Overview

overview

10

Static

static

07f25ccae0...27.exe

windows7_x64

10

07f25ccae0...27.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    175s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-02-2022 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe

  • Size

    479KB

  • MD5

    203e8131a6f654a6c67f53ef46b65117

  • SHA1

    51ece091b99c77ef712db6aac01ca8b183d2e0b0

  • SHA256

    07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27

  • SHA512

    311db800b56eac3f3bdfd78a922eeb7a2a019b236f3dea5229475519f5bf87f756d9cdcad9a8d4011ba9fc1b1463cb860d1d2da7fb92c8c29553c3e117d0e0c0

Score
10/10
redlinetest1discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

test1

C2

disandillanne.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe
    "C:\Users\Admin\AppData\Local\Temp\07f25ccae0c5a4be7aacf1e2fc562e20ad26cfeb32d561a23635ce963a6d5c27.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exe
      "C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
    • C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe
      "C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 380
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4748
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2624
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1208 -ip 1208
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4256
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exe
    MD5

    fd4bcc51f6325388f8d2e6c3f6b32cee

    SHA1

    99f99a4b5655d01789e9ebe97effc7b64369c641

    SHA256

    5f9484bd0136da270398279a49369490fbb2ba4fa92e73126b60b75148da407f

    SHA512

    c7a8577cc54c05227768f079648414819673cbefb7d2824724683a702febb476ac38270f4ac4c98d5639fa789697e9738ef6e98487774b594d114bdecb3309e3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\af2ecd93-5867-48ce-86e8-80bbe734c949.exe
    MD5

    fd4bcc51f6325388f8d2e6c3f6b32cee

    SHA1

    99f99a4b5655d01789e9ebe97effc7b64369c641

    SHA256

    5f9484bd0136da270398279a49369490fbb2ba4fa92e73126b60b75148da407f

    SHA512

    c7a8577cc54c05227768f079648414819673cbefb7d2824724683a702febb476ac38270f4ac4c98d5639fa789697e9738ef6e98487774b594d114bdecb3309e3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe
    MD5

    4f1c1dee549fe45bfc4d69f251c3bbfe

    SHA1

    2771a162d86f1658a37ad50b55e73c38ebf4459a

    SHA256

    20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75

    SHA512

    15b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\deadeb04-3b52-4a45-be46-9e6a01d2ae84.exe
    MD5

    4f1c1dee549fe45bfc4d69f251c3bbfe

    SHA1

    2771a162d86f1658a37ad50b55e73c38ebf4459a

    SHA256

    20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75

    SHA512

    15b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581

    Download Submit
  • memory/1208-201-0x00000000025B0000-0x00000000025F1000-memory.dmp
    Filesize

    260KB

    Download
  • memory/1208-202-0x0000000000400000-0x0000000000967000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/1208-203-0x0000000000400000-0x0000000000967000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/1208-200-0x0000000000400000-0x0000000000967000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/1208-199-0x0000000000A80000-0x0000000000A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-198-0x0000000000400000-0x0000000000967000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/1208-197-0x0000000000400000-0x0000000000967000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/1208-204-0x0000000000A90000-0x0000000000A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-205-0x0000000000400000-0x0000000000967000-memory.dmp
    Filesize

    5.4MB

    Download
  • memory/1208-213-0x000000000019F000-0x00000000001A0000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2624-194-0x0000022C83240000-0x0000022C83244000-memory.dmp
    Filesize

    16KB

    Download
  • memory/4488-173-0x0000000002231000-0x000000000223C000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4488-181-0x00000000057D0000-0x0000000005836000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4488-157-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-161-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-160-0x00000000008E0000-0x00000000008E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4488-162-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-159-0x0000000002260000-0x0000000002299000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4488-158-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-163-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-164-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-165-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/4488-166-0x0000000002230000-0x000000000225A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/4488-172-0x0000000002230000-0x000000000225A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/4488-180-0x0000000000580000-0x000000000061C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4488-175-0x0000000005110000-0x0000000005111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4488-174-0x0000000074BA0000-0x0000000075350000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4488-176-0x0000000005112000-0x0000000005113000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4488-177-0x0000000005113000-0x0000000005114000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4488-178-0x0000000005114000-0x0000000005115000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4488-179-0x0000000000500000-0x0000000000550000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4576-145-0x0000000000730000-0x00000000007E0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/4576-148-0x0000000074BA0000-0x0000000075350000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4576-133-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/4576-152-0x00000000050A0000-0x0000000005644000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4576-151-0x0000000005093000-0x0000000005094000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4576-149-0x0000000005090000-0x0000000005091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4576-150-0x0000000005092000-0x0000000005093000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4576-144-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/4576-147-0x0000000000730000-0x00000000007E0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/4576-137-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/4576-153-0x0000000004F00000-0x0000000004F92000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4576-154-0x0000000005094000-0x0000000005095000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4576-146-0x0000000000730000-0x00000000007FA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/4576-136-0x0000000000730000-0x00000000007E0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/4576-134-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/4980-221-0x0000000005F40000-0x0000000005FB6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4980-215-0x0000000074BA0000-0x0000000075350000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4980-216-0x0000000004FA0000-0x00000000055B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4980-217-0x0000000004A00000-0x0000000004A12000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4980-218-0x0000000004B30000-0x0000000004C3A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4980-219-0x0000000004980000-0x0000000004F98000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4980-220-0x0000000004A60000-0x0000000004A9C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4980-214-0x0000000000410000-0x0000000000430000-memory.dmp
    Filesize

    128KB

    Download