Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-12-2021 12:08

General

  • Target

    99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe

  • Size

    529KB

  • MD5

    69b0537aa7c938d286c62da1aa9565a7

  • SHA1

    b6346d3e607b1b14f33422856dc0fc6ad9315041

  • SHA256

    99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b

  • SHA512

    bda8565e1c8655cefcc3fb82bee676999625c065f86be475e6461be30a7fe07f58fce43f41fc816d9fe4607ec73963c38a0c87df5ce05e3d138d64e1d0404fb6

Malware Config

Extracted

Family

redline

Botnet

777

C2

93.115.20.139:28978

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
    "C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
      C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
      2⤵
        PID:2512
      • C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
        C:\Users\Admin\AppData\Local\Temp\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe
        2⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        PID:3620
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2124
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:500
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3568
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4052
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:2644

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Collection

    Data from Local System

    2
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\99ef3dc9e708cb30d6d7b6c820a3ba531f6df1c80850394c69c1fdd82629fb4b.exe.log
      MD5

      41fbed686f5700fc29aaccf83e8ba7fd

      SHA1

      5271bc29538f11e42a3b600c8dc727186e912456

      SHA256

      df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

      SHA512

      234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

    • memory/2460-120-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
      Filesize

      4KB

    • memory/2460-118-0x0000000000F90000-0x0000000000F91000-memory.dmp
      Filesize

      4KB

    • memory/2460-115-0x0000000000550000-0x0000000000551000-memory.dmp
      Filesize

      4KB

    • memory/2460-119-0x0000000004E20000-0x0000000004E21000-memory.dmp
      Filesize

      4KB

    • memory/2460-121-0x0000000005670000-0x0000000005671000-memory.dmp
      Filesize

      4KB

    • memory/2460-117-0x0000000004F80000-0x0000000004F81000-memory.dmp
      Filesize

      4KB

    • memory/3620-122-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

    • memory/3620-123-0x0000000000418FBE-mapping.dmp
    • memory/3620-139-0x0000000007040000-0x0000000007041000-memory.dmp
      Filesize

      4KB

    • memory/3620-129-0x0000000005020000-0x0000000005021000-memory.dmp
      Filesize

      4KB

    • memory/3620-128-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
      Filesize

      4KB

    • memory/3620-130-0x0000000004F50000-0x0000000004F51000-memory.dmp
      Filesize

      4KB

    • memory/3620-131-0x0000000004F90000-0x0000000004F91000-memory.dmp
      Filesize

      4KB

    • memory/3620-132-0x0000000004ED0000-0x00000000054D6000-memory.dmp
      Filesize

      6.0MB

    • memory/3620-134-0x0000000005350000-0x0000000005351000-memory.dmp
      Filesize

      4KB

    • memory/3620-137-0x0000000005E80000-0x0000000005E81000-memory.dmp
      Filesize

      4KB

    • memory/3620-138-0x0000000006940000-0x0000000006941000-memory.dmp
      Filesize

      4KB

    • memory/3620-127-0x00000000054E0000-0x00000000054E1000-memory.dmp
      Filesize

      4KB