Overview

overview

10

Static

static

1.exe

windows7_x64

10

1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294181s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    11-04-2022 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    4.5MB

  • MD5

    f556df38b1abf7c5ef71b6bc040bfe93

  • SHA1

    64a174173f3e4c46b8db36fa04f076dca5a3aac7

  • SHA256

    60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a

  • SHA512

    0a74598fb4b4b256555c0e4b8e7b654cc0fcb6a18c16f9da912eeea4b24d79f66776e3484200277ff9705032ef60afca97639df4a273cedb2729d6dd085b598b

Score
10/10
phoenixstealerredlineinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

104.244.76.137:4487

Attributes
  • auth_value

    67c42657a2dc51f3323efd90a04a2b03

Signatures

  • PhoenixStealer

    PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.

    stealerphoenixstealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\Temp\s.exe
      "C:\Windows\Temp\s.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
    • C:\Windows\Temp\setup.exe
      "C:\Windows\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:648
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f
          3⤵
            PID:1764
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
            3⤵
            • Creates scheduled task(s)
            PID:2008
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
            3⤵
            • Creates scheduled task(s)
            PID:1236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1332
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1576 -s 1868
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:1328
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\Temp\run.bat" "
          2⤵
          • Drops startup file
          PID:2012
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\Temp\lol.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://methodmedia.biz/?p=gmzgcobuge5gi3bpgu4dkmbz
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:944
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {7CBD1431-0760-42AB-969E-2B4493811327} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
        1⤵
          PID:2028

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          99b3a5b4c94baef6e42f3021e0837405

          SHA1

          18932e631aab9de6cc087df841ca037b73794b5c

          SHA256

          c5183453a51511f178d8e5fe025ea803000416a687f033c8733cf4e93461b2c1

          SHA512

          26bca80934ed68c3bb69282f9701692d24f5bba960e6e96e2ca2f673fde4111c61d570bcc7c906a14c7cdea78cd99787c2e61fcfe1a821639ff98fb211f18fa5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T5B11CIP.txt
          Filesize

          602B

          MD5

          d7ac50c74d687905df46b8a126adb19d

          SHA1

          196110f691e46b7386e0f06e201f8eb715b11460

          SHA256

          dcdc5bef1c9e21ac8c069120ebe3ec811eda989912b42cd7263004ec212a32fc

          SHA512

          a08ac55c931f1e74af17815f2039a826ac959fc4a32df117c8f910cfd83f46f9dfb1042f9ee7ef0be10c35d84f70d6c1a5942800db10601ed06a647c6d77a084

          Download Submit

        • C:\Windows\Temp\lol.bat
          Filesize

          62B

          MD5

          f95588de9545bb2369f424377a4c0289

          SHA1

          9e8e0876df2171cbca169e90965442f106cb0600

          SHA256

          70915616ff58efa0206685c04e9c3a1a02fc0a0e8a5396509552b1903d9c8097

          SHA512

          56d82f43863d181af70ce5b943ed9f23b1a18523cfc322cebce17a7f823ebf97420a2d38478fd4839bbcb1f9f659ad9bde965f7891e192b17dc4610e02b5b6f4

          Download Submit

        • C:\Windows\Temp\run.bat
          Filesize

          98B

          MD5

          731afe244b2414169a5f630d52646e56

          SHA1

          e3771ccdccd8c306ee5fc4f264cfc3310690458c

          SHA256

          6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

          SHA512

          84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

          Download Submit

        • C:\Windows\Temp\s.exe
          Filesize

          3.9MB

          MD5

          89864c831ebb2a57b104544ef4ad5bc5

          SHA1

          7b863625c47af7ae464223f531540e0a85a045f2

          SHA256

          bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb

          SHA512

          72e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2

          Download Submit

        • C:\Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • C:\Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          3.9MB

          MD5

          89864c831ebb2a57b104544ef4ad5bc5

          SHA1

          7b863625c47af7ae464223f531540e0a85a045f2

          SHA256

          bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb

          SHA512

          72e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          3.9MB

          MD5

          89864c831ebb2a57b104544ef4ad5bc5

          SHA1

          7b863625c47af7ae464223f531540e0a85a045f2

          SHA256

          bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb

          SHA512

          72e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          3.9MB

          MD5

          89864c831ebb2a57b104544ef4ad5bc5

          SHA1

          7b863625c47af7ae464223f531540e0a85a045f2

          SHA256

          bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb

          SHA512

          72e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2

          Download Submit

        • \Windows\Temp\s.exe
          Filesize

          3.9MB

          MD5

          89864c831ebb2a57b104544ef4ad5bc5

          SHA1

          7b863625c47af7ae464223f531540e0a85a045f2

          SHA256

          bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb

          SHA512

          72e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • \Windows\Temp\setup.exe
          Filesize

          968KB

          MD5

          92c419119e1a95da7d3ce5c85724872f

          SHA1

          494650fe4fdca8260cf48a006979d14c6a890c8b

          SHA256

          5fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96

          SHA512

          3d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9

          Download Submit

        • memory/648-118-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-115-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-133-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-125-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-111-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-110-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-117-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-113-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/648-120-0x0000000000400000-0x000000000048D000-memory.dmp

          Filesize

          564KB

          Download

        • memory/1332-136-0x00000000023D2000-0x00000000023D4000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1332-145-0x00000000023DB000-0x00000000023FA000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1332-132-0x000007FEEB100000-0x000007FEEBC5D000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1332-137-0x00000000023D4000-0x00000000023D7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1332-135-0x00000000023D0000-0x00000000023D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1332-131-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1432-76-0x0000000000400000-0x0000000000AE0000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1524-97-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1524-104-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1524-103-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1524-95-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1576-109-0x0000000000150000-0x0000000000158000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1576-107-0x0000000000140000-0x0000000000148000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1576-108-0x0000000000740000-0x00000000007A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1576-70-0x00000000012E0000-0x0000000001300000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1576-106-0x000000001BDF0000-0x000000001BDF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1576-134-0x000000001BDF6000-0x000000001BE15000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1576-123-0x00000000008C0000-0x00000000008EC000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1892-54-0x0000000074FF1000-0x0000000074FF3000-memory.dmp

          Filesize

          8KB

          Download