Analysis
max time kernel: 146s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 29-01-2022 05:21
Static task: static1
Behavioral task: behavioral1
Sample: cee9ec3f7478e35f714fed6e080f2711.exe
Resource: win7-en-20211208
General
Target: cee9ec3f7478e35f714fed6e080f2711.exe
Size: 1.4MB
MD5: cee9ec3f7478e35f714fed6e080f2711
SHA1: 54173b65efb80cdeeaa1047329dbf20fc13d8ed7
SHA256: d626d2dd320f5f66816bf3c97a8dd37f1be24b722fa32601c45e3be87791ed97
SHA512: 774695b4f5a4b253135337af2df7accf6506c5e3718d55b51fdcad2dddc8e7bc7882f9526085e1240cb72f7fba5833ddbe60d9e07eaa2f9d00199cd0d5ade808
Malware Config
Extracted
redline
49.12.47.66:27973
Extracted
redline
123
46.3.199.85:4329
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/3216-125-0x0000000000400000-0x000000000046C000-memory.dmp  family_redline
C:\Users\Admin\AppData\Roaming\asf3r3.exe                                     family_redline
C:\Users\Admin\AppData\Roaming\asf3r3.exe                                     family_redline
behavioral2/memory/1176-137-0x0000000000B90000-0x0000000000BB0000-memory.dmp  family_redline
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
Processes:
pid   process
1176  asf3r3.exe
1248  e3dwefw.exe
3296  oobeldr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                                target process
PID 2492 set thread context of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RegAsm.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
1480  schtasks.exe
2440  schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
3216  RegAsm.exe
3216  RegAsm.exe
3216  RegAsm.exe
3216  RegAsm.exe
3216  RegAsm.exe
1176  asf3r3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3216  RegAsm.exe
Token: SeDebugPrivilege  1176  asf3r3.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description                       pid   process                                target process
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 2492 wrote to memory of 3216  2492  cee9ec3f7478e35f714fed6e080f2711.exe  RegAsm.exe
PID 3216 wrote to memory of 1176  3216  RegAsm.exe                             asf3r3.exe
PID 3216 wrote to memory of 1176  3216  RegAsm.exe                             asf3r3.exe
PID 3216 wrote to memory of 1176  3216  RegAsm.exe                             asf3r3.exe
PID 3216 wrote to memory of 1248  3216  RegAsm.exe                             e3dwefw.exe
PID 3216 wrote to memory of 1248  3216  RegAsm.exe                             e3dwefw.exe
PID 3216 wrote to memory of 1248  3216  RegAsm.exe                             e3dwefw.exe
PID 1248 wrote to memory of 1480  1248  e3dwefw.exe                            schtasks.exe
PID 1248 wrote to memory of 1480  1248  e3dwefw.exe                            schtasks.exe
PID 1248 wrote to memory of 1480  1248  e3dwefw.exe                            schtasks.exe
PID 3296 wrote to memory of 2440  3296  oobeldr.exe                            schtasks.exe
PID 3296 wrote to memory of 2440  3296  oobeldr.exe                            schtasks.exe
PID 3296 wrote to memory of 2440  3296  oobeldr.exe                            schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cee9ec3f7478e35f714fed6e080f2711.exe
  "C:\Users\Admin\AppData\Local\Temp\cee9ec3f7478e35f714fed6e080f2711.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\asf3r3.exe
      "C:\Users\Admin\AppData\Roaming\asf3r3.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\e3dwefw.exe
      "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        - Creates scheduled task(s)
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
MD5: 67486b272027c5c08c37d2a7dfa3b019
SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61
C:\Users\Admin\AppData\Roaming\asf3r3.exe
MD5: 251a95b3e822ff316dcbeec79f622594
SHA1: 214ffd96dbb7df6d8e437d57753131142ab3cfa1
SHA256: 0b1dd3984b36ee6b633f22f4f90eebe1b9f32ec6d6c46134a179f69e6bd11ec7
SHA512: f0441fdec6cf50fb8c37a8f5707bba20cde622faa13d9426ffc1f4cd66c0ed428ca5f767aee78f6ffac9d5677d423ddced153b71363f8bcca96c63ca5a13e88f
C:\Users\Admin\AppData\Roaming\e3dwefw.exe
MD5: 67486b272027c5c08c37d2a7dfa3b019
SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61
memory/1176-142-0x0000000007AC0000-0x0000000007B10000-memory.dmp  Filesize: 320KB
memory/1176-141-0x0000000005470000-0x0000000005A76000-memory.dmp  Filesize: 6.0MB
memory/1176-140-0x00000000055A0000-0x00000000055EB000-memory.dmp  Filesize: 300KB
memory/1176-137-0x0000000000B90000-0x0000000000BB0000-memory.dmp  Filesize: 128KB
memory/2492-124-0x0000000005800000-0x000000000580A000-memory.dmp  Filesize: 40KB
memory/2492-118-0x0000000000800000-0x0000000000960000-memory.dmp  Filesize: 1.4MB
memory/2492-119-0x0000000005830000-0x0000000005D2E000-memory.dmp  Filesize: 5.0MB
memory/2492-120-0x0000000005270000-0x0000000005271000-memory.dmp  Filesize: 4KB
memory/2492-121-0x00000000053D0000-0x0000000005462000-memory.dmp  Filesize: 584KB
memory/2492-122-0x0000000005770000-0x00000000057E6000-memory.dmp  Filesize: 472KB
memory/2492-123-0x0000000005350000-0x000000000536E000-memory.dmp  Filesize: 120KB
memory/3216-133-0x0000000006D50000-0x0000000006D8E000-memory.dmp  Filesize: 248KB
memory/3216-127-0x0000000005790000-0x00000000057A2000-memory.dmp  Filesize: 72KB
memory/3216-126-0x0000000005D80000-0x0000000006386000-memory.dmp  Filesize: 6.0MB
memory/3216-125-0x0000000000400000-0x000000000046C000-memory.dmp  Filesize: 432KB
memory/3216-128-0x00000000058C0000-0x00000000059CA000-memory.dmp  Filesize: 1.0MB
memory/3216-134-0x0000000007770000-0x00000000077BB000-memory.dmp  Filesize: 300KB
memory/3216-129-0x0000000005BA0000-0x0000000005D62000-memory.dmp  Filesize: 1.8MB
memory/3216-132-0x0000000006BE0000-0x0000000006C46000-memory.dmp  Filesize: 408KB
memory/3216-131-0x0000000006E40000-0x000000000736C000-memory.dmp  Filesize: 5.2MB
memory/3216-130-0x0000000005770000-0x0000000005D76000-memory.dmp  Filesize: 6.0MB