Analysis
- max time kernel: 74s
- max time network: 78s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 06-07-2022 16:41
Static task: static1
Behavioral task: behavioral1
- Sample: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Resource: win7-20220414-en
General
- Target: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Size: 530KB
- MD5: 4bf2eedfff6695b5f3fea01022c77b46
- SHA1: 6e08f77c366deb75ccc05c7e095132ca967d2dca
- SHA256: a3e02076203fb0a1c203265a9e9592f11fdc0d0e77a1d4591ece152f913092fa
- SHA512: d868367ef491593472eefe5009d5543b71f342406d4cc3a45c24e978a8c2112fe1da7a283918847dd7da4dfd5189d2559a9eebb6c7621ce9c4946513d3037c49
Malware Config
Extracted
- Family: redline
- Botnet: Choi
- C2: 192.99.175.89:49887
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/568-66-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/568-67-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/568-68-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/568-69-0x000000000041932E-mapping.dmp | family_redline
behavioral1/memory/568-71-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/568-73-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
All six YARA hits are in PID 568, the second copy of the sample that PID 1972 writes into and re-points with SetThreadContext (see below); nothing matches in the original process, so the on-disk file is a loader and the RedLine payload only exists unpacked in the child's memory.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1972 set thread context of 568 | 1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for an infostealer such as RedLine it is more consistent with enumerating drives to find files to collect, so do not read it as an encryption capability.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
1268 | powershell.exe
568 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
568 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Token: SeDebugPrivilege | 1268 | powershell.exe
Token: SeDebugPrivilege | 568 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description | pid | process | target process
PID 1972 wrote to memory of 1268 (4 events) | 1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | powershell.exe
PID 1972 wrote to memory of 1712 (4 events) | 1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | schtasks.exe
PID 1972 wrote to memory of 568 (9 events) | 1972 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe (PID 1972, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1268, depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bIsxcujH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1712, depth 2)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bIsxcujH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe (PID 568, depth 2)
    "C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Reading the tree: the children resolve to C:\Windows\SysWOW64\ even though their command lines name System32, which is file-system redirection for a 32-bit parent on the x64 VM. The parent first has PowerShell add a Defender exclusion for C:\Users\Admin\AppData\Roaming\bIsxcujH.exe and registers a scheduled task under the same name from the XML in tmpC5B0.tmp (the 1KB file listed under Downloads), then starts a second copy of itself, writes into it and resets its thread context; that child (PID 568) is where the RedLine payload is detected. The excluded path bIsxcujH.exe itself does not appear among the files recorded in this run, so the persistence target was not captured here.
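The loader chain above (a Defender exclusion via Add-MpPreference, a scheduled task registered from a temp-directory XML, and a parent writing into a second copy of itself before calling SetThreadContext) is a compact detection target. The script below is an added example, not part of the report or of the sandbox's own logic: the Proc and ApiEvent records are constructed by hand from the process tree and signature tables on this page, and the ATT&CK sub-technique IDs are my own mapping (the page's matrix is ATT&CK v6, which predates sub-techniques).

```python
"""Flag the loader TTPs recorded in the report above from Triage-style process and API events.
Added example: the records below are constructed from the report, not exported from the sandbox."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 = root of the captured tree
    image: str     # resolved image path (SysWOW64 for 32-bit children on x64)
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class ApiEvent:
    api: str       # "WriteProcessMemory" or "SetThreadContext"
    pid: int       # acting process
    target: int    # process acted upon


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
PROCS = [
    Proc(1972, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1268, 1972, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
         r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\bIsxcujH.exe"'),
    Proc(1712, 1972, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bIsxcujH" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp"'),
    Proc(568, 1972, SAMPLE, f'"{SAMPLE}"'),
]
# 4 + 4 + 9 WriteProcessMemory calls and one SetThreadContext, as counted in the signature tables.
EVENTS = (
    [ApiEvent("WriteProcessMemory", 1972, 1268)] * 4
    + [ApiEvent("WriteProcessMemory", 1972, 1712)] * 4
    + [ApiEvent("WriteProcessMemory", 1972, 568)] * 9
    + [ApiEvent("SetThreadContext", 1972, 568)]
)

# Plain-text command-line patterns; encoded or obfuscated PowerShell would need script-block logging.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)
SCHTASKS_FROM_XML = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b.*?/XML\s+"?([^"]+)', re.I)
TEMP_DIR = re.compile(r"\\Temp\\", re.I)


def detect(procs, events):
    """Return (technique, pid, detail) tuples for the three loader behaviours."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if DEFENDER_EXCLUSION.search(p.cmdline):
            findings.append(("T1562.001", p.pid, "Defender exclusion added via Add-MpPreference"))
        m = SCHTASKS_FROM_XML.search(p.cmdline)
        if m and TEMP_DIR.search(m.group(1)):
            findings.append(("T1053.005", p.pid,
                             f"scheduled task created from temp XML {m.group(1).strip()}"))
    # Hollowing heuristic: the parent writes into a child it spawned from its own image,
    # then redirects that child's thread with SetThreadContext into the written code.
    wrote = {(e.pid, e.target) for e in events if e.api == "WriteProcessMemory"}
    for e in events:
        if e.api != "SetThreadContext" or (e.pid, e.target) not in wrote:
            continue
        src, dst = by_pid.get(e.pid), by_pid.get(e.target)
        if (src and dst and dst.ppid == src.pid
                and ntpath.basename(src.image).lower() == ntpath.basename(dst.image).lower()):
            findings.append(("T1055.012", dst.pid,
                             f"process hollowing of {ntpath.basename(dst.image)} by PID {src.pid}"))
    return findings


if __name__ == "__main__":
    for technique, pid, detail in detect(PROCS, EVENTS):
        print(f"{technique}  pid={pid:<5} {detail}")
```

In live telemetry the same three checks map onto Sysmon event 1 (process create with command line) for the first two and a WriteProcessMemory/SetThreadContext pair from an EDR or API monitor for the third; the child-of-same-image condition is what separates this hollowing pattern from ordinary debugger or installer activity.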
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp (1KB)
  MD5: 7ccaa9e66043562051514c4189eadb4b
  SHA1: 43df71ea13f999774230aa1e29da9a805ff08d6c
  SHA256: dc38bc410eebe507c2938a811318db9d64e7b5c62b21aa9aa70faa2b68dcb645
  SHA512: ac96d1efe2b5e9068fc9decfd108a28515c3281ec7a805e577a2bb99e46b1c1c6f1fd2603dc5ae49e3c2e0853ad7a5891e6cdba21b534b83c2a0b2681ecba326
- memory/568-68-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/568-69-0x000000000041932E-mapping.dmp
- memory/568-64-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/568-66-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/568-67-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/568-73-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/568-71-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/568-63-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/1268-58-0x0000000000000000-mapping.dmp
- memory/1268-76-0x000000006ECF0000-0x000000006F29B000-memory.dmp (5.7MB)
- memory/1268-75-0x000000006ECF0000-0x000000006F29B000-memory.dmp (5.7MB)
- memory/1712-59-0x0000000000000000-mapping.dmp
- memory/1972-54-0x0000000001390000-0x000000000141A000-memory.dmp (552KB)
- memory/1972-56-0x0000000000580000-0x0000000000592000-memory.dmp (72KB)
- memory/1972-57-0x0000000005DA0000-0x0000000005E02000-memory.dmp (392KB)
- memory/1972-62-0x00000000011F0000-0x000000000120E000-memory.dmp (120KB)
- memory/1972-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (8KB)
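The dump names above encode PID, event sequence number and the address range of each captured region, and the "mapping" dumps record the address a thread was pointed at. The script below is an added example, not a tool from the report or the sandbox vendor: it parses that naming convention (an assumption based on the names listed here), checks each range against the listed size, and resolves each mapping address to the region that contains it, which for PID 568 puts the new entry point 0x41932E inside the 0x400000-0x41E000 region that carries the family_redline YARA hits.

```python
"""Parse the memory dump names listed in the report above (added example, not sandbox code).
Assumed naming scheme: memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (dump name, size as listed in the Downloads section); mapping dumps carry no size.
REPORTED = [
    ("memory/568-68-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/568-69-0x000000000041932E-mapping.dmp", None),
    ("memory/568-64-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/568-66-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/568-67-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/568-73-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/568-71-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/568-63-0x0000000000400000-0x000000000041E000-memory.dmp", "120KB"),
    ("memory/1268-58-0x0000000000000000-mapping.dmp", None),
    ("memory/1268-76-0x000000006ECF0000-0x000000006F29B000-memory.dmp", "5.7MB"),
    ("memory/1268-75-0x000000006ECF0000-0x000000006F29B000-memory.dmp", "5.7MB"),
    ("memory/1712-59-0x0000000000000000-mapping.dmp", None),
    ("memory/1972-54-0x0000000001390000-0x000000000141A000-memory.dmp", "552KB"),
    ("memory/1972-56-0x0000000000580000-0x0000000000592000-memory.dmp", "72KB"),
    ("memory/1972-57-0x0000000005DA0000-0x0000000005E02000-memory.dmp", "392KB"),
    ("memory/1972-62-0x00000000011F0000-0x000000000120E000-memory.dmp", "120KB"),
    ("memory/1972-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp", "8KB"),
]


def parse_dump(name):
    """Split a dump file name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": end - start if end is not None else None}


def human_size(nbytes):
    """Format like the report: whole KB below 1 MiB, one decimal MB at or above it."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes / 1024:.0f}KB"


def check_sizes(reported):
    """Return (name, computed, listed) for each memory dump whose range disagrees with its listed size."""
    mismatches = []
    for name, listed in reported:
        d = parse_dump(name)
        if d["kind"] == "memory" and human_size(d["size"]) != listed:
            mismatches.append((name, human_size(d["size"]), listed))
    return mismatches


def summarize(names):
    """Per PID: distinct dumped regions, and each mapping address resolved to its containing region.
    Mapping entries are (address, (start, end) or None, offset from region start or None)."""
    out = defaultdict(lambda: {"regions": {}, "mappings": []})
    parsed = [parse_dump(n) for n in names]
    for d in parsed:
        if d["kind"] == "memory":
            out[d["pid"]]["regions"][(d["start"], d["end"])] = d["size"]
    for d in parsed:
        if d["kind"] != "mapping":
            continue
        region = next((r for r in out[d["pid"]]["regions"] if r[0] <= d["start"] < r[1]), None)
        offset = d["start"] - region[0] if region else None
        out[d["pid"]]["mappings"].append((d["start"], region, offset))
    return dict(out)


if __name__ == "__main__":
    for pid, info in sorted(summarize([n for n, _ in REPORTED]).items()):
        for (start, end), size in info["regions"].items():
            print(f"pid {pid}: region 0x{start:08X}-0x{end:08X} ({human_size(size)})")
        for addr, region, offset in info["mappings"]:
            where = f"offset 0x{offset:X} into 0x{region[0]:08X}" if region else "no dumped region"
            print(f"pid {pid}: mapping at 0x{addr:08X} -> {where}")
    print("size mismatches:", check_sizes(REPORTED))
```

Two things fall out of running it over the report's own list: the 0x1E000-byte region in PID 568 is the only region there and every family_redline hit lands in it, and PID 1972 holds a region of exactly the same size (0x11F0000-0x120E000), consistent with the payload being staged in the parent before being written into the child. The mapping dumps at address 0 for PIDs 1268 and 1712 have no containing region, which is what you expect for children that were only written to and never re-pointed.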