Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 16-12-2021 13:23

Static task: static1
Behavioral task: behavioral1
Sample: a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
Resource: win10-en-20211208
0 signatures
0 seconds
General
- Target: a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
- Size: 473KB
- MD5: 67152b967be7058c9d7bc02353b342eb
- SHA1: 38b63764e9be58180353cbb206f13a6668bcb9d4
- SHA256: a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f
- SHA512: 87abe65d91fd7724bbd15a1008658ccf54a350370c107b2f69f42f6b105a4d0d54ff1adcf2e34a1988cd71f51a1710328d4a16cbfbf6b0fc567e51aeee1322ab
- Score: 10/10
Malware Config
Extracted
- Family: redline
- Botnet: Siski
- C2: 109.248.201.17:34060
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1348-119-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1348-120-0x000000000041932A-mapping.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes: a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
  description | pid | process | target process
  PID 3764 set thread context of 1348 | 3764 | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  924 | 1348 | WerFault.exe | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: WerFault.exe
  pid | process
  924 | WerFault.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 3764 | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
  Token: SeRestorePrivilege | 924 | WerFault.exe
  Token: SeBackupPrivilege | 924 | WerFault.exe
  Token: SeDebugPrivilege | 924 | WerFault.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
  description | pid | process | target process
  PID 3764 wrote to memory of 3888 | 3764 | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe (4 identical entries)
  PID 3764 wrote to memory of 1348 | 3764 | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe | a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe (8 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
  - [2] C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a17209b819a454f90054a6de229f948177b1e421f1bd2c17d5633d64bc412c5f.exe
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 160
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1348-119-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1348-120-0x000000000041932A-mapping.dmp
- memory/3764-115-0x0000000000D40000-0x0000000000D41000-memory.dmp (Filesize: 4KB)
- memory/3764-118-0x0000000005500000-0x0000000005501000-memory.dmp (Filesize: 4KB)
- memory/3764-117-0x00000000057C0000-0x00000000057C1000-memory.dmp (Filesize: 4KB)