB)
  • memory/1544-87-0x0000000000A20000-0x0000000000A21000-memory.dmp (4KB)
  • memory/1544-90-0x0000000000480000-0x0000000000481000-memory.dmp (4KB)
  • memory/1544-84-0x0000000000000000-mapping.dmp
  • memory/1632-57-0x0000000000450000-0x0000000000451000-memory.dmp (4KB)
  • memory/1632-58-0x0000000000470000-0x0000000000471000-memory.dmp (4KB)
  • memory/1632-55-0x0000000000EF0000-0x0000000000EF1000-memory.dmp (4KB)
  • memory/1656-81-0x0000000004A30000-0x0000000004A31000-memory.dmp (4KB)
  • memory/1656-80-0x0000000000380000-0x00000000003BB000-memory.dmp (236KB)
  • memory/1656-78-0x0000000000F40000-0x0000000000F41000-memory.dmp (4KB)
  • memory/1656-75-0x0000000000000000-mapping.dmp

  The two 236KB regions (PID 1088, 8293680.exe, and PID 1656, 7734100.exe) and the 148KB region in PID 1464 (3402366.exe) are the only dumps larger than a single page and are the natural first candidates to carve when looking for the unpacked RedLine payload; the 4KB dumps are single pages and rarely contain a usable PE.