Analysis
max time kernel: 79s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 15-12-2021 23:43
Static task: static1
General
Target: 7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe
Size: 551KB
MD5: 749f87b58e7faa71de24d4f8487d3c56
SHA1: bf0d6bb93a9b2c25ec8a8fdf831da2ee3630aa7d
SHA256: 7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690
SHA512: dc3cd730b9a5616fa4d261b96d6857947a0342d72008738013fb7fb2981c76139aab6ab6978e05ae880faa02c3e52fb1fc3357b30ccf5afed44f4f3523fd5561
Malware Config
Extracted
Family: redline
Botnet: mix16.12
C2: 185.215.113.70:21508
Signatures

RedLine
RedLine Stealer is an information stealer written in C# (.NET), first seen in early 2020.

RedLine Payload (2 IoCs)
Memory regions matching YARA rule family_redline:
behavioral1/memory/2708-121-0x0000000000E50000-0x0000000000E7E000-memory.dmp
behavioral1/memory/2708-128-0x0000000002A70000-0x0000000002A9D000-memory.dmp

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
PID 2708 neofim.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which can include saved credentials and cookies.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (by 7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (by 7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 2708 neofim.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 2708 neofim.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 2560 (7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe) wrote to memory of PID 2708 (neofim.exe)
PID 2560 (7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe) wrote to memory of PID 2708 (neofim.exe)
PID 2560 (7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe) wrote to memory of PID 2708 (neofim.exe)
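The registry and process signatures above are the kind of thing an API monitor fires on. The following is an added example, not part of this report and not RedLine code, that re-derives them from a constructed API trace. The trace record format, the API names and their order, and the benign explorer.exe line are assumptions; the registry keys, PIDs, image paths, privilege name and the three WriteProcessMemory calls mirror what the report lists.

```python
"""Re-derive this report's registry and process signatures from an API trace.

Added example: not part of the sandbox report and not RedLine's own code. The
trace format (one record per line, space-separated key=value fields) is a
constructed stand-in for a real API monitor; only the matching logic matters.
"""
import re
from collections import defaultdict

# Image paths and PIDs as listed in the report's process tree.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe")
CHILD = r"C:\Users\Admin\AppData\Roaming\neofed\neofim.exe"

# Registry keys from the "Checks processor information" and "Checks installed
# software" signatures.
CPU_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# Constructed trace. API names and their order are assumptions; the keys, PIDs,
# privilege name and the three WriteProcessMemory calls mirror the report.
TRACE = "\n".join([
    f"pid=2560 image={PARENT} api=RegOpenKeyExW key={CPU_KEY}",
    f"pid=2560 image={PARENT} api=RegQueryValueExW key={CPU_KEY} value=ProcessorNameString",
    f"pid=2560 image={PARENT} api=WriteFile path={CHILD}",
    f"pid=2560 image={PARENT} api=CreateProcessW target_image={CHILD} target_pid=2708",
    f"pid=2560 image={PARENT} api=WriteProcessMemory target_pid=2708",
    f"pid=2560 image={PARENT} api=WriteProcessMemory target_pid=2708",
    f"pid=2560 image={PARENT} api=WriteProcessMemory target_pid=2708",
    f"pid=2708 image={CHILD} api=AdjustTokenPrivileges privilege=SeDebugPrivilege",
    f"pid=2708 image={CHILD} api=RegOpenKeyExW key={UNINSTALL_KEY}",
    f"pid=2708 image={CHILD} api=RegEnumKeyExW key={UNINSTALL_KEY}",
    # Benign noise (constructed): explorer reading an unrelated key must not fire.
    r"pid=1234 image=C:\Windows\explorer.exe api=RegOpenKeyExW key=HKCU\Software\Microsoft\Windows",
])

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(trace):
    """Turn the trace into a list of dicts; pid/target_pid become ints."""
    records = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD.findall(line))
        for k in ("pid", "target_pid"):
            if k in rec:
                rec[k] = int(rec[k])
        records.append(rec)
    return records


def match(records):
    """Return ({signature: {pid, ...}}, {(writer_pid, target_pid): count})."""
    hits = defaultdict(set)
    writes = defaultdict(int)
    dropped = set()  # files written by a monitored process (lower-cased paths)
    for r in records:
        pid, api = r["pid"], r.get("api")
        key = r.get("key", "").lower()
        # The sandbox signature keys on the value read, not on the key open.
        if (api == "RegQueryValueExW" and key == CPU_KEY.lower()
                and r.get("value") == "ProcessorNameString"):
            hits["Checks processor information in registry"].add(pid)
        if api in ("RegOpenKeyExW", "RegEnumKeyExW") and key.startswith(UNINSTALL_KEY.lower()):
            hits["Checks installed software on the system"].add(pid)
        if api == "AdjustTokenPrivileges" and r.get("privilege") == "SeDebugPrivilege":
            hits["Suspicious use of AdjustPrivilegeToken"].add(pid)
        if api == "WriteFile":
            dropped.add(r["path"].lower())
        # "Dropped" means: written by a monitored process earlier in the trace.
        if api == "CreateProcessW" and r["target_image"].lower() in dropped:
            hits["Executes dropped EXE"].add(r["target_pid"])
        # Cross-process writes only; a process writing its own memory is normal.
        if api == "WriteProcessMemory" and r["target_pid"] != pid:
            writes[(pid, r["target_pid"])] += 1
            hits["Suspicious use of WriteProcessMemory"].add(pid)
    return dict(hits), dict(writes)


if __name__ == "__main__":
    hits, writes = match(parse(TRACE))
    for name, pids in sorted(hits.items()):
        print(f"{name}: PIDs {sorted(pids)}")
    for (src, dst), n in writes.items():
        print(f"PID {src} wrote to memory of PID {dst} {n} time(s)")
```

Two details worth keeping when porting this to a real monitor: the "Checks processor information" rule fires on the ProcessorNameString value read rather than on the key open, because legitimate software opens CentralProcessor\0 constantly; and "Executes dropped EXE" needs the earlier file write by a monitored process, which is the same correlation the report makes by listing neofim.exe under Downloads. A child simply launched from AppData\Roaming is only a weak hint on its own.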
Processes
1. C:\Users\Admin\AppData\Local\Temp\7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe (PID 2560)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d6762a9187e44646e80e0b866d6389128e2caceb9cadb3e535cf36e615ad690.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\neofed\neofim.exe (PID 2708, child of PID 2560)
      Command line: neofim.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\neofed\neofim.exe
MD5: b55b79a43adaa926c61fcab8dd9270b3
SHA1: 81ab099461595934b47462d0587d0f0c85a24999
SHA256: 50ce76cbce3d9be8c8e7d9595ddfe43118192a1df5644a8ec03a1bcf36029d97
SHA512: f5d10c08e1c3904f885376ad21501cadc4206ebe5e3d3bba46a97cc78745ac1dd07997936771dd07809865438d97767c1c810afcd3f74f8a346b02fb8e554540
memory/2560-115-0x0000000000D40000-0x0000000000DAC000-memory.dmp 432KB
memory/2560-117-0x0000000000400000-0x000000000087B000-memory.dmp 4.5MB
memory/2560-116-0x0000000000E80000-0x0000000000F4E000-memory.dmp 824KB
memory/2708-128-0x0000000002A70000-0x0000000002A9D000-memory.dmp 180KB
memory/2708-131-0x0000000002B70000-0x0000000002B71000-memory.dmp 4KB
memory/2708-122-0x0000000004FF0000-0x0000000004FF1000-memory.dmp 4KB
memory/2708-123-0x0000000000C90000-0x0000000000CBB000-memory.dmp 172KB
memory/2708-124-0x0000000000CF0000-0x0000000000D29000-memory.dmp 228KB
memory/2708-125-0x0000000000400000-0x000000000083B000-memory.dmp 4.2MB
memory/2708-126-0x0000000002B60000-0x0000000002B61000-memory.dmp 4KB
memory/2708-118-0x0000000000000000-mapping.dmp
memory/2708-127-0x0000000002B62000-0x0000000002B63000-memory.dmp 4KB
memory/2708-129-0x0000000002B63000-0x0000000002B64000-memory.dmp 4KB
memory/2708-130-0x00000000054F0000-0x00000000054F1000-memory.dmp 4KB
memory/2708-121-0x0000000000E50000-0x0000000000E7E000-memory.dmp 184KB
memory/2708-132-0x0000000002B90000-0x0000000002B91000-memory.dmp 4KB
memory/2708-133-0x0000000005B20000-0x0000000005B21000-memory.dmp 4KB
memory/2708-134-0x0000000005B90000-0x0000000005B91000-memory.dmp 4KB
memory/2708-135-0x0000000002B64000-0x0000000002B66000-memory.dmp 8KB
memory/2708-136-0x0000000005D30000-0x0000000005D31000-memory.dmp 4KB
memory/2708-137-0x00000000064F0000-0x00000000064F1000-memory.dmp 4KB
memory/2708-138-0x0000000006580000-0x0000000006581000-memory.dmp 4KB
memory/2708-139-0x0000000006780000-0x0000000006781000-memory.dmp 4KB
memory/2708-140-0x00000000069B0000-0x00000000069B1000-memory.dmp 4KB
memory/2708-141-0x0000000006B80000-0x0000000006B81000-memory.dmp 4KB
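The dump file names above encode the PID, a sequence number and the virtual address range of each region, and the size column is derivable from that range. The following is an added example, not part of the report, that parses the listing, verifies the sizes against the address ranges, tags the two regions the RedLine Payload signature matched, and picks out the regions worth feeding to YARA or a config extractor. The listing embedded in the code is a subset copied from this report; the 64KB cutoff for "worth scanning" is a heuristic of this example, not something the report states.

```python
"""Parse this report's memory-dump listing and cross-check it.

Added example, not part of the report. Dump names encode PID, a sequence
number and the region's address range; the listing below is a subset copied
from the report, and the two YARA hits are the ones the "RedLine Payload"
signature names.
"""
import re

DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp"
)

# Copied from the report's Downloads listing (subset).
LISTING = """\
memory/2560-115-0x0000000000D40000-0x0000000000DAC000-memory.dmp 432KB
memory/2560-117-0x0000000000400000-0x000000000087B000-memory.dmp 4.5MB
memory/2560-116-0x0000000000E80000-0x0000000000F4E000-memory.dmp 824KB
memory/2708-128-0x0000000002A70000-0x0000000002A9D000-memory.dmp 180KB
memory/2708-131-0x0000000002B70000-0x0000000002B71000-memory.dmp 4KB
memory/2708-123-0x0000000000C90000-0x0000000000CBB000-memory.dmp 172KB
memory/2708-125-0x0000000000400000-0x000000000083B000-memory.dmp 4.2MB
memory/2708-118-0x0000000000000000-mapping.dmp
memory/2708-121-0x0000000000E50000-0x0000000000E7E000-memory.dmp 184KB
memory/2708-135-0x0000000002B64000-0x0000000002B66000-memory.dmp 8KB
"""

# From the "RedLine Payload" signature in this report.
YARA_HITS = {
    "memory/2708-121-0x0000000000E50000-0x0000000000E7E000-memory.dmp": "family_redline",
    "memory/2708-128-0x0000000002A70000-0x0000000002A9D000-memory.dmp": "family_redline",
}


def human(nbytes):
    """Reproduce the report's size format: whole KB below 1 MB, one decimal above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_listing(text):
    """One dict per dump; mapping.dmp entries carry no end address or size."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, reported = line.partition(" ")
        m = DUMP.fullmatch(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        entries.append({
            "name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end,
            "size": (end - start) if end is not None else None,
            "reported": reported or None,
            "yara": YARA_HITS.get(name),
        })
    return entries


def size_mismatches(entries):
    """Dump names whose address range disagrees with the size column."""
    return [e["name"] for e in entries
            if e["size"] is not None and human(e["size"]) != e["reported"]]


def regions_to_scan(entries, pid, min_bytes=64 * 1024):
    """Regions of one PID at least min_bytes large, largest first.

    Heuristic of this example: single-page (4KB) dumps are allocator and
    runtime bookkeeping and rarely hold a payload; the 0x400000 region is the
    mapped image itself, the mid-sized ones are where the unpacked payload and
    its config tend to sit (both YARA hits here are 180-184KB regions).
    """
    return sorted(
        (e for e in entries if e["pid"] == pid and e["size"] and e["size"] >= min_bytes),
        key=lambda e: e["size"], reverse=True,
    )


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    print("size mismatches:", size_mismatches(entries) or "none")
    for e in regions_to_scan(entries, 2708):
        tag = f"  <- {e['yara']}" if e["yara"] else ""
        print(f"{e['name']} {human(e['size'])}{tag}")
```

Run on the full listing the size check should come back empty; if it does not, the page was mangled in extraction and the address range, not the size column, is the value to trust.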