Analysis
- max time kernel: 128s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-06-2022 08:50
Static task: static1
Behavioral task: behavioral1
Sample: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe
Resource: win10v2004-20220414-en
General
- Target: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe
- Size: 871KB
- MD5: a33ffa539d35983e470e67e722b80c38
- SHA1: 42568a103dfce00691c6177772cb74c1683cad10
- SHA256: c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86
- SHA512: 9d4235ea23bfc12aec194dfdbba1c1a05796e40d6f13b2fa43f73e7a544d2bec888e405e0f35270c356e21fa7a35740f0057262528f43061a5649b61d5d1b467
Malware Config
Extracted
- redline
- 1
- 109.107.172.33:37679
- auth_value: c6427f7951ed507d26d241ad4f19d1a6
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/4732-147-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  5104 | Installer_ovl_sig.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Installer_ovl_sig.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOSBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\DOSB\\DOSBox.exe\"" | Installer_ovl_sig.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 5104 set thread context of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid | process
  2540 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid | process
  892 | powershell.exe
  892 | powershell.exe
  5104 | Installer_ovl_sig.exe
  5104 | Installer_ovl_sig.exe
  4732 | InstallUtil.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 892 | powershell.exe
  Token: SeDebugPrivilege | 5104 | Installer_ovl_sig.exe
  Token: SeDebugPrivilege | 4732 | InstallUtil.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description | pid | process | target process
  PID 4688 wrote to memory of 5104 | 4688 | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe | Installer_ovl_sig.exe
  PID 4688 wrote to memory of 5104 | 4688 | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe | Installer_ovl_sig.exe
  PID 4688 wrote to memory of 5104 | 4688 | c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe | Installer_ovl_sig.exe
  PID 5104 wrote to memory of 892 | 5104 | Installer_ovl_sig.exe | powershell.exe
  PID 5104 wrote to memory of 892 | 5104 | Installer_ovl_sig.exe | powershell.exe
  PID 5104 wrote to memory of 892 | 5104 | Installer_ovl_sig.exe | powershell.exe
  PID 5104 wrote to memory of 4780 | 5104 | Installer_ovl_sig.exe | cmd.exe
  PID 5104 wrote to memory of 4780 | 5104 | Installer_ovl_sig.exe | cmd.exe
  PID 5104 wrote to memory of 4780 | 5104 | Installer_ovl_sig.exe | cmd.exe
  PID 4780 wrote to memory of 2540 | 4780 | cmd.exe | timeout.exe
  PID 4780 wrote to memory of 2540 | 4780 | cmd.exe | timeout.exe
  PID 4780 wrote to memory of 2540 | 4780 | cmd.exe | timeout.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
  PID 5104 wrote to memory of 4732 | 5104 | Installer_ovl_sig.exe | InstallUtil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3dd01734e71fb98a201ee38d6dffb724ccb79c2041aa5ba68811c9b5693ae86.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Start-Sleep -Seconds 8;Start-Sleep -Seconds 10;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 37
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 37
        - Delays execution with timeout.exe
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Installer_ovl_sig.exe
  Filesize: 362.6MB
  MD5: 7a83d80e4ad9fcd1d47c4327e1717649
  SHA1: 6ec747c0ca8b5d85c30bf0e7708610d74e4b3567
  SHA256: 67a47e7385060b787efeb924f628e755411a5ccd3440447811c3da12b8000251
  SHA512: a5b6b8b7b69022c5322d1a7480591f8293b66a3f6cbdda37ad79459751980f268ac3e030d6d97152eadbe73ec6344fbdd6aa78e9d7ffcb75c820487ec8182db3
- memory/892-142-0x00000000068B0000-0x00000000068CA000-memory.dmp  Filesize: 104KB
- memory/892-134-0x0000000000000000-mapping.dmp
- memory/892-135-0x0000000002A00000-0x0000000002A36000-memory.dmp  Filesize: 216KB
- memory/892-139-0x0000000005D40000-0x0000000005DA6000-memory.dmp  Filesize: 408KB
- memory/892-137-0x0000000005360000-0x0000000005382000-memory.dmp  Filesize: 136KB
- memory/892-138-0x0000000005410000-0x0000000005476000-memory.dmp  Filesize: 408KB
- memory/892-136-0x00000000055A0000-0x0000000005BC8000-memory.dmp  Filesize: 6.2MB
- memory/892-140-0x00000000063B0000-0x00000000063CE000-memory.dmp  Filesize: 120KB
- memory/892-141-0x0000000007A20000-0x000000000809A000-memory.dmp  Filesize: 6.5MB
- memory/2540-144-0x0000000000000000-mapping.dmp
- memory/4732-146-0x0000000000000000-mapping.dmp
- memory/4732-152-0x0000000006960000-0x0000000006F04000-memory.dmp  Filesize: 5.6MB
- memory/4732-156-0x0000000007A90000-0x0000000007FBC000-memory.dmp  Filesize: 5.2MB
- memory/4732-155-0x0000000007390000-0x0000000007552000-memory.dmp  Filesize: 1.8MB
- memory/4732-154-0x0000000006920000-0x000000000693E000-memory.dmp  Filesize: 120KB
- memory/4732-147-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/4732-148-0x0000000005D90000-0x00000000063A8000-memory.dmp  Filesize: 6.1MB
- memory/4732-149-0x00000000057F0000-0x0000000005802000-memory.dmp  Filesize: 72KB
- memory/4732-150-0x0000000005920000-0x0000000005A2A000-memory.dmp  Filesize: 1.0MB
- memory/4732-151-0x0000000005850000-0x000000000588C000-memory.dmp  Filesize: 240KB
- memory/4732-153-0x0000000006820000-0x0000000006896000-memory.dmp  Filesize: 472KB
- memory/4780-143-0x0000000000000000-mapping.dmp
- memory/5104-145-0x0000000005EA0000-0x0000000005F32000-memory.dmp  Filesize: 584KB
- memory/5104-133-0x0000000000330000-0x0000000000370000-memory.dmp  Filesize: 256KB
- memory/5104-130-0x0000000000000000-mapping.dmp