Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 09:12

General

  • Target

    067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe

  • Size

    1.2MB

  • MD5

    ba48cbe3330971221c4c9c406a30ef6f

  • SHA1

    d766e0b0a7108d201490b256d5164c087ee13715

  • SHA256

    067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6

  • SHA512

    650e1e0d9bcb1f6f1b123b1782e16fb2a03c8cb034e23b9ff4875572978fa36b3573a65c983555e87ca2adb93adc9dc10e868baa77570620c03e9897ed8a678d

Malware Config

Extracted

Family

redline

C2

185.105.119.120:48759

Extracted

Family

redline

Botnet

cheat

C2

185.253.7.41:49508

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe
    "C:\Users\Admin\AppData\Local\Temp\067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Users\Admin\AppData\Roaming\asf3r3.exe
        "C:\Users\Admin\AppData\Roaming\asf3r3.exe"
        3⤵
        • Executes dropped EXE
        PID:2640
      • C:\Users\Admin\AppData\Roaming\e3dwefw.exe
        "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          4⤵
          • Creates scheduled task(s)
          PID:192
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    MD5

    67486b272027c5c08c37d2a7dfa3b019

    SHA1

    660cd3fa71e480e03b392ccfff95b1a651ec1563

    SHA256

    cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

    SHA512

    6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    MD5

    67486b272027c5c08c37d2a7dfa3b019

    SHA1

    660cd3fa71e480e03b392ccfff95b1a651ec1563

    SHA256

    cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

    SHA512

    6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

  • C:\Users\Admin\AppData\Roaming\asf3r3.exe
    MD5

    654b0fbc5f45e7aa0d208a9ae2352f30

    SHA1

    d91b8b6a3d1815010973db6189fc1f7b73e98dd8

    SHA256

    808bad1396611118abb83a7d09940c7c47d785511db2e5b652becf9ec67cdb19

    SHA512

    807a471d51a5e7f22f19a7cd0775f852519c256b3592136b4f673dcc8b53488698c5830d75cfc461937a5a485963c37e1eb4e18c40446ac241df1b859a242234

  • C:\Users\Admin\AppData\Roaming\asf3r3.exe
    MD5

    654b0fbc5f45e7aa0d208a9ae2352f30

    SHA1

    d91b8b6a3d1815010973db6189fc1f7b73e98dd8

    SHA256

    808bad1396611118abb83a7d09940c7c47d785511db2e5b652becf9ec67cdb19

    SHA512

    807a471d51a5e7f22f19a7cd0775f852519c256b3592136b4f673dcc8b53488698c5830d75cfc461937a5a485963c37e1eb4e18c40446ac241df1b859a242234

  • C:\Users\Admin\AppData\Roaming\e3dwefw.exe
    MD5

    67486b272027c5c08c37d2a7dfa3b019

    SHA1

    660cd3fa71e480e03b392ccfff95b1a651ec1563

    SHA256

    cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

    SHA512

    6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

  • C:\Users\Admin\AppData\Roaming\e3dwefw.exe
    MD5

    67486b272027c5c08c37d2a7dfa3b019

    SHA1

    660cd3fa71e480e03b392ccfff95b1a651ec1563

    SHA256

    cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677

    SHA512

    6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

  • memory/1308-138-0x0000000005190000-0x0000000005796000-memory.dmp
    Filesize

    6.0MB

  • memory/1308-141-0x0000000006E50000-0x0000000006E8E000-memory.dmp
    Filesize

    248KB

  • memory/1308-134-0x00000000057A0000-0x0000000005DA6000-memory.dmp
    Filesize

    6.0MB

  • memory/1308-135-0x0000000005210000-0x0000000005222000-memory.dmp
    Filesize

    72KB

  • memory/1308-136-0x0000000005340000-0x000000000544A000-memory.dmp
    Filesize

    1.0MB

  • memory/1308-137-0x0000000005DB0000-0x0000000005F72000-memory.dmp
    Filesize

    1.8MB

  • memory/1308-149-0x0000000007D00000-0x0000000007D50000-memory.dmp
    Filesize

    320KB

  • memory/1308-139-0x0000000006EB0000-0x00000000073DC000-memory.dmp
    Filesize

    5.2MB

  • memory/1308-140-0x0000000006BA0000-0x0000000006C06000-memory.dmp
    Filesize

    408KB

  • memory/1308-133-0x0000000000400000-0x000000000046C000-memory.dmp
    Filesize

    432KB

  • memory/1308-142-0x00000000073E0000-0x000000000742B000-memory.dmp
    Filesize

    300KB

  • memory/2640-145-0x0000000000EB0000-0x0000000000ED0000-memory.dmp
    Filesize

    128KB

  • memory/2640-148-0x0000000005760000-0x0000000005D66000-memory.dmp
    Filesize

    6.0MB

  • memory/2712-132-0x0000000005090000-0x000000000509A000-memory.dmp
    Filesize

    40KB

  • memory/2712-131-0x0000000004BC0000-0x0000000004BDE000-memory.dmp
    Filesize

    120KB

  • memory/2712-122-0x0000000005000000-0x0000000005076000-memory.dmp
    Filesize

    472KB

  • memory/2712-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
    Filesize

    4KB

  • memory/2712-115-0x00000000001C0000-0x0000000000304000-memory.dmp
    Filesize

    1.3MB

  • memory/2712-117-0x0000000004C60000-0x0000000004CF2000-memory.dmp
    Filesize

    584KB

  • memory/2712-116-0x00000000050C0000-0x00000000055BE000-memory.dmp
    Filesize

    5.0MB