Analysis
- max time kernel: 96s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-04-2022 00:12
Behavioral task: behavioral1
Sample: bc9964b04c2c38eb8fab28aae525071e.exe
Resource: win7-20220414-en
General
- Target: bc9964b04c2c38eb8fab28aae525071e.exe
- Size: 106KB
- MD5: bc9964b04c2c38eb8fab28aae525071e
- SHA1: 62599cf43426898880b02997370780db75a157bf
- SHA256: deceeec4d99e6b4b70de57d6ee732b1f70e6cbb9ea27d0bb7304fd51b1ca0b2d
- SHA512: 388c8136ee8e78c31266ac7b56ea177573fae7f6935fc6fce399fa724b68b57fb094fc6f0ef6d84e1b92566b48693108cfb7c18b4917c63f1086c5441c19a46f
Malware Config
Extracted
- redline
- 7
- 49.12.222.31:8854
- auth_value: 811329e6a45eab1a6b331f7b5c15ef6d
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/3656-130-0x0000000000D30000-0x0000000000D50000-memory.dmp, yara_rule: family_redline
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes:
  pid: 3592, process: exe.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, process: bc9964b04c2c38eb8fab28aae525071e.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid: 3656, process: bc9964b04c2c38eb8fab28aae525071e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 3656, process: bc9964b04c2c38eb8fab28aae525071e.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid: 3592, process: exe.exe
  pid: 3592, process: exe.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description: PID 3656 wrote to memory of 3592, pid: 3656, process: bc9964b04c2c38eb8fab28aae525071e.exe, target process: exe.exe
  description: PID 3656 wrote to memory of 3592, pid: 3656, process: bc9964b04c2c38eb8fab28aae525071e.exe, target process: exe.exe
  description: PID 3656 wrote to memory of 3592, pid: 3656, process: bc9964b04c2c38eb8fab28aae525071e.exe, target process: exe.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc9964b04c2c38eb8fab28aae525071e.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\exe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\exe.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\exe.exe
  Filesize: 2.0MB
  MD5: 2c34d1bf1f3672b5f05c88b6196a3afb
  SHA1: 9e3808163d2ef983243053daf1004bcef1e3adf4
  SHA256: fb62b0e284bddf9a8cf125e945a06f6687c783768690db4ed4e490e858272496
  SHA512: ad209a25b716e03faa299b5289fce4a3d3beddc35b10373288c5668de849dd2028614306ad10181c9b05d448fd25ea73bb01fb1df465e4cef5e1ade635775703