Analysis

max time kernel:  147s
max time network: 165s
platform:         windows7_x64
resource:         win7-20220414-en
submitted:        14-05-2022 13:50

Static task:      static1
Behavioral task:  behavioral1
Sample:           0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
Resource:         win7-20220414-en
General

Target: 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
Size:   392KB
MD5:    5fea51478a01f10a78d428751e973aba
SHA1:   cb7f1e3acc3636a6f890edb8c44d0abe2674ec1c
SHA256: 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b
SHA512: 47ea5c07b4d9d2bd5f9045906da94961f9d7d64e55c992435bdae2d21334daed98f096892da46f2bd18637f48ecac6bc80d6531c5a1cacceb7f3a46182e103c6
Malware Config

Extracted: arkei
  Default: http://62.204.41.69/p8jG9WvgbE.php

Extracted: redline
  04062022
  62.204.41.166:27688
  auth_value: 48182fe753fa2aff7472da064aa2a5d9
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1440-69-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/1440-70-0x0000000000400000-0x0000000000424000-memory.dmp  family_redline

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1988  Fvdfggf.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process                                                                target process
  PID 2028 set thread context of 1632  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  PID 1988 set thread context of 1440  1988  Fvdfggf.exe                                                            regasm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  1988  Fvdfggf.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  1988  Fvdfggf.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 2028 wrote to memory of 1988  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  Fvdfggf.exe
  PID 2028 wrote to memory of 1988  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  Fvdfggf.exe
  PID 2028 wrote to memory of 1988  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  Fvdfggf.exe
  PID 2028 wrote to memory of 1988  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  Fvdfggf.exe
  PID 2028 wrote to memory of 1632  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  PID 2028 wrote to memory of 1632  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  PID 2028 wrote to memory of 1632  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  PID 2028 wrote to memory of 1632  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  PID 2028 wrote to memory of 1632  2028  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe  0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
  PID 1988 wrote to memory of 1440  1988  Fvdfggf.exe                                                            regasm.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
  PID: 2028
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe"
      PID: 1988
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          PID: 1440

    C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b.exe"
      PID: 1632
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
  Filesize: 172KB
  MD5:      e124d6fab64aa638922bc7861998fa8c
  SHA1:     3420d895a8ef834eaf85c800fb83b1eca0a7816e
  SHA256:   de8f8f5217cc3fca88d5261c8ad2c3115750ccf4f7bf3e7904760af2014959e3
  SHA512:   b456215751eeda2f5b633cd52b5b5d820d1dc96d9ec4f4f35fa4fa1c5859dd925c949f0f6270af80a12ede9f9ac45f4a979aea7f8d4da459ed05cd1b7bdd5ed7

\Users\Admin\AppData\Local\Temp\Fvdfggf.exe
  Filesize: 172KB
  MD5:      e124d6fab64aa638922bc7861998fa8c
  SHA1:     3420d895a8ef834eaf85c800fb83b1eca0a7816e
  SHA256:   de8f8f5217cc3fca88d5261c8ad2c3115750ccf4f7bf3e7904760af2014959e3
  SHA512:   b456215751eeda2f5b633cd52b5b5d820d1dc96d9ec4f4f35fa4fa1c5859dd925c949f0f6270af80a12ede9f9ac45f4a979aea7f8d4da459ed05cd1b7bdd5ed7

memory/1440-66-0x000000000041BC2E-mapping.dmp
memory/1440-69-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/1440-70-0x0000000000400000-0x0000000000424000-memory.dmp  Filesize: 144KB
memory/1632-64-0x0000000000408430-mapping.dmp
memory/1632-67-0x0000000000400000-0x000000000043C000-memory.dmp  Filesize: 240KB
memory/1988-59-0x0000000000000000-mapping.dmp
memory/2028-56-0x0000000076261000-0x0000000076263000-memory.dmp  Filesize: 8KB
memory/2028-65-0x0000000002690000-0x0000000002697000-memory.dmp  Filesize: 28KB