Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    31-10-2021 20:21

General

  • Target

    Sun03e4aeb7e43a1c.exe

  • Size

    309KB

  • MD5

    a8261f626a6e743ee0ce9abe3da429a1

  • SHA1

    c12339c5bf0f1867c3ffbfb6bfe24feb12748078

  • SHA256

    d0f0261c323ff82079ce60fb591082b69f97c3106315e6017d03b800b65894fe

  • SHA512

    64542e73edfa809f916784ce13b90284877380becd52d9401b1c17fe3cc9991498597e5f869701df905119780e46654c83c09993bf3e277cb110637225cb112a

Malware Config

Extracted

Family

redline

Botnet

SomeBody

C2

185.215.113.29:36224

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • autoit_exe 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe
    "C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2643552399.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\2643552399.exe
        "C:\Users\Admin\AppData\Local\Temp\2643552399.exe"
        3⤵
        • Executes dropped EXE
        PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0759435491.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Users\Admin\AppData\Local\Temp\0759435491.exe
        "C:\Users\Admin\AppData\Local\Temp\0759435491.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun03e4aeb7e43a1c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "Sun03e4aeb7e43a1c.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0759435491.exe
    MD5

    c8a54178bca548e62bc755b59eaac4d2

    SHA1

    fd6820252e4717ee0607da991904b7a2b96d5a8c

    SHA256

    1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

    SHA512

    acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

  • C:\Users\Admin\AppData\Local\Temp\0759435491.exe
    MD5

    c8a54178bca548e62bc755b59eaac4d2

    SHA1

    fd6820252e4717ee0607da991904b7a2b96d5a8c

    SHA256

    1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

    SHA512

    acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

  • C:\Users\Admin\AppData\Local\Temp\2643552399.exe
    MD5

    0316a4971affb23ccf2cfa83d0de9392

    SHA1

    74f2661e497b2079981447666a4fc71ede4e1774

    SHA256

    455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

    SHA512

    673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

  • C:\Users\Admin\AppData\Local\Temp\2643552399.exe
    MD5

    0316a4971affb23ccf2cfa83d0de9392

    SHA1

    74f2661e497b2079981447666a4fc71ede4e1774

    SHA256

    455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

    SHA512

    673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

  • \Users\Admin\AppData\Local\Temp\0759435491.exe
    MD5

    c8a54178bca548e62bc755b59eaac4d2

    SHA1

    fd6820252e4717ee0607da991904b7a2b96d5a8c

    SHA256

    1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

    SHA512

    acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

  • \Users\Admin\AppData\Local\Temp\0759435491.exe
    MD5

    c8a54178bca548e62bc755b59eaac4d2

    SHA1

    fd6820252e4717ee0607da991904b7a2b96d5a8c

    SHA256

    1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

    SHA512

    acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

  • \Users\Admin\AppData\Local\Temp\2643552399.exe
    MD5

    0316a4971affb23ccf2cfa83d0de9392

    SHA1

    74f2661e497b2079981447666a4fc71ede4e1774

    SHA256

    455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

    SHA512

    673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

  • memory/432-81-0x0000000000000000-mapping.dmp
  • memory/780-59-0x0000000000000000-mapping.dmp
  • memory/964-65-0x0000000000000000-mapping.dmp
  • memory/1096-62-0x0000000000000000-mapping.dmp
  • memory/1612-80-0x0000000000000000-mapping.dmp
  • memory/1804-77-0x0000000001FD0000-0x0000000001FEB000-memory.dmp
    Filesize

    108KB

  • memory/1804-73-0x0000000001BD0000-0x0000000001C00000-memory.dmp
    Filesize

    192KB

  • memory/1804-79-0x0000000004994000-0x0000000004996000-memory.dmp
    Filesize

    8KB

  • memory/1804-71-0x0000000001EF0000-0x0000000001F0C000-memory.dmp
    Filesize

    112KB

  • memory/1804-74-0x0000000000400000-0x000000000044D000-memory.dmp
    Filesize

    308KB

  • memory/1804-75-0x0000000004991000-0x0000000004992000-memory.dmp
    Filesize

    4KB

  • memory/1804-76-0x0000000004992000-0x0000000004993000-memory.dmp
    Filesize

    4KB

  • memory/1804-69-0x0000000000000000-mapping.dmp
  • memory/1804-72-0x00000000005E0000-0x0000000000602000-memory.dmp
    Filesize

    136KB

  • memory/1804-78-0x0000000004993000-0x0000000004994000-memory.dmp
    Filesize

    4KB

  • memory/1932-55-0x0000000075901000-0x0000000075903000-memory.dmp
    Filesize

    8KB

  • memory/1932-56-0x00000000003C0000-0x00000000003E9000-memory.dmp
    Filesize

    164KB

  • memory/1932-57-0x0000000000460000-0x00000000004AA000-memory.dmp
    Filesize

    296KB

  • memory/1932-58-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize

    352KB