Analysis
-
max time kernel
175s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-02-2022 05:30
Static task
static1
Behavioral task
behavioral1
Sample
07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe
Resource
win7-en-20211208
General
-
Target
07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe
-
Size
479KB
-
MD5
203e8131a6f654a6c67f53ef46b65117
-
SHA1
51ece091b99c77ef712db6aac01ca8b183d2e0b0
-
SHA256
07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27
-
SHA512
311db800b56eac3f3bdfd78a922eeb7a2a019b236f3dea5229475519f5bf87f756d9cdcad9a8d4011ba9fc1b1463cb860d1d2da7fb92c8c29553c3e117d0e0c0
Malware Config
Extracted
redline
test1
disandillanne.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4980-214-0x0000000000410000-0x0000000000430000-memory.dmp family_redline -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 4256 created 1208 4256 WerFault.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe -
Executes dropped EXE 2 IoCs
Processes:
af2ecd93-5867-48ce-86e8-80bbe734c949.exedeadeb04-3b52-4a45-be46-9e6a01d2ae84.exepid process 4488 af2ecd93-5867-48ce-86e8-80bbe734c949.exe 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
deadeb04-3b52-4a45-be46-9e6a01d2ae84.exedescription pid process target process PID 1208 set thread context of 4980 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe AppLaunch.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4748 1208 WerFault.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeaf2ecd93-5867-48ce-86e8-80bbe734c949.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 af2ecd93-5867-48ce-86e8-80bbe734c949.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier af2ecd93-5867-48ce-86e8-80bbe734c949.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
af2ecd93-5867-48ce-86e8-80bbe734c949.exeWerFault.exepid process 4488 af2ecd93-5867-48ce-86e8-80bbe734c949.exe 4748 WerFault.exe 4748 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exeaf2ecd93-5867-48ce-86e8-80bbe734c949.exesvchost.exeWerFault.exeTiWorker.exeAppLaunch.exedescription pid process Token: SeDebugPrivilege 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe Token: SeDebugPrivilege 4488 af2ecd93-5867-48ce-86e8-80bbe734c949.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeCreatePagefilePrivilege 2624 svchost.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeCreatePagefilePrivilege 2624 svchost.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeCreatePagefilePrivilege 2624 svchost.exe Token: SeRestorePrivilege 4748 WerFault.exe Token: SeBackupPrivilege 4748 WerFault.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeDebugPrivilege 4980 AppLaunch.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe Token: SeSecurityPrivilege 4172 TiWorker.exe Token: SeBackupPrivilege 4172 TiWorker.exe Token: SeRestorePrivilege 4172 TiWorker.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exedeadeb04-3b52-4a45-be46-9e6a01d2ae84.exeWerFault.exedescription pid process target process PID 4576 wrote to memory of 4488 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe af2ecd93-5867-48ce-86e8-80bbe734c949.exe PID 4576 wrote to memory of 4488 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe af2ecd93-5867-48ce-86e8-80bbe734c949.exe PID 4576 wrote to memory of 4488 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe af2ecd93-5867-48ce-86e8-80bbe734c949.exe PID 4576 wrote to memory of 1208 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe PID 4576 wrote to memory of 1208 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe PID 4576 wrote to memory of 1208 4576 07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe PID 1208 wrote to memory of 4980 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe AppLaunch.exe PID 1208 wrote to memory of 4980 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe AppLaunch.exe PID 1208 wrote to memory of 4980 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe AppLaunch.exe PID 1208 wrote to memory of 4980 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe AppLaunch.exe PID 1208 wrote to memory of 4980 1208 deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe AppLaunch.exe PID 4256 wrote to memory of 1208 4256 WerFault.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe PID 4256 wrote to memory of 1208 4256 WerFault.exe deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe"C:\Users\Admin\AppData\Local\Temp\07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exe"C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe"C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 3803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1208 -ip 12081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exeMD5
fd4bcc51f6325388f8d2e6c3f6b32cee
SHA199f99a4b5655d01789e9ebe97effc7b64369c641
SHA2565f9484bd0136da270398279a49369490fbb2ba4fa92e73126b60b75148da407f
SHA512c7a8577cc54c05227768f079648414819673cbefb7d2824724683a702febb476ac38270f4ac4c98d5639fa789697e9738ef6e98487774b594d114bdecb3309e3
