Analysis
- max time kernel: 104s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-05-2022 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
  Resource: win10v2004-20220414-en
General
- Target: 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
- Size: 2.0MB
- MD5: 4733a823253e50d03fac643b86bfc988
- SHA1: f665d1e999f428ff6c737eed26e83790dbee024d
- SHA256: 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba
- SHA512: 17c8e90f316004f38dc92e5102ee78903f7d7bf62c40231b868e8182740b9f659cc95bb9d5e19b2830671e43855f3a90d0b380cef2236213227f99fe538b1984
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/624-57-0x0000000000A30000-0x0000000000F28000-memory.dmp | family_redline
behavioral1/memory/624-58-0x0000000000A30000-0x0000000000F28000-memory.dmp | family_redline
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1624 | cmd.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | checkip.amazonaws.com
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 624 wrote to memory of 1624 | 624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe | cmd.exe
PID 624 wrote to memory of 1624 | 624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe | cmd.exe
PID 624 wrote to memory of 1624 | 624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe | cmd.exe
PID 624 wrote to memory of 1624 | 624 | 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe | cmd.exe
PID 1624 wrote to memory of 1720 | 1624 | cmd.exe | PING.EXE
PID 1624 wrote to memory of 1720 | 1624 | cmd.exe | PING.EXE
PID 1624 wrote to memory of 1720 | 1624 | cmd.exe | PING.EXE
PID 1624 wrote to memory of 1720 | 1624 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 3
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/624-54-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/624-56-0x0000000077870000-0x00000000779F0000-memory.dmp (Filesize: 1.5MB)
- memory/624-57-0x0000000000A30000-0x0000000000F28000-memory.dmp (Filesize: 5.0MB)
- memory/624-58-0x0000000000A30000-0x0000000000F28000-memory.dmp (Filesize: 5.0MB)
- memory/1624-59-0x0000000000000000-mapping.dmp
- memory/1720-60-0x0000000000000000-mapping.dmp