Analysis
- max time kernel: 144s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-04-2022 15:06
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: d23377638cab0ee29ab55a5312279c32.exe
  Resource: win7-20220331-en
- Behavioral task: behavioral2
  Sample: d23377638cab0ee29ab55a5312279c32.exe
  Resource: win10v2004-en-20220113
General
- Target: d23377638cab0ee29ab55a5312279c32.exe
- Size: 1.9MB
- MD5: d23377638cab0ee29ab55a5312279c32
- SHA1: c97a094fb56509a79cdec0a56a5099d77aadd7a5
- SHA256: 148607dfd0bbe0d5b58268c6bd252a2cdbd2271e4f1b43138eb7de47eb51bf65
- SHA512: e4eddf8407bb96b1916e6a32376ec6950dfa822d36519ad8cab03ac57a391bd49d61b003ce261eccabba0bbf73788e77739bf8426b95a6adc306a1311f8a7004
Malware Config
- Extracted family: redline
- Botnet: @ansdvsvsvd
- C2: 46.8.220.88:65531
- auth_value: d7b874c6650abbcb219b4f56f4676fee
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/3284-133-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid | process
  4320 | fl.exe
  4920 | services32.exe
  792 | sihost32.exe
- VMProtect packed file (yara rule vmprotect, 5 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\fl.exe | vmprotect
  C:\Users\Admin\AppData\Local\Temp\fl.exe | vmprotect
  behavioral2/memory/4320-152-0x0000000000900000-0x000000000111A000-memory.dmp | vmprotect
  C:\Windows\System32\services32.exe | vmprotect
  C:\Windows\system32\services32.exe | vmprotect
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | services32.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\services32.exe | fl.exe
  File opened for modification | C:\Windows\system32\services32.exe | fl.exe
  File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | services32.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2368 set thread context of 3284 | 2368 | d23377638cab0ee29ab55a5312279c32.exe | AppLaunch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process | hits
  3284 | AppLaunch.exe | 1
  4320 | fl.exe | 1
  2000 | powershell.exe | 2
  3512 | powershell.exe | 2
  4920 | services32.exe | 2
  4988 | powershell.exe | 2
  1588 | powershell.exe | 2
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3284 | AppLaunch.exe
  Token: SeDebugPrivilege | 4320 | fl.exe
  Token: SeDebugPrivilege | 2000 | powershell.exe
  Token: SeDebugPrivilege | 3512 | powershell.exe
  Token: SeDebugPrivilege | 4920 | services32.exe
  Token: SeDebugPrivilege | 4988 | powershell.exe
  Token: SeDebugPrivilege | 1588 | powershell.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | process | target process | hits
  PID 2368 wrote to memory of 3284 | 2368 | d23377638cab0ee29ab55a5312279c32.exe | AppLaunch.exe | 5
  PID 3284 wrote to memory of 4320 | 3284 | AppLaunch.exe | fl.exe | 2
  PID 4320 wrote to memory of 1568 | 4320 | fl.exe | cmd.exe | 2
  PID 1568 wrote to memory of 2000 | 1568 | cmd.exe | powershell.exe | 2
  PID 4320 wrote to memory of 3160 | 4320 | fl.exe | cmd.exe | 2
  PID 3160 wrote to memory of 4072 | 3160 | cmd.exe | schtasks.exe | 2
  PID 1568 wrote to memory of 3512 | 1568 | cmd.exe | powershell.exe | 2
  PID 4320 wrote to memory of 3796 | 4320 | fl.exe | cmd.exe | 2
  PID 3796 wrote to memory of 4920 | 3796 | cmd.exe | services32.exe | 2
  PID 4920 wrote to memory of 2056 | 4920 | services32.exe | cmd.exe | 2
  PID 2056 wrote to memory of 4988 | 2056 | cmd.exe | powershell.exe | 2
  PID 4920 wrote to memory of 792 | 4920 | services32.exe | sihost32.exe | 2
  PID 2056 wrote to memory of 1588 | 2056 | cmd.exe | powershell.exe | 2
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\d23377638cab0ee29ab55a5312279c32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d23377638cab0ee29ab55a5312279c32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\fl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fl.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd" cmd /c "C:\Windows\system32\services32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\services32.exe
            Command line: C:\Windows\system32\services32.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\cmd.exe
              Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
              Command line: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
              - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 63aec5618613b4be6bd15b82345a971e
  SHA1: cf3df18b2ed2b082a513dd53e55afb720cefe40e
  SHA256: f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721
  SHA512: a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e58749a7a1826f6ea62df1e2ef63a32b
  SHA1: c0bca21658b8be4f37b71eec9578bfefa44f862d
  SHA256: 0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
  SHA512: 4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70
- C:\Users\Admin\AppData\Local\Temp\fl.exe
  Filesize: 4.1MB
