Analysis
- max time kernel: 37s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-05-2022 16:26
Behavioral tasks
- behavioral1: Sample Setup.exe, Resource win7-20220414-en
- behavioral2: Sample Setup.exe, Resource win10v2004-20220414-en
General
- Target: Setup.exe
- Size: 2.2MB
- MD5: 775e498a631f09987d0e1945c47a01aa
- SHA1: df5de4d57d5ce1ac849940e1c4906ffbc36efb6d
- SHA256: f2fbdc1e852712d8b0a1f6c7090d9fc81694c9604cff9b48900f596431d47158
- SHA512: ccef0c27f1a7c2cfbe791628f841374ce232069fcae97ded44211df91ace6505dc63ba8381bcfcccda586dd611283b35115fcce707780ec31ec5111a9b592885
Malware Config
Extracted
- Family: redline
- 194.93.2.28:46378
- auth_value: 97e69692d8403a5aff22422dec2740bd
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process     target process
    PID 556 set thread context of 2000   556   Setup.exe   AppLaunch.exe
- Program crash (1 IoCs)
  Processes:
    pid    pid_target   process        target process
    1960   556          WerFault.exe   Setup.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    process
    2000   AppLaunch.exe
    2000   AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   2000   AppLaunch.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                       pid   process     target process
    PID 556 wrote to memory of 2000   556   Setup.exe   AppLaunch.exe   (9 identical entries)
    PID 556 wrote to memory of 1960   556   Setup.exe   WerFault.exe    (7 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 36
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/556-54-0x0000000076C81000-0x0000000076C83000-memory.dmp (Filesize: 8KB)
- memory/1960-65-0x0000000000000000-mapping.dmp
- memory/2000-78-0x000000006E290000-0x000000006EFAD000-memory.dmp (Filesize: 13.1MB)
- memory/2000-64-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2000-63-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2000-79-0x0000000072040000-0x0000000072A50000-memory.dmp (Filesize: 10.1MB)
- memory/2000-57-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2000-80-0x000000006F480000-0x000000006F5A3000-memory.dmp (Filesize: 1.1MB)
- memory/2000-68-0x0000000071860000-0x0000000072040000-memory.dmp (Filesize: 7.9MB)
- memory/2000-69-0x0000000070550000-0x000000007185F000-memory.dmp (Filesize: 19.1MB)
- memory/2000-70-0x0000000070260000-0x0000000070548000-memory.dmp (Filesize: 2.9MB)
- memory/2000-71-0x000000006FFA0000-0x000000007025B000-memory.dmp (Filesize: 2.7MB)
- memory/2000-72-0x00000000741D0000-0x00000000741F0000-memory.dmp (Filesize: 128KB)
- memory/2000-73-0x000000006F860000-0x000000006FF9E000-memory.dmp (Filesize: 7.2MB)
- memory/2000-74-0x000000006F790000-0x000000006F859000-memory.dmp (Filesize: 804KB)
- memory/2000-75-0x000000006F630000-0x000000006F72C000-memory.dmp (Filesize: 1008KB)
- memory/2000-76-0x000000006F150000-0x000000006F2DB000-memory.dmp (Filesize: 1.5MB)
- memory/2000-77-0x000000006EFB0000-0x000000006F144000-memory.dmp (Filesize: 1.6MB)
- memory/2000-95-0x000000006FFA0000-0x000000007025B000-memory.dmp (Filesize: 2.7MB)
- memory/2000-62-0x000000000041736E-mapping.dmp
- memory/2000-67-0x0000000072C40000-0x0000000073FCF000-memory.dmp (Filesize: 19.6MB)
- memory/2000-81-0x000000006E090000-0x000000006E0F3000-memory.dmp (Filesize: 396KB)
- memory/2000-82-0x000000006DFC0000-0x000000006E08F000-memory.dmp (Filesize: 828KB)
- memory/2000-83-0x000000006D130000-0x000000006DE86000-memory.dmp (Filesize: 13.3MB)
- memory/2000-84-0x000000006CE10000-0x000000006D12B000-memory.dmp (Filesize: 3.1MB)
- memory/2000-85-0x0000000072040000-0x0000000072A50000-memory.dmp (Filesize: 10.1MB)
- memory/2000-86-0x0000000071860000-0x0000000072040000-memory.dmp (Filesize: 7.9MB)
- memory/2000-87-0x000000006F480000-0x000000006F5A3000-memory.dmp (Filesize: 1.1MB)
- memory/2000-88-0x000000006D130000-0x000000006DE86000-memory.dmp (Filesize: 13.3MB)
- memory/2000-89-0x000000006F860000-0x000000006FF9E000-memory.dmp (Filesize: 7.2MB)
- memory/2000-90-0x000000006F790000-0x000000006F859000-memory.dmp (Filesize: 804KB)
- memory/2000-91-0x0000000072C40000-0x0000000073FCF000-memory.dmp (Filesize: 19.6MB)
- memory/2000-92-0x000000006F150000-0x000000006F2DB000-memory.dmp (Filesize: 1.5MB)
- memory/2000-93-0x000000006EFB0000-0x000000006F144000-memory.dmp (Filesize: 1.6MB)
- memory/2000-94-0x0000000070550000-0x000000007185F000-memory.dmp (Filesize: 19.1MB)
- memory/2000-55-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2000-96-0x000000006E290000-0x000000006EFAD000-memory.dmp (Filesize: 13.1MB)