Analysis
max time kernel: 119s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 20:37
Behavioral tasks
behavioral1: sample 5ae748c103a50cdd6d338506a153caa6.exe, resource win7-en-20211208
behavioral2: sample 5ae748c103a50cdd6d338506a153caa6.exe, resource win10-en-20211208
All signatures, process and memory data below are from behavioral2 (Windows 10 x64).
General
Target: 5ae748c103a50cdd6d338506a153caa6.exe
Size: 268KB
MD5: 5ae748c103a50cdd6d338506a153caa6
SHA1: cfc4f248b309c6e8ac5b8031a2a4d614a48c5ea7
SHA256: 870a4cfc58c388361c8834701aa8112a0de4155305e92aedc66e0384813d3439
SHA512: b7a354d56a07aede8eef9357985545c3a576a788fb6b6c11b88401ea9f81d3f5637ca63cc399f6096a96d4c73425d9e7787fa63d7b51cb72424b5d565bec5682
Malware Config
Extracted: asyncrat
  version: 1.0.7
  botnet: Default
  hosts:ports: null:null (no hard-coded C2; the client fetches the host and port at runtime from pastebin_config)
  mutex: DcRatMutex (a mutex name associated with DcRat, an AsyncRAT-derived build)
  anti_vm: false
  bsod: false
  delay: 1
  install: true
  install_file: RuntimeBroker.exe
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/SctPUR4x
Extracted: redline
  botnet: cheat
  C2: rat3000.ddns.net:56698
Extracted: redline
  botnet: @xbaxissxx
  C2: 137.117.100.173:36513
Because the AsyncRAT C2 is resolved through the Pastebin URL, the operator can change the server without touching the binary; block or monitor the paste URL as well as the RedLine host:port pairs.
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  behavioral2/memory/3648-124-0x00000000018A0000-0x00000000018BE000-memory.dmp  family_redline
  behavioral2/memory/3648-130-0x000000001BA90000-0x000000001BAAE000-memory.dmp  family_redline
- Async RAT payload (5 IoCs)
  behavioral2/memory/1260-115-0x0000000000430000-0x000000000047A000-memory.dmp  asyncrat
  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe  asyncrat (listed twice)
  behavioral2/memory/3648-122-0x0000000001890000-0x000000000189E000-memory.dmp  asyncrat
  behavioral2/memory/3648-129-0x00000000019D0000-0x00000000019DC000-memory.dmp  asyncrat
  The RedLine rule fires only in the memory of the persistent copy (PID 3648, RuntimeBroker.exe), and no RedLine binary appears among the dropped files, so in this run the stealer exists only in memory and never as a separate file on disk.
- Executes dropped EXE (1 IoC)
  PID 3648  RuntimeBroker.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The Pastebin URL in the extracted AsyncRAT config.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note) supports that here, and drive enumeration is consistent with a stealer looking for files to collect.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  PID 3676  timeout.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 1260  5ae748c103a50cdd6d338506a153caa6.exe (13 entries)
  PID 3648  RuntimeBroker.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1260  5ae748c103a50cdd6d338506a153caa6.exe
  Token: SeDebugPrivilege  PID 3648  RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (14 IoCs; each parent/child pair is recorded twice)
  PID 1260 5ae748c103a50cdd6d338506a153caa6.exe wrote to memory of PID 3712 cmd.exe
  PID 1260 5ae748c103a50cdd6d338506a153caa6.exe wrote to memory of PID 1884 cmd.exe
  PID 3712 cmd.exe wrote to memory of PID 3436 schtasks.exe
  PID 1884 cmd.exe wrote to memory of PID 3676 timeout.exe
  PID 1884 cmd.exe wrote to memory of PID 3648 RuntimeBroker.exe
  PID 3648 RuntimeBroker.exe wrote to memory of PID 1328 cmd.exe
  PID 1328 cmd.exe wrote to memory of PID 984 powershell.exe
  Every pair coincides with a parent/child edge in the process tree below, so these entries reflect process creation rather than injection into an already running process.
Processes
- C:\Users\Admin\AppData\Local\Temp\5ae748c103a50cdd6d338506a153caa6.exe (PID 1260)
  "C:\Users\Admin\AppData\Local\Temp\5ae748c103a50cdd6d338506a153caa6.exe"
  Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3712)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 3436)
      schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
      Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 1884)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC31.tmp.bat""
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 3676)
      timeout 3
      Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe (PID 3648)
      "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (PID 1328)
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\miner.exe"' & exit
        Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 984)
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\miner.exe"'
Notes on the tree: the scheduled task runs the %AppData% copy at every logon at the highest run level (/rl highest), and the tmpC31.tmp.bat stub is the usual AsyncRAT install sequence (sleep via timeout, then start the copy). The dash in "–ExecutionPolicy" is an en dash as captured, which PowerShell accepts as a parameter prefix; detections that match only the ASCII "-ExecutionPolicy" string miss it. C:\Users\Admin\AppData\Local\Temp\miner.exe is referenced by the command line but does not appear among the dropped files in this run.
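The process chain above expressed as detection logic, as an added example that is not part of the sandbox report: it runs over constructed process-creation events (pid, parent pid, image, command line, the fields a Sysmon Event ID 1 or Windows 4688 record provides) modelled on the tree, folds the Unicode dashes PowerShell accepts so the captured "–ExecutionPolicy" still matches, and walks each hit back to the original sample. The rule names and event shape are this example's own.

```python
import re

# PowerShell accepts these Unicode dashes as parameter prefixes; fold them before matching
# so the en dash in the captured "–ExecutionPolicy" command line does not evade the rule.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})

def norm(cmdline):
    """Case-fold a command line and normalise dash variants."""
    return cmdline.translate(DASHES).lower()

# Constructed process-creation events modelled on the report's process tree.
# They are not real log records; only their shape matters here.
EVENTS = [
    {"pid": 1260, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\5ae748c103a50cdd6d338506a153caa6.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\5ae748c103a50cdd6d338506a153caa6.exe"'},
    {"pid": 3712, "ppid": 1260, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit'''},
    {"pid": 3436, "ppid": 3712, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r"""schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'"""},
    {"pid": 1884, "ppid": 1260, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC31.tmp.bat""'},
    {"pid": 3676, "ppid": 1884, "image": r"C:\Windows\system32\timeout.exe", "cmd": "timeout 3"},
    {"pid": 3648, "ppid": 1884, "image": r"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'},
    {"pid": 1328, "ppid": 3648, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "\"C:\\Windows\\System32\\cmd.exe\" /c start /b powershell \u2013ExecutionPolicy Bypass "
            "Start-Process -FilePath '\"C:\\Users\\Admin\\AppData\\Local\\Temp\\miner.exe\"' & exit"},
    {"pid": 984, "ppid": 1328, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell \u2013ExecutionPolicy Bypass Start-Process -FilePath "
            "'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\miner.exe\"'"},
]

def detect(events):
    """Return (pid, rule) pairs for the persistence and loader behaviours seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        c = norm(e["cmd"])
        img = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        pimg = parent["image"].lower() if parent else ""
        # Logon-time task at highest run level whose action lives in a user-writable profile directory.
        if (img.endswith("\\schtasks.exe") and "/create" in c and "/sc onlogon" in c
                and "/rl highest" in c and re.search(r"\\appdata\\roaming\\|%appdata%", c)):
            alerts.append((e["pid"], "schtasks_onlogon_appdata"))
        # cmd.exe running a tmp*.tmp.bat from %Temp% (the AsyncRAT install stub).
        if img.endswith("\\cmd.exe") and re.search(r"\\appdata\\local\\temp\\tmp[0-9a-f]+\.tmp\.bat", c):
            alerts.append((e["pid"], "cmd_temp_install_bat"))
        # An executable under AppData\Roaming started by cmd.exe (the dropped copy coming up).
        if "\\appdata\\roaming\\" in img and img.endswith(".exe") and pimg.endswith("\\cmd.exe"):
            alerts.append((e["pid"], "exe_from_roaming_via_cmd"))
        # PowerShell with the execution policy bypassed launching something from %Temp%.
        if (img.endswith("\\powershell.exe") and re.search(r"-e(xecutionpolicy|p)\s+bypass", c)
                and "start-process" in c and "\\appdata\\local\\temp\\" in c):
            alerts.append((e["pid"], "powershell_bypass_start_temp"))
    return alerts

def root_of(pid, events):
    """Walk parent links to the top of the chain (the originally executed sample)."""
    by_pid = {e["pid"]: e for e in events}
    while by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid} ({rule}) traces back to pid {root_of(pid, EVENTS)}")
```

Each rule keys on the image of the process that actually performs the action (schtasks.exe, powershell.exe) rather than on the cmd.exe wrapper, so a chain that drops the intermediate cmd.exe still fires; the last assertion in the test shows a legitimate onlogon task pointing at Program Files does not.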
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC31.tmp.bat
  MD5: 40e5097d6bb6bba1f362fc5464cbbf2f
  SHA1: 3d7fef2e08ec8fc3b10face44a4fb74b58e390f6
  SHA256: 6de15c0a02d7ddab1e8dabf2b9c71407001527544ea099cfd99839ebaef423a4
  SHA512: e5149719e9a8f0e5982f4815a8a8bb513788c3e39473a01b224ba8c78677c799f59257c7b9e8fbe78e23845926bb971a4ac014410181f1325f9da7ef58bc5381
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe (listed twice in the report with identical hashes)
  MD5: 5ae748c103a50cdd6d338506a153caa6
  SHA1: cfc4f248b309c6e8ac5b8031a2a4d614a48c5ea7
  SHA256: 870a4cfc58c388361c8834701aa8112a0de4155305e92aedc66e0384813d3439
  SHA512: b7a354d56a07aede8eef9357985545c3a576a788fb6b6c11b88401ea9f81d3f5637ca63cc399f6096a96d4c73425d9e7787fa63d7b51cb72424b5d565bec5682
  These hashes are identical to the submitted sample: RuntimeBroker.exe is a byte-for-byte self-copy placed in %AppData%, so a hash match on the original file also covers the persistent copy.
Memory dumps (behavioral2; name encodes PID, sequence number and region bounds)
memory/1260-115-0x0000000000430000-0x000000000047A000-memory.dmp  296KB
memory/1260-116-0x0000000000B50000-0x0000000000BB7000-memory.dmp  412KB
memory/3648-123-0x00000000018D0000-0x00000000018EE000-memory.dmp  120KB
memory/3648-121-0x0000000003420000-0x0000000003496000-memory.dmp  472KB
memory/3648-122-0x0000000001890000-0x000000000189E000-memory.dmp  56KB
memory/3648-120-0x000000001C502000-0x000000001C503000-memory.dmp  4KB
memory/3648-124-0x00000000018A0000-0x00000000018BE000-memory.dmp  120KB
memory/3648-125-0x0000000001920000-0x0000000001932000-memory.dmp  72KB
memory/3648-126-0x0000000001980000-0x00000000019BE000-memory.dmp  248KB
memory/3648-127-0x000000001D800000-0x000000001D9C2000-memory.dmp  1.8MB
memory/3648-128-0x000000001F7F0000-0x000000001FD16000-memory.dmp  5.1MB
memory/3648-129-0x00000000019D0000-0x00000000019DC000-memory.dmp  48KB
memory/3648-130-0x000000001BA90000-0x000000001BAAE000-memory.dmp  120KB
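The dump names above and in the signature section encode the PID and the region bounds, so the reported size column can be recomputed from the name. The following is an added example, not code from the report or the sandbox: it parses those names, checks every computed size against the reported one, and groups the YARA family hits by process to show which process carried which payload. The report's own dump names, sizes and rule hits are embedded as data; the function names are this example's own.

```python
import re
from collections import defaultdict

# Dump names as they appear in the report: [behavioralN/]memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

def parse_dump(name):
    """Split a dump name into pid, sequence number, region bounds and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or (end - start) % 0x1000:
        raise ValueError(f"bad region bounds in {name}")  # regions are page-aligned
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}

def fmt_size(nbytes):
    """Reproduce the report's size column: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"

# (dump name, reported size) copied from the report's memory list.
REPORTED = [
    ("memory/1260-115-0x0000000000430000-0x000000000047A000-memory.dmp", "296KB"),
    ("memory/1260-116-0x0000000000B50000-0x0000000000BB7000-memory.dmp", "412KB"),
    ("memory/3648-123-0x00000000018D0000-0x00000000018EE000-memory.dmp", "120KB"),
    ("memory/3648-121-0x0000000003420000-0x0000000003496000-memory.dmp", "472KB"),
    ("memory/3648-122-0x0000000001890000-0x000000000189E000-memory.dmp", "56KB"),
    ("memory/3648-120-0x000000001C502000-0x000000001C503000-memory.dmp", "4KB"),
    ("memory/3648-124-0x00000000018A0000-0x00000000018BE000-memory.dmp", "120KB"),
    ("memory/3648-125-0x0000000001920000-0x0000000001932000-memory.dmp", "72KB"),
    ("memory/3648-126-0x0000000001980000-0x00000000019BE000-memory.dmp", "248KB"),
    ("memory/3648-127-0x000000001D800000-0x000000001D9C2000-memory.dmp", "1.8MB"),
    ("memory/3648-128-0x000000001F7F0000-0x000000001FD16000-memory.dmp", "5.1MB"),
    ("memory/3648-129-0x00000000019D0000-0x00000000019DC000-memory.dmp", "48KB"),
    ("memory/3648-130-0x000000001BA90000-0x000000001BAAE000-memory.dmp", "120KB"),
]

# (dump name, YARA rule) copied from the report's signature section.
YARA_HITS = [
    ("behavioral2/memory/3648-124-0x00000000018A0000-0x00000000018BE000-memory.dmp", "family_redline"),
    ("behavioral2/memory/3648-130-0x000000001BA90000-0x000000001BAAE000-memory.dmp", "family_redline"),
    ("behavioral2/memory/1260-115-0x0000000000430000-0x000000000047A000-memory.dmp", "asyncrat"),
    ("behavioral2/memory/3648-122-0x0000000001890000-0x000000000189E000-memory.dmp", "asyncrat"),
    ("behavioral2/memory/3648-129-0x00000000019D0000-0x00000000019DC000-memory.dmp", "asyncrat"),
]

def reconcile(reported):
    """Dump names whose size computed from the bounds disagrees with the reported size column."""
    return [name for name, size in reported if fmt_size(parse_dump(name)["size"]) != size]

def families_by_pid(hits):
    """Map each PID to the set of family rules that fired on its memory."""
    out = defaultdict(set)
    for name, rule in hits:
        out[parse_dump(name)["pid"]].add(rule)
    return dict(out)

def regions_for(pid, reported):
    """Regions dumped from one process, ordered by address."""
    return sorted((parse_dump(n) for n, _ in reported if parse_dump(n)["pid"] == pid),
                  key=lambda r: r["start"])

if __name__ == "__main__":
    print("size mismatches:", reconcile(REPORTED))
    for pid, fams in sorted(families_by_pid(YARA_HITS).items()):
        print(pid, sorted(fams), [hex(r["start"]) for r in regions_for(pid, REPORTED)])
```

Running this against the report's data returns no size mismatches and shows the original process (1260) carrying only the AsyncRAT signature while the persistent copy (3648) carries both, which is the evidence behind the note in the signature section that RedLine is present only in memory.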