Analysis
- max time kernel: 132s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 26-02-2022 23:30
Static task: static1
Behavioral task: behavioral1
- Sample: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
- Resource: win10v2004-en-20220113
General
- Target: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
- Size: 465KB
- MD5: c71425e3cc3c2e52e15f6554d510e6a8
- SHA1: 136db115777778a0ecb9d459d3ace8c98542aafb
- SHA256: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237
- SHA512: b0838277e82abe6e2df4cbf899d72c7faf92874800a6dd5fae4f9b6effa45543cbcd5cca934c351942ddfb52db3a0fc399199d7497faa079e8ed82ad77c536ba
Malware Config
Extracted
- Family: redline
- Botnet: yt
- C2: 65.21.1.119:24371
- auth_value: a7960fdd4739462c8f9231095a524ac3
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Processes:
  - resource: behavioral1/memory/3836-134-0x0000000000400000-0x0000000000420000-memory.dmp; yara_rule: family_redline
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  - description: PID 3628 created 3836; pid: 3628; process: WerFault.exe; target process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 816 set thread context of 3836; pid: 816; process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe; target process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
- Program crash (1 IoC)
  Processes:
  - pid: 3156; pid_target: 3836; process: WerFault.exe; target process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WerFault.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WerFault.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
  - description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WerFault.exe
  - description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WerFault.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid: 3156; process: WerFault.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege; pid: 816; process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
  - description: Token: SeRestorePrivilege; pid: 3156; process: WerFault.exe
  - description: Token: SeBackupPrivilege; pid: 3156; process: WerFault.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  - pid: 3836; process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  - description: PID 816 wrote to memory of 3836; pid: 816; process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe; target process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe (8 occurrences)
  - description: PID 3628 wrote to memory of 3836; pid: 3628; process: WerFault.exe; target process: 59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe (2 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\59a8083391f2d47e161cf0caa51da1ea77898657941279135a3a66e10dfc1237.exe
    - Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 12
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3836 -ip 3836
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/816-130-0x0000000074BDE000-0x0000000074BDF000-memory.dmp (Filesize: 4KB)
- memory/816-131-0x0000000000390000-0x000000000040A000-memory.dmp (Filesize: 488KB)
- memory/816-133-0x0000000004CC0000-0x0000000004CC1000-memory.dmp (Filesize: 4KB)
- memory/816-132-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (Filesize: 4KB)
- memory/3836-134-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)