Analysis
-
max time kernel
90s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-04-2022 08:13
General
-
Target
tmp.exe
-
Size
233KB
-
MD5
94247657d1d5310558f964899e55e6f1
-
SHA1
259ee76c389c9ad78eced69889c22a8ed07e4d71
-
SHA256
73aab7448569833e2efc6a6a87ca13380c95f9553d3eeb905781121074e37223
-
SHA512
2394af4baf90e6fc8f269ed89ff20af190d1473a692ba60dc3bf4f74c37868b610a3dd064842fd32f7cdbb820b3d0096e6f934a09c30cc7edebfb9e1cd7f4a5c
Malware Config
Extracted
redline
321
188.68.205.12:7053
-
auth_value
4d46e916fedf26ad6d80e6e09a9f06db
Signatures
-
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\M3gJNbpqWpct.exe"C:\Users\Public\M3gJNbpqWpct.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Public\BEgHvre3gJNc.exe"C:\Users\Public\BEgHvre3gJNc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3972 -s 16203⤵
- Program crash
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 3972 -ip 39721⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD5f7e0bc53f475f93c184b31409ca5539f
SHA1e60ba555b7f4d5dc28d57b474e0e0c7554da2552
SHA256dd96dd3fb9a841267ba7fdd9c6ee960f5c705763d34d3744299f2a74e7fa24f5
SHA5120de2188475e12de697c8c318c10a9a6e0b9c807a88b3129187766c9c8aeaddaa4847be63921848507a7810321fa5e3b17839d92c1c4efe488dfbbe9a3fe0a8c3
-
Filesize
42KB
MD5f7e0bc53f475f93c184b31409ca5539f
SHA1e60ba555b7f4d5dc28d57b474e0e0c7554da2552
SHA256dd96dd3fb9a841267ba7fdd9c6ee960f5c705763d34d3744299f2a74e7fa24f5
SHA5120de2188475e12de697c8c318c10a9a6e0b9c807a88b3129187766c9c8aeaddaa4847be63921848507a7810321fa5e3b17839d92c1c4efe488dfbbe9a3fe0a8c3
-
Filesize
106KB
MD5dd98a38572264302a031491ab1609399
SHA11289dd899d70e5d7dbc370a05d1fe7b6fd853e62
SHA256356e4e6ba72cd92750e00ca7ee0016e53eddf4674d833afff6a17dabdb62cccd
SHA5120113dec16d255a9e6b6d5bc269908241e3fa7de755dbd3f54654e6f3aed664d4b30a0cfdf1eeb129cef8838a314598d95cdcb0c238a550953c279664086548f8
-
Filesize
106KB
MD5dd98a38572264302a031491ab1609399
SHA11289dd899d70e5d7dbc370a05d1fe7b6fd853e62
SHA256356e4e6ba72cd92750e00ca7ee0016e53eddf4674d833afff6a17dabdb62cccd
SHA5120113dec16d255a9e6b6d5bc269908241e3fa7de755dbd3f54654e6f3aed664d4b30a0cfdf1eeb129cef8838a314598d95cdcb0c238a550953c279664086548f8
-
Filesize
6.1MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
128KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
64KB