Analysis
max time kernel: 144s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211104
submitted: 09-11-2021 13:16
Static task: static1
Behavioral task: behavioral1
Sample: ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
Resource: win10-en-20211104
General
Target: ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
Size: 656KB
MD5: 3809f4a381c0f6da1c9bcecf01c66684
SHA1: 5c157fd28ba9fe3a0841beb8ed912e550a67ce89
SHA256: ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae
SHA512: 2bd22a895c8556644d773821a341901144bb8152a21cd3022ed88910515761baaf1281284db937534863491655a51c909eea458051ce10e42b94a92a641b0a5c
Malware Config
Extracted
Family: redline
Botnet: 09.11
C2: 185.215.113.17:7700
The C2 address and port are the actionable network IoCs from this run; the botnet string is the campaign identifier carried in the sample's configuration.
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
resource | yara_rule
behavioral1/memory/4220-124-0x00000000023D0000-0x00000000023FE000-memory.dmp | family_redline
behavioral1/memory/4220-132-0x0000000002490000-0x00000000024BC000-memory.dmp | family_redline
Both matches are against memory of the dropped child process (PID 4220, dipster.exe), not the 656KB submitted file; the family signature therefore depends on letting the sample run and unpack.
Downloads MZ/PE file

Executes dropped EXE 1 IoCs
pid | process
4220 | dipster.exe
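The "Downloads MZ/PE file" signature above is a content check on a fetched body. The block below is an added example (not sandbox code and not from this report) of that check in Python: it validates the DOS header, e_lfanew and the PE signature instead of trusting a leading "MZ", and classifies a few bodies. The bodies, including the minimal PE assembled with struct, are constructed inputs.

```python
"""Content-based check for an executable in a downloaded body.

Added example, not part of the sandbox report. Sample bodies are constructed
here (a minimal PE header built with struct), not the file the sandbox saw.
"""
import struct
from typing import Dict, Optional

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def pe_header_info(data: bytes) -> Optional[Dict[str, int]]:
    """Return COFF header fields if data is a PE image, else None.

    "MZ" alone is not enough: the DOS header must carry an e_lfanew that
    lands inside the buffer on a "PE\\0\\0" signature followed by a full
    20-byte COFF header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):          # PE signature (4) + COFF header (20)
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "optional_header_size": opt_size, "characteristics": chars}


def classify_download(body: bytes) -> str:
    """Classify a response body by content only; the advertised Content-Type is ignored."""
    info = pe_header_info(body)
    if info is None:
        return "mz-no-pe" if body[:2] == b"MZ" else "other"
    if info["characteristics"] & IMAGE_FILE_DLL:
        return "pe-dll"
    return "pe-exe"


def build_minimal_pe(machine: int = IMAGE_FILE_MACHINE_I386,
                     characteristics: int = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE) -> bytes:
    """Constructed input: DOS header, PE signature, COFF header, zeroed optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0)


# Constructed bodies: an HTML page, a buffer that merely starts with "MZ"
# (e_lfanew points far outside the buffer), and two well-formed headers.
SAMPLES: Dict[str, bytes] = {
    "html": b"<html><body>not a download</body></html>",
    "mz_only": b"MZ" + bytes(0x3A) + struct.pack("<I", 0xFFFFFFF0) + b"garbage",
    "exe": build_minimal_pe(),
    "dll": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
}


def classify_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    return {name: classify_download(body) for name, body in samples.items()}
```

Classifying by content rather than by Content-Type or extension is what makes this useful on a proxy or in a sandbox: a loader that fetches its second stage as "text/plain" or with a .jpg name still shows up.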
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an infostealer such as RedLine, drive enumeration is also consistent with locating files to collect, so treat it as a weak indicator on its own.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
ProcessorNameString is also read by plenty of legitimate installers and telemetry, so this is low-fidelity alone; it gains weight combined with the process tree below.
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | process
Token: SeDebugPrivilege | 4220 | dipster.exe

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | process | target process
PID 3584 wrote to memory of 4220 | 3584 | ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe | dipster.exe
PID 3584 wrote to memory of 4220 | 3584 | ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe | dipster.exe
PID 3584 wrote to memory of 4220 | 3584 | ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe | dipster.exe
All three writes go from the submitted sample (PID 3584) into the child it spawned (PID 4220).
Processes
1. C:\Users\Admin\AppData\Local\Temp\ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe (PID 3584)
   command line: "C:\Users\Admin\AppData\Local\Temp\ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\warmded\dipster.exe (PID 4220, spawned by 1)
      command line: dipster.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
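The process tree and the signature tables above describe a chain (a sample in %TEMP% spawning an executable from a fresh %APPDATA%\Roaming subfolder, writing into it, and the child enabling SeDebugPrivilege) that translates directly into host detection rules. The block below is an added example, not sandbox output and not RedLine code: it runs such rules over constructed telemetry and correlates parent and child hits into one alert. Field names borrow from Sysmon (EventID 1 process create, EventID 10 process access) and Windows Security auditing (4703 privilege adjusted, 4663 object access); the values mirror the report's PIDs and paths, while the parent of PID 3584, the PID 900 noise process and the 4663 record (which only exists in real logs if a SACL is set on the key) are assumptions.

```python
"""Detection rules for the report's process tree, run over constructed telemetry.

Added example; records below are constructed, not real log lines. Field names
follow Sysmon (EventID 1, 10) and Windows Security auditing (4703, 4663).
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\warmded\dipster.exe"
CPU0 = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

EVENTS: List[dict] = [
    {"EventID": 1, "ProcessId": 3584, "Image": SAMPLE,
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},   # parent assumed
    {"EventID": 1, "ProcessId": 4220, "Image": DROPPED, "CommandLine": "dipster.exe",
     "ParentProcessId": 3584, "ParentImage": SAMPLE},
    # PROCESS_ALL_ACCESS handle from parent to child; WriteProcessMemory needs at
    # least PROCESS_VM_WRITE | PROCESS_VM_OPERATION within the granted mask.
    {"EventID": 10, "SourceProcessId": 3584, "SourceImage": SAMPLE,
     "TargetProcessId": 4220, "TargetImage": DROPPED, "GrantedAccess": 0x1FFFFF},
    {"EventID": 4703, "ProcessId": 4220, "ProcessName": DROPPED,
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4663, "ProcessId": 3584, "ProcessName": SAMPLE, "ObjectName": CPU0},
    # Assumed noise: a service under Program Files enabling the same privilege,
    # and a query-only handle open that must not count as a write.
    {"EventID": 4703, "ProcessId": 900, "ProcessName": r"C:\Program Files\Vendor\svc.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Program Files\Vendor\svc.exe",
     "TargetProcessId": 4220, "TargetImage": DROPPED, "GrantedAccess": 0x1000},
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
ROAMING_SUBDIR_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
CPU_KEY = re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I)
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x08, 0x20
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def temp_spawns_roaming(e: dict) -> bool:
    return (e.get("EventID") == 1
            and bool(USER_TEMP.match(e.get("ParentImage", "")))
            and bool(ROAMING_SUBDIR_EXE.match(e.get("Image", ""))))


def vm_write_access(e: dict) -> bool:
    return e.get("EventID") == 10 and (e.get("GrantedAccess", 0) & WRITE_RIGHTS) == WRITE_RIGHTS


def debug_privilege_from_user_dir(e: dict) -> bool:
    return (e.get("EventID") == 4703
            and "SeDebugPrivilege" in e.get("EnabledPrivilegeList", "")
            and bool(USER_PROFILE.match(e.get("ProcessName", ""))))


def cpu_key_read(e: dict) -> bool:
    return e.get("EventID") == 4663 and bool(CPU_KEY.match(e.get("ObjectName", "")))


# rule name -> (predicate, field naming the process the hit is attributed to)
RULES = {
    "temp_spawns_roaming": (temp_spawns_roaming, "ProcessId"),
    "vm_write_access": (vm_write_access, "SourceProcessId"),
    "debug_privilege_from_user_dir": (debug_privilege_from_user_dir, "ProcessId"),
    "cpu_key_read": (cpu_key_read, "ProcessId"),
}


def score_events(events: List[dict]) -> Dict[int, List[str]]:
    """Per-PID list of the rules that fired."""
    hits: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        for name, (pred, pid_field) in RULES.items():
            if pred(e):
                hits[e[pid_field]].append(name)
    return dict(hits)


def correlate(events: List[dict]) -> List[dict]:
    """Join parent and child hits along the spawn edge so one alert covers the chain."""
    hits = score_events(events)
    chains = []
    for e in events:
        if e.get("EventID") == 1 and "temp_spawns_roaming" in hits.get(e["ProcessId"], []):
            combined = set(hits.get(e["ParentProcessId"], [])) | set(hits[e["ProcessId"]])
            chains.append({"parent": e["ParentProcessId"], "child": e["ProcessId"],
                           "hits": sorted(combined)})
    return chains
```

Each rule on its own is noisy (installers spawn from Temp, debuggers enable SeDebugPrivilege); the value is in the join on the parent-child edge, which is exactly what the sandbox's process tree gives you for free and what a SIEM query has to reconstruct from ParentProcessId.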
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\warmded\dipster.exe
MD5: 60c1c744ea8ef33fecca02fc1ed86d87
SHA1: 8c63cb28883d6816e13a4a1da3915233687fb33f
SHA256: 1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc
SHA512: 082e8176ab8648e3427f2fcbc6c472ea47091e14c9062214cc4f3a6b33336e18a8c2c5d48cda0be855b1f9e4d9c06ea90584ee5b8b6381b5cb01f474642b2ea0
Memory dumps (resource | size)
memory/3584-118-0x0000000002E5E000-0x0000000002ECA000-memory.dmp | 432KB
memory/3584-119-0x00000000047F0000-0x00000000048BF000-memory.dmp | 828KB
memory/3584-120-0x0000000000400000-0x0000000002B9D000-memory.dmp | 39.6MB
memory/4220-121-0x0000000000000000-mapping.dmp | (no size)
memory/4220-124-0x00000000023D0000-0x00000000023FE000-memory.dmp | 184KB (family_redline)
memory/4220-125-0x0000000002070000-0x000000000209B000-memory.dmp | 172KB
memory/4220-126-0x00000000020A0000-0x00000000020D9000-memory.dmp | 228KB
memory/4220-127-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
memory/4220-128-0x0000000004B70000-0x0000000004B71000-memory.dmp | 4KB
memory/4220-129-0x0000000004B73000-0x0000000004B74000-memory.dmp | 4KB
memory/4220-130-0x0000000004B72000-0x0000000004B73000-memory.dmp | 4KB
memory/4220-131-0x0000000004B80000-0x0000000004B81000-memory.dmp | 4KB
memory/4220-132-0x0000000002490000-0x00000000024BC000-memory.dmp | 176KB (family_redline)
memory/4220-133-0x0000000005080000-0x0000000005081000-memory.dmp | 4KB
memory/4220-134-0x0000000004AD0000-0x0000000004AD1000-memory.dmp | 4KB
memory/4220-135-0x0000000005690000-0x0000000005691000-memory.dmp | 4KB
memory/4220-136-0x0000000004B74000-0x0000000004B76000-memory.dmp | 8KB
memory/4220-137-0x0000000004B00000-0x0000000004B01000-memory.dmp | 4KB
memory/4220-138-0x00000000057C0000-0x00000000057C1000-memory.dmp | 4KB
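The dump names above encode PID, sequence number and the virtual address range of each region, so the sizes printed next to them can be checked rather than trusted, and the two family_redline hits can be tied back to concrete regions. The block below is an added example (not part of the report and not sandbox code) that parses those names and does both; the entries are a subset copied from the table above, and the tolerance in the size check accounts for the report rounding to three significant figures.

```python
"""Parse sandbox memory-dump artefact names and cross-check the listed sizes.

Added example, not part of the report. REPORTED is a subset copied from the
dump table; the parser, size check and hit mapping are mine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I)
SIZE_RE = re.compile(r"^\s*([0-9.]+)\s*(KB|MB|GB)\s*$")
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def label(self) -> str:          # "4220-124", the form the YARA hit list uses
        return f"{self.pid}-{self.seq}"


def parse_dump_name(name: str) -> Optional[Dump]:
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'; mapping.dmp entries give None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def parse_reported_size(text: str) -> int:
    """Turn the report's '184KB' / '39.6MB' strings into bytes (binary units)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m[1]) * UNITS[m[2]])


REPORTED: List[Tuple[str, Optional[str]]] = [   # subset copied from the report
    ("memory/3584-118-0x0000000002E5E000-0x0000000002ECA000-memory.dmp", "432KB"),
    ("memory/3584-119-0x00000000047F0000-0x00000000048BF000-memory.dmp", "828KB"),
    ("memory/3584-120-0x0000000000400000-0x0000000002B9D000-memory.dmp", "39.6MB"),
    ("memory/4220-121-0x0000000000000000-mapping.dmp", None),
    ("memory/4220-124-0x00000000023D0000-0x00000000023FE000-memory.dmp", "184KB"),
    ("memory/4220-125-0x0000000002070000-0x000000000209B000-memory.dmp", "172KB"),
    ("memory/4220-127-0x0000000000400000-0x0000000000464000-memory.dmp", "400KB"),
    ("memory/4220-132-0x0000000002490000-0x00000000024BC000-memory.dmp", "176KB"),
    ("memory/4220-136-0x0000000004B74000-0x0000000004B76000-memory.dmp", "8KB"),
]
FAMILY_REDLINE_HITS: Set[str] = {"4220-124", "4220-132"}   # from the YARA table above


def _dumps(entries) -> List[Dump]:
    return [d for d in (parse_dump_name(n) for n, _ in entries) if d is not None]


def check_sizes(entries=REPORTED) -> List[str]:
    """Names whose address range disagrees with the size printed next to them."""
    bad = []
    for name, reported in entries:
        d = parse_dump_name(name)
        if d is None or reported is None:
            continue
        want = parse_reported_size(reported)
        if abs(d.size - want) > max(1024, want // 100):   # slack for 3-s.f. rounding
            bad.append(name)
    return bad


def hit_regions(entries=REPORTED, hits=FAMILY_REDLINE_HITS) -> Dict[str, int]:
    """Size in bytes of each dump the family_redline rule matched."""
    return {d.label: d.size for d in _dumps(entries) if d.label in hits}


def image_regions(entries=REPORTED, base=0x400000) -> Dict[int, int]:
    """Per PID, the size of the region starting at the default 32-bit image base."""
    return {d.pid: d.size for d in _dumps(entries) if d.start == base}
```

Running this over the full table shows every listed size agrees with its address range, the two family_redline hits are the 184KB and 176KB heap-range regions of PID 4220, and the region at 0x400000 in PID 3584 is 39.6MB against a 656KB file on disk: the in-memory image of the submitted sample is far larger than the file, which is the kind of discrepancy worth noting before static analysis.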