Analysis
- max time kernel: 109s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-06-2022 09:18
Static task: static1
Behavioral task: behavioral1
- Sample: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe
- Resource: win10v2004-20220414-en
General
- Target: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe
- Size: 871KB
- MD5: a33ffa539d35983e470e67e722b80c38
- SHA1: 42568a103dfce00691c6177772cb74c1683cad10
- SHA256: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86
- SHA512: 9d4235ea23bfc12aec194dfdbba1c1a05796e40d6f13b2fa43f73e7a544d2bec888e405e0f35270c356e21fa7a35740f0057262528f43061a5649b61d5d1b467
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: 109.107.172.33:37679
- auth_value: c6427f7951ed507d26d241ad4f19d1a6
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/3332-147-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1832 | Installer_ovl_sig.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Installer_ovl_sig.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOSBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\DOSB\\DOSBox.exe\"" | Installer_ovl_sig.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1832 set thread context of 3332 | 1832 | Installer_ovl_sig.exe | InstallUtil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid | process):
    2668 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    2376 | powershell.exe
    2376 | powershell.exe
    1832 | Installer_ovl_sig.exe
    1832 | Installer_ovl_sig.exe
    3332 | InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2376 | powershell.exe
    Token: SeDebugPrivilege | 1832 | Installer_ovl_sig.exe
    Token: SeDebugPrivilege | 3332 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with their count:
    PID 2736 wrote to memory of 1832 | 2736 | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe | Installer_ovl_sig.exe (3 rows)
    PID 1832 wrote to memory of 2376 | 1832 | Installer_ovl_sig.exe | powershell.exe (3 rows)
    PID 1832 wrote to memory of 3500 | 1832 | Installer_ovl_sig.exe | cmd.exe (3 rows)
    PID 3500 wrote to memory of 2668 | 3500 | cmd.exe | timeout.exe (3 rows)
    PID 1832 wrote to memory of 3332 | 1832 | Installer_ovl_sig.exe | InstallUtil.exe (8 rows)
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Start-Sleep -Seconds 8;Start-Sleep -Seconds 10;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 37
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 37
        - Delays execution with timeout.exe
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
  Filesize: 362.6MB
  MD5: 7a83d80e4ad9fcd1d47c4327e1717649
  SHA1: 6ec747c0ca8b5d85c30bf0e7708610d74e4b3567
  SHA256: 67a47e7385060b787efeb924f628e755411a5ccd3440447811c3da12b8000251
  SHA512: a5b6b8b7b69022c5322d1a7480591f8293b66a3f6cbdda37ad79459751980f268ac3e030d6d97152eadbe73ec6344fbdd6aa78e9d7ffcb75c820487ec8182db3
- memory/1832-130-0x0000000000000000-mapping.dmp
- memory/1832-133-0x0000000000790000-0x00000000007D0000-memory.dmp (Filesize: 256KB)
- memory/1832-145-0x0000000006430000-0x00000000064C2000-memory.dmp (Filesize: 584KB)
- memory/2376-142-0x0000000006D40000-0x0000000006D5A000-memory.dmp (Filesize: 104KB)
- memory/2376-134-0x0000000000000000-mapping.dmp
- memory/2376-137-0x00000000057F0000-0x0000000005812000-memory.dmp (Filesize: 136KB)
- memory/2376-138-0x0000000005ED0000-0x0000000005F36000-memory.dmp (Filesize: 408KB)
- memory/2376-139-0x0000000005FB0000-0x0000000006016000-memory.dmp (Filesize: 408KB)
- memory/2376-140-0x00000000067C0000-0x00000000067DE000-memory.dmp (Filesize: 120KB)
- memory/2376-141-0x0000000007E70000-0x00000000084EA000-memory.dmp (Filesize: 6.5MB)
- memory/2376-135-0x0000000005200000-0x0000000005236000-memory.dmp (Filesize: 216KB)
- memory/2376-136-0x00000000058A0000-0x0000000005EC8000-memory.dmp (Filesize: 6.2MB)
- memory/2668-144-0x0000000000000000-mapping.dmp
- memory/3332-146-0x0000000000000000-mapping.dmp
- memory/3332-147-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3332-148-0x00000000058E0000-0x0000000005EF8000-memory.dmp (Filesize: 6.1MB)
- memory/3332-149-0x0000000005350000-0x0000000005362000-memory.dmp (Filesize: 72KB)
- memory/3332-150-0x0000000005480000-0x000000000558A000-memory.dmp (Filesize: 1.0MB)
- memory/3332-151-0x00000000053B0000-0x00000000053EC000-memory.dmp (Filesize: 240KB)
- memory/3332-152-0x00000000056F0000-0x0000000005766000-memory.dmp (Filesize: 472KB)
- memory/3332-153-0x00000000064B0000-0x0000000006A54000-memory.dmp (Filesize: 5.6MB)
- memory/3332-154-0x0000000005F00000-0x0000000005F1E000-memory.dmp (Filesize: 120KB)
- memory/3332-155-0x0000000006E90000-0x0000000007052000-memory.dmp (Filesize: 1.8MB)
- memory/3332-156-0x0000000007590000-0x0000000007ABC000-memory.dmp (Filesize: 5.2MB)
- memory/3500-143-0x0000000000000000-mapping.dmp