  MD5: 316f80a8407ffa9e69852ec4d1bf90e9
  SHA1: 1e3aa2295857b33b515fb1d816f5f13cefa89c1f
  SHA256: 86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89
  SHA512: c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a
- C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
  Filesize: 9KB
  MD5: ce15357c848de5a619508a9dba6de45e
  SHA1: e996170fa8164b8703939af43214ae1531d7075c
  SHA256: 1d7802b0933014148b105628cbe81f0b997e7dc28b4713e0e225ae84d9ced838
  SHA512: 9a2639db9b62f7bed3740e010e0399fa855693553acbadcd66da180c0e9ddd840886279df279f496483e68edeaae87e78477dd7331fb7111378acb1b8c2f6f2f
- C:\Windows\System32\services32.exe
  Filesize: 4.1MB
  MD5: 316f80a8407ffa9e69852ec4d1bf90e9
  SHA1: 1e3aa2295857b33b515fb1d816f5f13cefa89c1f
  SHA256: 86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89
  SHA512: c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a
- C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
  Filesize: 9KB
  MD5: ce15357c848de5a619508a9dba6de45e
  SHA1: e996170fa8164b8703939af43214ae1531d7075c
  SHA256: 1d7802b0933014148b105628cbe81f0b997e7dc28b4713e0e225ae84d9ced838
  SHA512: 9a2639db9b62f7bed3740e010e0399fa855693553acbadcd66da180c0e9ddd840886279df279f496483e68edeaae87e78477dd7331fb7111378acb1b8c2f6f2f
- C:\Windows\system32\services32.exe
  Filesize: 4.1MB
  MD5: 316f80a8407ffa9e69852ec4d1bf90e9
  SHA1: 1e3aa2295857b33b515fb1d816f5f13cefa89c1f
  SHA256: 86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89
  SHA512: c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a
Memory dumps (filesize in parentheses; mapping dumps carry no size)
- memory/792-190-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/792-184-0x0000000000000000-mapping.dmp
- memory/792-187-0x0000000000020000-0x0000000000026000-memory.dmp (24KB)
- memory/792-194-0x000000001BB30000-0x000000001BB32000-memory.dmp (8KB)
- memory/1568-157-0x0000000000000000-mapping.dmp
- memory/1588-196-0x0000027FB9C46000-0x0000027FB9C48000-memory.dmp (8KB)
- memory/1588-189-0x0000000000000000-mapping.dmp
- memory/1588-191-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/1588-192-0x0000027FB9C40000-0x0000027FB9C42000-memory.dmp (8KB)
- memory/1588-193-0x0000027FB9C43000-0x0000027FB9C45000-memory.dmp (8KB)
- memory/2000-166-0x000002CD2C836000-0x000002CD2C838000-memory.dmp (8KB)
- memory/2000-158-0x0000000000000000-mapping.dmp
- memory/2000-159-0x000002CD2D660000-0x000002CD2D682000-memory.dmp (136KB)
- memory/2000-163-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/2000-165-0x000002CD2C833000-0x000002CD2C835000-memory.dmp (8KB)
- memory/2000-164-0x000002CD2C830000-0x000002CD2C832000-memory.dmp (8KB)
- memory/2056-181-0x0000000000000000-mapping.dmp
- memory/2368-131-0x0000000000970000-0x0000000000B52000-memory.dmp (1.9MB)
- memory/3160-160-0x0000000000000000-mapping.dmp
- memory/3284-148-0x0000000007DD0000-0x00000000082FC000-memory.dmp (5.2MB)
- memory/3284-142-0x0000000005540000-0x00000000055A6000-memory.dmp (408KB)
- memory/3284-132-0x0000000000000000-mapping.dmp
- memory/3284-133-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/3284-146-0x00000000063D0000-0x00000000063EE000-memory.dmp (120KB)
- memory/3284-147-0x00000000070C0000-0x0000000007282000-memory.dmp (1.8MB)
- memory/3284-144-0x00000000061F0000-0x0000000006282000-memory.dmp (584KB)
- memory/3284-143-0x0000000006090000-0x0000000006106000-memory.dmp (472KB)
- memory/3284-145-0x0000000006840000-0x0000000006DE4000-memory.dmp (5.6MB)
- memory/3284-138-0x00000000057B0000-0x0000000005DC8000-memory.dmp (6.1MB)
- memory/3284-139-0x00000000051B0000-0x00000000051C2000-memory.dmp (72KB)
- memory/3284-140-0x00000000052E0000-0x00000000053EA000-memory.dmp (1.0MB)
- memory/3284-141-0x0000000005230000-0x000000000526C000-memory.dmp (240KB)
- memory/3512-167-0x0000000000000000-mapping.dmp
- memory/3512-173-0x000001BB40C16000-0x000001BB40C18000-memory.dmp (8KB)
- memory/3512-172-0x000001BB40C13000-0x000001BB40C15000-memory.dmp (8KB)
- memory/3512-171-0x000001BB40C10000-0x000001BB40C12000-memory.dmp (8KB)
- memory/3512-170-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/3796-174-0x0000000000000000-mapping.dmp
- memory/4072-161-0x0000000000000000-mapping.dmp
- memory/4320-149-0x0000000000000000-mapping.dmp
- memory/4320-152-0x0000000000900000-0x000000000111A000-memory.dmp (8.1MB)
- memory/4320-153-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/4320-156-0x0000000001940000-0x0000000001952000-memory.dmp (72KB)
- memory/4320-162-0x000000001DF30000-0x000000001DF32000-memory.dmp (8KB)
- memory/4920-178-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/4920-175-0x0000000000000000-mapping.dmp
- memory/4988-188-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp (10.8MB)
- memory/4988-182-0x0000000000000000-mapping.dmp