Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 09:12
- static task: static1
General
- Target: 067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe
- Size: 1.2MB
- MD5: ba48cbe3330971221c4c9c406a30ef6f
- SHA1: d766e0b0a7108d201490b256d5164c087ee13715
- SHA256: 067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6
- SHA512: 650e1e0d9bcb1f6f1b123b1782e16fb2a03c8cb034e23b9ff4875572978fa36b3573a65c983555e87ca2adb93adc9dc10e868baa77570620c03e9897ed8a678d
Malware Config
- Extracted
  Family: redline
  C2: 185.105.119.120:48759
- Extracted
  Family: redline
  Botnet: cheat
  C2: 185.253.7.41:49508
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (5 IoCs)
  YARA rule family_redline matched the following resources:
    behavioral1/memory/1308-133-0x0000000000400000-0x000000000046C000-memory.dmp
    C:\Users\Admin\AppData\Roaming\asf3r3.exe
    C:\Users\Admin\AppData\Roaming\asf3r3.exe
    behavioral1/memory/2640-145-0x0000000000EB0000-0x0000000000ED0000-memory.dmp
    behavioral1/memory/2640-148-0x0000000005760000-0x0000000005D66000-memory.dmp
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  PID   Process
  2640  asf3r3.exe
  1060  e3dwefw.exe
  1332  oobeldr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2712 (067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe) set thread context of PID 1308 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened by RegAsm.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried by RegAsm.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1308 RegAsm.exe (5 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1308 RegAsm.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (20 IoCs)
  Source process -> target process (number of writes):
    2712 067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe -> 1308 RegAsm.exe (8)
    1308 RegAsm.exe -> 2640 asf3r3.exe (3)
    1308 RegAsm.exe -> 1060 e3dwefw.exe (3)
    1060 e3dwefw.exe -> 192 schtasks.exe (3)
    1332 oobeldr.exe -> 1292 schtasks.exe (3)
Processes
- C:\Users\Admin\AppData\Local\Temp\067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\067b704b54f19baef687e3e3f4ac845283b1f670752df309e6eb143565851da6.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 2)
    Command line: #cmd
    Signatures: Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\asf3r3.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\asf3r3.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\e3dwefw.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    Signatures: Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  MD5: 67486b272027c5c08c37d2a7dfa3b019
  SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
  SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
  SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61
- C:\Users\Admin\AppData\Roaming\asf3r3.exe
  MD5: 654b0fbc5f45e7aa0d208a9ae2352f30
  SHA1: d91b8b6a3d1815010973db6189fc1f7b73e98dd8
  SHA256: 808bad1396611118abb83a7d09940c7c47d785511db2e5b652becf9ec67cdb19
  SHA512: 807a471d51a5e7f22f19a7cd0775f852519c256b3592136b4f673dcc8b53488698c5830d75cfc461937a5a485963c37e1eb4e18c40446ac241df1b859a242234
- C:\Users\Admin\AppData\Roaming\e3dwefw.exe (identical hashes to oobeldr.exe)
  MD5: 67486b272027c5c08c37d2a7dfa3b019
  SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
  SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
  SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61