Analysis

Max time kernel: 107s
Max time network: 145s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 27-05-2022 14:21

Static task: static1
Behavioral task: behavioral1
  Sample: a76608f42563198c86f4a7f10ea910cc.exe
  Resource: win7-20220414-en
General

Target: a76608f42563198c86f4a7f10ea910cc.exe
Size: 374KB
MD5: a76608f42563198c86f4a7f10ea910cc
SHA1: 8ea79e0e0523e9b7d1993ab08408d3b369c2a802
SHA256: 05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
SHA512: 0bad64c511d78964da9397813876c49102cd34031dbdbd61304cef33136c82b3830bee8623ed7f4dc067f0b6c90956d5b04843c64b218458ad8a3cdf44378091
Malware Config

Extracted family: redline
Botnet: RuzkiUNIKALNO
C2: 193.233.48.58:38989
auth_value: c504b04cfbdd4bf85ce6195bcb37fba6
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine Payload (2 IoCs)
  Processes:
  resource: behavioral1/memory/1068-63-0x00000000009C0000-0x00000000009F4000-memory.dmp, yara_rule: family_redline
  resource: behavioral1/memory/1068-67-0x00000000009F0000-0x0000000000A24000-memory.dmp, yara_rule: family_redline

- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
- Downloads MZ/PE file

- Executes dropped EXE (1 IoCs)
  Processes:
  pid 1068, process rrun.exe.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation; process: a76608f42563198c86f4a7f10ea910cc.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  pid 1092, process a76608f42563198c86f4a7f10ea910cc.exe
  pid 1092, process a76608f42563198c86f4a7f10ea910cc.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 18, ioc ipinfo.io
  flow 17, ioc ipinfo.io

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies system certificate store
  Processes:
  description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474; process: a76608f42563198c86f4a7f10ea910cc.exe
  description: Set value (data); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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; process: a76608f42563198c86f4a7f10ea910cc.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid 1092, process a76608f42563198c86f4a7f10ea910cc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege; pid 1068; process rrun.exe.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 1092 wrote to memory of 1068; process a76608f42563198c86f4a7f10ea910cc.exe; target process rrun.exe.exe (reported 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a76608f42563198c86f4a7f10ea910cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a76608f42563198c86f4a7f10ea910cc.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Modifies system certificate store
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\Pictures\Adobe Films\rrun.exe.exe
   Command line: "C:\Users\Admin\Pictures\Adobe Films\rrun.exe.exe"
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\Pictures\Adobe Films\rrun.exe.exe
  Filesize: 415KB
  MD5: 77f3685864f058d9bd47298fb2741e04
  SHA1: 18b02934b2c22fb8786fdd03fba266a19bbaffd3
  SHA256: 0556d888fbe5dbc66e2ff5acf9e82c9d971bfb5983a9fb9786b1956030506dc8
  SHA512: dd8cae914255e94c677588fda0409e3bb49db2451f7a8dfbccb5ac927a3ac6c8d5e1c8112d557a2ef196419335862020a8664ed45562137bd941b90f0709fb30
- memory/1068-63-0x00000000009C0000-0x00000000009F4000-memory.dmp (Filesize: 208KB)
- memory/1068-61-0x0000000000000000-mapping.dmp
- memory/1068-65-0x0000000000220000-0x000000000025A000-memory.dmp (Filesize: 232KB)
- memory/1068-64-0x0000000000AAE000-0x0000000000ADA000-memory.dmp (Filesize: 176KB)
- memory/1068-66-0x0000000000400000-0x0000000000930000-memory.dmp (Filesize: 5.2MB)
- memory/1068-67-0x00000000009F0000-0x0000000000A24000-memory.dmp (Filesize: 208KB)
- memory/1092-58-0x0000000005FD0000-0x0000000006190000-memory.dmp (Filesize: 1.8MB)
- memory/1092-57-0x0000000000400000-0x0000000002B7B000-memory.dmp (Filesize: 39.5MB)
- memory/1092-55-0x0000000002D3E000-0x0000000002D5A000-memory.dmp (Filesize: 112KB)
- memory/1092-56-0x0000000000230000-0x0000000000263000-memory.dmp (Filesize: 204KB)
- memory/1092-54-0x00000000765C1000-0x00000000765C3000-memory.dmp (Filesize: 8KB)