Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 31-10-2021 20:21
Static task: static1
Behavioral task: behavioral1
- Sample: Sun03e4aeb7e43a1c.exe
- Resource: win7-en-20211014
General
- Target: Sun03e4aeb7e43a1c.exe
- Size: 309KB
- MD5: a8261f626a6e743ee0ce9abe3da429a1
- SHA1: c12339c5bf0f1867c3ffbfb6bfe24feb12748078
- SHA256: d0f0261c323ff82079ce60fb591082b69f97c3106315e6017d03b800b65894fe
- SHA512: 64542e73edfa809f916784ce13b90284877380becd52d9401b1c17fe3cc9991498597e5f869701df905119780e46654c83c09993bf3e277cb110637225cb112a
Malware Config
Extracted
- Family: redline
- Botnet: SomeBody
- C2: 185.215.113.29:36224
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4440-129-0x0000000002230000-0x000000000224C000-memory.dmp | family_redline
  behavioral2/memory/4440-131-0x0000000002440000-0x000000000245B000-memory.dmp | family_redline
-
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  4280 | 8791348868.exe
  4440 | 5892765361.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  25   | freegeoip.app
  27   | freegeoip.app
  28   | freegeoip.app
  32   | freegeoip.app
-
autoit_exe (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\8791348868.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\8791348868.exe | autoit_exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill (1 IoCs)
Processes:
  pid  | process
  2684 | taskkill.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 4440 | 5892765361.exe
  Token: SeDebugPrivilege | 2684 | taskkill.exe
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                      | pid  | process               | target process
  PID 1424 wrote to memory of 4052 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 1424 wrote to memory of 4052 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 1424 wrote to memory of 4052 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 4052 wrote to memory of 4280 | 4052 | cmd.exe               | 8791348868.exe
  PID 4052 wrote to memory of 4280 | 4052 | cmd.exe               | 8791348868.exe
  PID 4052 wrote to memory of 4280 | 4052 | cmd.exe               | 8791348868.exe
  PID 1424 wrote to memory of 4244 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 1424 wrote to memory of 4244 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 1424 wrote to memory of 4244 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 4244 wrote to memory of 4440 | 4244 | cmd.exe               | 5892765361.exe
  PID 4244 wrote to memory of 4440 | 4244 | cmd.exe               | 5892765361.exe
  PID 4244 wrote to memory of 4440 | 4244 | cmd.exe               | 5892765361.exe
  PID 1424 wrote to memory of 2388 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 1424 wrote to memory of 2388 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 1424 wrote to memory of 2388 | 1424 | Sun03e4aeb7e43a1c.exe | cmd.exe
  PID 2388 wrote to memory of 2684 | 2388 | cmd.exe               | taskkill.exe
  PID 2388 wrote to memory of 2684 | 2388 | cmd.exe               | taskkill.exe
  PID 2388 wrote to memory of 2684 | 2388 | cmd.exe               | taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe"
  signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8791348868.exe"
    signature: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\8791348868.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8791348868.exe"
      signature: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\5892765361.exe"
    signature: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\5892765361.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5892765361.exe"
      signature: Executes dropped EXE
      signature: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun03e4aeb7e43a1c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe" & exit
    signature: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /im "Sun03e4aeb7e43a1c.exe" /f
      signature: Kills process with taskkill
      signature: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5892765361.exe
  MD5: c8a54178bca548e62bc755b59eaac4d2
  SHA1: fd6820252e4717ee0607da991904b7a2b96d5a8c
  SHA256: 1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3
  SHA512: acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b
- C:\Users\Admin\AppData\Local\Temp\8791348868.exe
  MD5: 0316a4971affb23ccf2cfa83d0de9392
  SHA1: 74f2661e497b2079981447666a4fc71ede4e1774
  SHA256: 455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288
  SHA512: 673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20
- memory/1424-116-0x0000000000460000-0x00000000005AA000-memory.dmp
  Filesize: 1.3MB
- memory/1424-117-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/1424-115-0x00000000001C0000-0x00000000001E9000-memory.dmp
  Filesize: 164KB
- memory/2388-147-0x0000000000000000-mapping.dmp
- memory/2684-148-0x0000000000000000-mapping.dmp
- memory/4052-118-0x0000000000000000-mapping.dmp
- memory/4244-121-0x0000000000000000-mapping.dmp
- memory/4280-119-0x0000000000000000-mapping.dmp
- memory/4440-131-0x0000000002440000-0x000000000245B000-memory.dmp
  Filesize: 108KB
- memory/4440-137-0x0000000004CD3000-0x0000000004CD4000-memory.dmp
  Filesize: 4KB
- memory/4440-129-0x0000000002230000-0x000000000224C000-memory.dmp
  Filesize: 112KB
- memory/4440-130-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
  Filesize: 4KB
- memory/4440-127-0x0000000000590000-0x00000000006DA000-memory.dmp
  Filesize: 1.3MB
- memory/4440-132-0x00000000051E0000-0x00000000051E1000-memory.dmp
  Filesize: 4KB
- memory/4440-133-0x0000000002600000-0x0000000002601000-memory.dmp
  Filesize: 4KB
- memory/4440-134-0x0000000004B10000-0x0000000004B11000-memory.dmp
  Filesize: 4KB
- memory/4440-136-0x0000000004CD2000-0x0000000004CD3000-memory.dmp
  Filesize: 4KB
- memory/4440-135-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
  Filesize: 4KB
- memory/4440-138-0x0000000004CD4000-0x0000000004CD6000-memory.dmp
  Filesize: 8KB
- memory/4440-128-0x0000000000400000-0x000000000044D000-memory.dmp
  Filesize: 308KB
- memory/4440-139-0x0000000002630000-0x0000000002631000-memory.dmp
  Filesize: 4KB
- memory/4440-140-0x0000000004C20000-0x0000000004C21000-memory.dmp
  Filesize: 4KB
- memory/4440-141-0x00000000058C0000-0x00000000058C1000-memory.dmp
  Filesize: 4KB
- memory/4440-142-0x00000000060D0000-0x00000000060D1000-memory.dmp
  Filesize: 4KB
- memory/4440-143-0x0000000006150000-0x0000000006151000-memory.dmp
  Filesize: 4KB
- memory/4440-144-0x0000000006230000-0x0000000006231000-memory.dmp
  Filesize: 4KB
- memory/4440-145-0x00000000063C0000-0x00000000063C1000-memory.dmp
  Filesize: 4KB
- memory/4440-146-0x00000000065E0000-0x00000000065E1000-memory.dmp
  Filesize: 4KB
- memory/4440-126-0x0000000000590000-0x00000000006DA000-memory.dmp
  Filesize: 1.3MB
- memory/4440-122-0x0000000000000000-mapping.dmp