Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-01-2022 21:22
Static task
- static1
Behavioral task
- behavioral1
  Sample: 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
  Resource: win7-en-20211208
- behavioral2
  Sample: 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
  Resource: win10v2004-en-20220113
General
- Target: 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
- Size: 1.1MB
- MD5: 3db8aaeede991e343f4a58c029d5bcb6
- SHA1: dce0cf75d9080b4c31425adbc899d21f0ebb5c0f
- SHA256: 9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71
- SHA512: ae2e99816106a935498f977bf31dd995d315dcdb0237904bce86ccc525732d4b5353376818af87337396370e0cc23ebd321b4ecf1cb30c04969ea0a20ff8df31
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: vigasiergu.xyz:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2008-68-0x00000000000F0000-0x0000000000112000-memory.dmp | family_redline
  behavioral1/memory/2008-74-0x00000000000F0000-0x0000000000112000-memory.dmp | family_redline
- Executes dropped EXE (3 IoCs)
  pid | process
  764 | Hai.exe.com
  1348 | Hai.exe.com
  2008 | RegAsm.exe
- Deletes itself (1 IoCs)
  pid | process
  1348 | Hai.exe.com
- Loads dropped DLL (4 IoCs)
  pid | process
  1668 | 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
  832 | cmd.exe
  1348 | Hai.exe.com
  2008 | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 1348 set thread context of 2008 | 1348 | Hai.exe.com | RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | process
  1348 | Hai.exe.com (9 identical rows)
  2008 | RegAsm.exe (4 identical rows)
- Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | process | target process
  PID 1668 wrote to memory of 1516 | 1668 | 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe | cmd.exe (4 identical rows)
  PID 1516 wrote to memory of 832 | 1516 | cmd.exe | cmd.exe (4 identical rows)
  PID 832 wrote to memory of 524 | 832 | cmd.exe | findstr.exe (4 identical rows)
  PID 832 wrote to memory of 764 | 832 | cmd.exe | Hai.exe.com (4 identical rows)
  PID 832 wrote to memory of 1536 | 832 | cmd.exe | PING.EXE (4 identical rows)
  PID 764 wrote to memory of 1348 | 764 | Hai.exe.com | Hai.exe.com (4 identical rows)
  PID 1348 wrote to memory of 2008 | 1348 | Hai.exe.com | RegAsm.exe (9 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "cmd" /c cmd < Ingranditi.vss
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (depth 4)
        Command line: findstr /V /R "^fuetIiQsuPqjAJVttASkWlwvPOGVNzHQwJbzXtckNBEqDdxupaWHHZAytGgTAVENilkQkBuZyGnxFwTnxALxvqowpagsQBLSXQSayDVHjXBwBu$" Sul.vss
      - C:\Users\Admin\AppData\Roaming\Hai.exe.com (depth 4)
        Command line: Hai.exe.com I
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Hai.exe.com (depth 5)
          Command line: C:\Users\Admin\AppData\Roaming\Hai.exe.com I
          Signatures: Executes dropped EXE; Deletes itself; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\RegAsm.exe (depth 6)
            Command line: C:\Users\Admin\AppData\Roaming\RegAsm.exe
            Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\PING.EXE (depth 4)
        Command line: ping localhost
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Cancellato.vss
  MD5: 9ade5ce9d5905c826669ce593925778b
  SHA1: b426f52bfe2297f709488e1efe74173188e9059c
  SHA256: a362496c9b6d20798529ed23964028e39ebc245eb1cd9db407e0162c73f4d0d6
  SHA512: 3130f0ac30e8448c46f1385a91821a9d819490b8fad3a0885cdee36fda73c3322a43ff6888cb70d987164a55d4e7d848a6d529eacb3e88a7aea6c27b8e102174
- C:\Users\Admin\AppData\Roaming\Hai.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Roaming\I
  MD5: 4f0ea88efaffe77c5b2f0def0525437e
  SHA1: fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184
  SHA256: 35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02
  SHA512: 2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f
- C:\Users\Admin\AppData\Roaming\Ingranditi.vss
  MD5: 43cb85e9dd4c6a25b26a284c4d4b76ac
  SHA1: 567f4c9fb4877a772bd1504fabd63e93bd30563f
  SHA256: e33387125c435bc00687074755c6f20c461c9d935c948554a46ae4e63cd8474f
  SHA512: 54f600aefef8b937ce046edc353f971c3a02e869d7fbfe1a768360b1a3fbd85c22ad6625056acfaf44958b4e5aa6fb6bf77cfa54f68e4fd1ad916c0d283ae98f
- C:\Users\Admin\AppData\Roaming\Mille.vss
  MD5: 4f0ea88efaffe77c5b2f0def0525437e
  SHA1: fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184
  SHA256: 35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02
  SHA512: 2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f
- C:\Users\Admin\AppData\Roaming\RegAsm.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Roaming\Sul.vss
  MD5: 47985749b176175b0233934dbf034f5d
  SHA1: 936938f9d1e68b932ae9d61ffec19bcb0a57efea
  SHA256: 68a864ef9f9283178192b42c19c07877454785e5db339edf77c0ca7efe337c49
  SHA512: a6a97be7a82b20d1b9921e3639d870c4871cd224a4bd406d0e0beb93a6753cc34ece23c703601a8635859d5251d2d7a2e2a6f4799c7cb6c5e99652a42790523a
- \Users\Admin\AppData\Local\Temp\nsnD450.tmp\nsExec.dll
  MD5: 09c2e27c626d6f33018b8a34d3d98cb6
  SHA1: 8d6bf50218c8f201f06ecf98ca73b74752a2e453
  SHA256: 114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
  SHA512: 883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954
- \Users\Admin\AppData\Roaming\Hai.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- \Users\Admin\AppData\Roaming\RegAsm.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- memory/1348-67-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
- memory/1668-53-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB
- memory/2008-66-0x00000000000F0000-0x0000000000112000-memory.dmp
  Filesize: 136KB
- memory/2008-68-0x00000000000F0000-0x0000000000112000-memory.dmp
  Filesize: 136KB
- memory/2008-74-0x00000000000F0000-0x0000000000112000-memory.dmp
  Filesize: 136KB
- memory/2008-75-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
  Filesize: 4KB