-
C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exeMD5
fd4bcc51f6325388f8d2e6c3f6b32cee
SHA199f99a4b5655d01789e9ebe97effc7b64369c641
SHA2565f9484bd0136da270398279a49369490fbb2ba4fa92e73126b60b75148da407f
SHA512c7a8577cc54c05227768f079648414819673cbefb7d2824724683a702febb476ac38270f4ac4c98d5639fa789697e9738ef6e98487774b594d114bdecb3309e3
-
C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exeMD5
4f1c1dee549fe45bfc4d69f251c3bbfe
SHA12771a162d86f1658a37ad50b55e73c38ebf4459a
SHA25620144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75
SHA51215b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581
-
C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exeMD5
4f1c1dee549fe45bfc4d69f251c3bbfe
SHA12771a162d86f1658a37ad50b55e73c38ebf4459a
SHA25620144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75
SHA51215b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581
-
memory/1208-201-0x00000000025B0000-0x00000000025F1000-memory.dmpFilesize
260KB
-
memory/1208-202-0x0000000000400000-0x0000000000967000-memory.dmpFilesize
5.4MB
-
memory/1208-203-0x0000000000400000-0x0000000000967000-memory.dmpFilesize
5.4MB
-
memory/1208-200-0x0000000000400000-0x0000000000967000-memory.dmpFilesize
5.4MB
-
memory/1208-199-0x0000000000A80000-0x0000000000A81000-memory.dmpFilesize
4KB
-
memory/1208-198-0x0000000000400000-0x0000000000967000-memory.dmpFilesize
5.4MB
-
memory/1208-197-0x0000000000400000-0x0000000000967000-memory.dmpFilesize
5.4MB
-
memory/1208-204-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/1208-205-0x0000000000400000-0x0000000000967000-memory.dmpFilesize
5.4MB
-
memory/1208-213-0x000000000019F000-0x00000000001A0000-memory.dmpFilesize
4KB
-
memory/2624-194-0x0000022C83240000-0x0000022C83244000-memory.dmpFilesize
16KB
-
memory/4488-173-0x0000000002231000-0x000000000223C000-memory.dmpFilesize
44KB
-
memory/4488-181-0x00000000057D0000-0x0000000005836000-memory.dmpFilesize
408KB
-
memory/4488-157-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-161-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-160-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/4488-162-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-159-0x0000000002260000-0x0000000002299000-memory.dmpFilesize
228KB
-
memory/4488-158-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-163-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-164-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-165-0x0000000000400000-0x00000000004F8000-memory.dmpFilesize
992KB
-
memory/4488-166-0x0000000002230000-0x000000000225A000-memory.dmpFilesize
168KB
-
memory/4488-172-0x0000000002230000-0x000000000225A000-memory.dmpFilesize
168KB
-
memory/4488-180-0x0000000000580000-0x000000000061C000-memory.dmpFilesize
624KB
-
memory/4488-175-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/4488-174-0x0000000074BA0000-0x0000000075350000-memory.dmpFilesize
7.7MB
-
memory/4488-176-0x0000000005112000-0x0000000005113000-memory.dmpFilesize
4KB
-
memory/4488-177-0x0000000005113000-0x0000000005114000-memory.dmpFilesize
4KB
-
memory/4488-178-0x0000000005114000-0x0000000005115000-memory.dmpFilesize
4KB
-
memory/4488-179-0x0000000000500000-0x0000000000550000-memory.dmpFilesize
320KB
-
memory/4576-145-0x0000000000730000-0x00000000007E0000-memory.dmpFilesize
704KB
-
memory/4576-148-0x0000000074BA0000-0x0000000075350000-memory.dmpFilesize
7.7MB
-
memory/4576-133-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/4576-152-0x00000000050A0000-0x0000000005644000-memory.dmpFilesize
5.6MB
-
memory/4576-151-0x0000000005093000-0x0000000005094000-memory.dmpFilesize
4KB
-
memory/4576-149-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/4576-150-0x0000000005092000-0x0000000005093000-memory.dmpFilesize
4KB
-
memory/4576-144-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/4576-147-0x0000000000730000-0x00000000007E0000-memory.dmpFilesize
704KB
-
memory/4576-137-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/4576-153-0x0000000004F00000-0x0000000004F92000-memory.dmpFilesize
584KB
-
memory/4576-154-0x0000000005094000-0x0000000005095000-memory.dmpFilesize
4KB
-
memory/4576-146-0x0000000000730000-0x00000000007FA000-memory.dmpFilesize
808KB
-
memory/4576-136-0x0000000000730000-0x00000000007E0000-memory.dmpFilesize
704KB
-
memory/4576-134-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/4980-221-0x0000000005F40000-0x0000000005FB6000-memory.dmpFilesize
472KB
-
memory/4980-215-0x0000000074BA0000-0x0000000075350000-memory.dmpFilesize
7.7MB
-
memory/4980-216-0x0000000004FA0000-0x00000000055B8000-memory.dmpFilesize
6.1MB
-
memory/4980-217-0x0000000004A00000-0x0000000004A12000-memory.dmpFilesize
72KB
-
memory/4980-218-0x0000000004B30000-0x0000000004C3A000-memory.dmpFilesize
1.0MB
-
memory/4980-219-0x0000000004980000-0x0000000004F98000-memory.dmpFilesize
6.1MB
-
memory/4980-220-0x0000000004A60000-0x0000000004A9C000-memory.dmpFilesize
240KB
-
memory/4980-214-0x0000000000410000-0x0000000000430000-memory.dmpFilesize
128KB