Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    60s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.2MB

  • MD5

    c52e23f559f027c6af598ff0a4c3497d

  • SHA1

    0e6de0682ae5d89a6530a6c6e03054f5aaeb0662

  • SHA256

    409a345a063f2fc853b7b45c060970231d9fdc6b453444ae855b7fda4be50021

  • SHA512

    802159c0fa6034dfc4278ee470aef46a52947006b007ae6a90391377d6c9b3774c999c30ab8d62a10869bf4d459736da4b70ce97d7771bf849effff7714e6428

Score
10/10
redlinetest1infostealerpersistencespyware

Malware Config

Extracted

Family

redline

Botnet

test1

C2

23.88.112.179:19536

Attributes
  • auth_value

    68c6114f4d4c471ad88677f54e75676f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 20
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\timeout.exe
        timeout 20
        3⤵
        • Delays execution with timeout.exe
        PID:1992
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/944-59-0x0000000000B10000-0x0000000000B4A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/944-55-0x0000000007F80000-0x00000000080B0000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/944-56-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize

    8KB

    Download
  • memory/944-54-0x0000000000D50000-0x0000000000E94000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1716-63-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-60-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-61-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-64-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-65-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-66-0x000000000041232E-mapping.dmp
    Download
  • memory/1716-70-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-68-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1716-71-0x00000000003B0000-0x00000000003D0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1992-58-0x0000000000000000-mapping.dmp
    Download
  • memory/2024-57-0x0000000000000000-mapping.dmp
    Download