Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
11-04-2022 02:55
General
-
Target
1.exe
-
Size
4.5MB
-
MD5
f556df38b1abf7c5ef71b6bc040bfe93
-
SHA1
64a174173f3e4c46b8db36fa04f076dca5a3aac7
-
SHA256
60c63fafcbcb2655d7806d9715f1755db205a975ddf68421967a39a2abcfb11a
-
SHA512
0a74598fb4b4b256555c0e4b8e7b654cc0fcb6a18c16f9da912eeea4b24d79f66776e3484200277ff9705032ef60afca97639df4a273cedb2729d6dd085b598b
Score
10/10
Malware Config
Extracted
Family
redline
C2
104.244.76.137:4487
Attributes
-
auth_value
67c42657a2dc51f3323efd90a04a2b03
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\s.exe"C:\Windows\Temp\s.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 5724⤵
- Program crash
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f3⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4724 -s 17643⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "2⤵
- Drops startup file
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://methodmedia.biz/?p=gmzgcobuge5gi3bpgu4dkmbz3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7fff823446f8,0x7fff82344708,0x7fff823447184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4852 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5728 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6d4c15460,0x7ff6d4c15470,0x7ff6d4c154805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6844 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3052 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,3165633036019257130,9120918416067446972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:84⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3464 -ip 34641⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 4724 -ip 47241⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
9KB
MD5a1616ba7384c405c7d76c0ac7f8cc1a9
SHA1dfd8fd96255e91c93207caa7658903b3fbf88816
SHA25635d04e1b2550624bc9499e8dbdea60e9a317d9d14fbf5d28f386e98d12a277b6
SHA5129c47766848361b0ffc1d88c33be9ad8275a16146b1b2a00b6f93fed4d8a6e1df34b5f62086e4d6c3b1b04d812ed517c597b2218353210a524cdbc5ac20bcf895
-
Filesize
62B
MD5f95588de9545bb2369f424377a4c0289
SHA19e8e0876df2171cbca169e90965442f106cb0600
SHA25670915616ff58efa0206685c04e9c3a1a02fc0a0e8a5396509552b1903d9c8097
SHA51256d82f43863d181af70ce5b943ed9f23b1a18523cfc322cebce17a7f823ebf97420a2d38478fd4839bbcb1f9f659ad9bde965f7891e192b17dc4610e02b5b6f4
-
Filesize
98B
MD5731afe244b2414169a5f630d52646e56
SHA1e3771ccdccd8c306ee5fc4f264cfc3310690458c
SHA2566c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552
SHA51284e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1
-
Filesize
3.9MB
MD589864c831ebb2a57b104544ef4ad5bc5
SHA17b863625c47af7ae464223f531540e0a85a045f2
SHA256bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb
SHA51272e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2
-
Filesize
3.9MB
MD589864c831ebb2a57b104544ef4ad5bc5
SHA17b863625c47af7ae464223f531540e0a85a045f2
SHA256bbae1e89d39bff79d315a5be1b7934223691883c16c3f7ad8cc2ea98b30824bb
SHA51272e44af099372eac1134938f38bc9e19a026d603191e5d81c0a44a066f652a3e2cc71f5a75c1b16e4cc2f83d379cf5a7e293e7f47d6a8364b00e48e8fef028e2
-
Filesize
968KB
MD592c419119e1a95da7d3ce5c85724872f
SHA1494650fe4fdca8260cf48a006979d14c6a890c8b
SHA2565fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96
SHA5123d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9
-
Filesize
968KB
MD592c419119e1a95da7d3ce5c85724872f
SHA1494650fe4fdca8260cf48a006979d14c6a890c8b
SHA2565fb5101940f2fa6e9145b664ef88b3cb3258cf8743dd1f13f76dd7bbdb652b96
SHA5123d6699910ba9f466e940db1abf89ca7e88466f4f5ce3cd11ad7b2da3ad0fb1045e11f831d4766347a2b6b7959b7c00b0f93d8e7f4bf9b27e00bc17319f3da5b9
-
Filesize
6.9MB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
20KB
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
16KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB