Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 02-12-2021 16:05

Static task: static1
Behavioral task: behavioral1
Sample: 8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe
Resource: win10-en-20211104
General
- Target: 8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe
- Size: 64KB
- MD5: f1e1f1d8e5f3c49ef8823a2e51457219
- SHA1: 6fb928baac53cae00942d28a01cfbcb8758ad9cc
- SHA256: 8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80
- SHA512: ce9503dfada23ea8b6560e30a27969db6791f4b70eadd9f6acd8950eb0439467bfe7f38cbee0c9c5e50a513f59538ea5e2b6f893b40e126067d0e66ff357c913
Malware Config
Extracted: redline
- CRYPT - 42134$
- 185.209.28.55:2237
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (1 IoC)
  Processes:
  resource                                                                       yara_rule
  behavioral1/memory/2708-120-0x0000000004B60000-0x0000000004B79000-memory.dmp  family_redline

- XMRig Miner Payload (3 IoCs)
  Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1760-157-0x0000000140000000-0x0000000140787000-memory.dmp  xmrig
  behavioral1/memory/1760-159-0x0000000140310068-mapping.dmp                     xmrig
  behavioral1/memory/1760-161-0x0000000140000000-0x0000000140787000-memory.dmp  xmrig

- Downloads MZ/PE file

- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  1500  Trinilogi.exe
  3088  runtimebroker64x.exe
  1456  sihost64.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process               target process
  PID 3088 set thread context of 1760  3088  runtimebroker64x.exe  explorer.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated identical entries collapsed):
  pid   process
  2708  8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe
  1500  Trinilogi.exe
  3088  runtimebroker64x.exe
  1760  explorer.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description                   pid   process
  Token: SeDebugPrivilege       2708  8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe
  Token: SeDebugPrivilege       1500  Trinilogi.exe
  Token: SeDebugPrivilege       3088  runtimebroker64x.exe
  Token: SeLockMemoryPrivilege  1760  explorer.exe
  Token: SeLockMemoryPrivilege  1760  explorer.exe

- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (repeated identical entries collapsed):
  description                       pid   process                                                                 target process
  PID 2708 wrote to memory of 1500  2708  8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe  Trinilogi.exe
  PID 1500 wrote to memory of 3972  1500  Trinilogi.exe                                                           cmd.exe
  PID 3972 wrote to memory of 688   3972  cmd.exe                                                                 schtasks.exe
  PID 1500 wrote to memory of 1356  1500  Trinilogi.exe                                                           cmd.exe
  PID 1356 wrote to memory of 3088  1356  cmd.exe                                                                 runtimebroker64x.exe
  PID 3088 wrote to memory of 1456  3088  runtimebroker64x.exe                                                    sihost64.exe
  PID 3088 wrote to memory of 1760  3088  runtimebroker64x.exe                                                    explorer.exe
Processes (indentation shows parent/child depth; depth number in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8325d53e1e1702d9432c67aae6369f46abf9a26f0556d20cb0a04a7040b1ca80.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Trinilogi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trinilogi.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimebroker64x" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "runtimebroker64x" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
          - Creates scheduled task(s)

    [3] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
          Command line: C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
            - Executes dropped EXE

        [5] C:\Windows\explorer.exe
            Command line: C:\Windows\explorer.exe bsjqdsgfph1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWSp0aN2gplT4NdxBcWRue+M1Jpa0OJpGvqnNi/CnIRVBtwYcUcBsTgJlURiqnaO0woILJyz0/0D0hJDZynRQ08qFq5P7/mbUB8II5CjRnh9NHfqCnnlw3RFcA8Z2LbiFadHSPio9cwS2aQjdkPVHBZAKU2n9xqm7rcBx5TMMAyEjRsdDYLMfmxpPDS7CwfGIxZjlwbzdxRwQIMxNxbs51UKMXSMHHCcOx+8aW4ZlO8qkDAH3hfPQAc0kllEA2DI5VL1XJgHoZtXYR1kI83nuYGjD9EAoHG29TcNPUPSC06OX+ik6/te/jCtGrEUOkA6mMzzArmAi3dt62G9e0ZRNwbPMxstE0K7SVu2ZKFLBIR5r1WoiVpBdcmeO4s0+5L8WnjvesBddnCVrPjdOU21U+MA==
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\Trinilogi.exe
  MD5: 728f38d39c035cd7908cac6c22cb3f46
  SHA1: 55d9caf8c3e95a66bc57cd3e6732ec871792badd
  SHA256: 09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37
  SHA512: 12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4

- C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe (hashes identical to Trinilogi.exe)
  MD5: 728f38d39c035cd7908cac6c22cb3f46
  SHA1: 55d9caf8c3e95a66bc57cd3e6732ec871792badd
  SHA256: 09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37
  SHA512: 12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4

- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  MD5: 9ffb415e287a7ae2f14ab0c7387b2b1d
  SHA1: b4f83a40c8d02012ca97d04f68d6c26381c32da6
  SHA256: 06328631b2b0a279cc61136ac7e3e0d98cd5acff70013c1b41781504c21a2957
  SHA512: 7ccf979d4ca65589049067fdd5f01a53a2f90f7174b5d9df62aa1f3b601844a26e9bca9cb940d1f87b3fafb754a5adf2b73afee727a129e9dc133f740dc7ed4a