Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-01-2022 05:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: cee9ec3f7478e35f714fed6e080f2711.exe
- Resource: win7-en-20211208
General
- Target: cee9ec3f7478e35f714fed6e080f2711.exe
- Size: 1.4MB
- MD5: cee9ec3f7478e35f714fed6e080f2711
- SHA1: 54173b65efb80cdeeaa1047329dbf20fc13d8ed7
- SHA256: d626d2dd320f5f66816bf3c97a8dd37f1be24b722fa32601c45e3be87791ed97
- SHA512: 774695b4f5a4b253135337af2df7accf6506c5e3718d55b51fdcad2dddc8e7bc7882f9526085e1240cb72f7fba5833ddbe60d9e07eaa2f9d00199cd0d5ade808
Malware Config
- Extracted: redline
  49.12.47.66:27973
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Processes (resource | yara_rule):
  - behavioral1/memory/324-60-0x0000000000400000-0x000000000046C000-memory.dmp | family_redline
  - behavioral1/memory/324-61-0x0000000000400000-0x000000000046C000-memory.dmp | family_redline
  - behavioral1/memory/324-62-0x0000000000400000-0x000000000046C000-memory.dmp | family_redline
  - behavioral1/memory/324-64-0x0000000000400000-0x000000000046C000-memory.dmp | family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 2040 set thread context of 324 | 2040 | cee9ec3f7478e35f714fed6e080f2711.exe | RegAsm.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  - 324 | RegAsm.exe (5 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 324 | RegAsm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 2040 wrote to memory of 324 | 2040 | cee9ec3f7478e35f714fed6e080f2711.exe | RegAsm.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cee9ec3f7478e35f714fed6e080f2711.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cee9ec3f7478e35f714fed6e080f2711.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child process)
    Command line: #cmd
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (resource | filesize)
- memory/324-58-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
- memory/324-59-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
- memory/324-60-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
- memory/324-61-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
- memory/324-62-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
- memory/324-64-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
- memory/324-65-0x0000000000C70000-0x0000000000C71000-memory.dmp | 4KB
- memory/2040-55-0x0000000000B80000-0x0000000000CE0000-memory.dmp | 1.4MB
- memory/2040-56-0x00000000760F1000-0x00000000760F3000-memory.dmp | 8KB
- memory/2040-57-0x0000000004A00000-0x0000000004A01000-memory.dmp | 4KB