Analysis
max time kernel: 87s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-07-2022 17:26
Static task: static1
Behavioral task: behavioral1
  Sample: 1c5c68369bf3d0d615edfc3d760070f7.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 1c5c68369bf3d0d615edfc3d760070f7.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
Target: 1c5c68369bf3d0d615edfc3d760070f7.exe
Size: 2.4MB
MD5: 1c5c68369bf3d0d615edfc3d760070f7
SHA1: ccb0d2e9f74b55b77313dbbb01024161b6ad9112
SHA256: a8946790919846ad03640f1ac35962e092e96ba02344a004a65eae31c7080d17
SHA512: 082935677bc3b2277dd5d404072307f5fbeb10c3acdee601a1abef7f95a9fa61d8c4fe59d31d217ebce4c8ac7ec843b7b92a298a5eca5ce7230bf58ef49f0caa
Score: 10/10
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                            | pid  | process                               | target process
  PID 4836 set thread context of 346968  | 4836 | 1c5c68369bf3d0d615edfc3d760070f7.exe  | AppLaunch.exe

Program crash (1 IoC)
Processes:
  pid    | pid_target | process      | target process
  347124 | 4836       | WerFault.exe | 1c5c68369bf3d0d615edfc3d760070f7.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                             | pid    | process                               | target process | entries
  PID 4836 wrote to memory of 346968      | 4836   | 1c5c68369bf3d0d615edfc3d760070f7.exe  | AppLaunch.exe  | 5
  PID 346968 wrote to memory of 347032    | 346968 | AppLaunch.exe                         | AppLaunch.exe  | 3
  PID 346968 wrote to memory of 347052    | 346968 | AppLaunch.exe                         | AppLaunch.exe  | 3
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c5c68369bf3d0d615edfc3d760070f7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c5c68369bf3d0d615edfc3d760070f7.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 344092
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
Network
MITRE ATT&CK Matrix
Downloads
- memory/346968-130-0x0000000000000000-mapping.dmp
- memory/346968-131-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/346968-137-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/347032-138-0x0000000000000000-mapping.dmp
- memory/347052-139-0x0000000000000000-mapping.dmp