Analysis
- max time kernel: 90s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 16:41

Static task: static1
Behavioral task: behavioral1
Sample: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Resource: win7-20220414-en
General
- Target: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Size: 530KB
- MD5: 4bf2eedfff6695b5f3fea01022c77b46
- SHA1: 6e08f77c366deb75ccc05c7e095132ca967d2dca
- SHA256: a3e02076203fb0a1c203265a9e9592f11fdc0d0e77a1d4591ece152f913092fa
- SHA512: d868367ef491593472eefe5009d5543b71f342406d4cc3a45c24e978a8c2112fe1da7a283918847dd7da4dfd5189d2559a9eebb6c7621ce9c4946513d3037c49
Malware Config
Extracted
- Family: redline
- Botnet: Choi
- C2: 192.99.175.89:49887
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/792-142-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 2512 set thread context of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe, powershell.exe, A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    pid | process
    2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    3928 | powershell.exe
    3928 | powershell.exe
    792 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    792 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe, powershell.exe, A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    description | pid | process
    Token: SeDebugPrivilege | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    Token: SeDebugPrivilege | 3928 | powershell.exe
    Token: SeDebugPrivilege | 792 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    description | pid | process | target process
    PID 2512 wrote to memory of 3928 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | powershell.exe
    PID 2512 wrote to memory of 3928 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | powershell.exe
    PID 2512 wrote to memory of 3928 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | powershell.exe
    PID 2512 wrote to memory of 2024 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | schtasks.exe
    PID 2512 wrote to memory of 2024 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | schtasks.exe
    PID 2512 wrote to memory of 2024 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | schtasks.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    PID 2512 wrote to memory of 792 | 2512 | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe | A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bIsxcujH.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bIsxcujH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCB.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- C:\Users\Admin\AppData\Local\Temp\tmpDCB.tmp
  Filesize: 1KB
  MD5: 37805c1e3c06b1284417892ff77dc362
  SHA1: 945451e62e84948f881ca8226db5f732186c1c1e
  SHA256: a4b1459fe0a02ed5fe2d3536482d2a1fc12fee080998fd9a350ea0d6216fa291
  SHA512: 10a37749c8e342042fb54c9716cd6ba1e680de30fa6b4124c51e52cfd39b12c3f3d33b20db3fb26658eb39a5ba777f236e74bbcab2360a8716d490f7ad601769
- memory/792-146-0x0000000005A70000-0x0000000006088000-memory.dmp
  Filesize: 6.1MB
- memory/792-162-0x0000000007020000-0x000000000754C000-memory.dmp
  Filesize: 5.2MB
- memory/792-150-0x0000000005630000-0x000000000573A000-memory.dmp
  Filesize: 1.0MB
- memory/792-147-0x0000000005320000-0x0000000005332000-memory.dmp
  Filesize: 72KB
- memory/792-164-0x0000000006C50000-0x0000000006C6E000-memory.dmp
  Filesize: 120KB
- memory/792-161-0x0000000006920000-0x0000000006AE2000-memory.dmp
  Filesize: 1.8MB
- memory/792-148-0x0000000005380000-0x00000000053BC000-memory.dmp
  Filesize: 240KB
- memory/792-163-0x0000000006B70000-0x0000000006BE6000-memory.dmp
  Filesize: 472KB
- memory/792-141-0x0000000000000000-mapping.dmp
- memory/792-142-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/2024-137-0x0000000000000000-mapping.dmp
- memory/2512-134-0x0000000007B20000-0x0000000007BBC000-memory.dmp
  Filesize: 624KB
- memory/2512-130-0x0000000000C60000-0x0000000000CEA000-memory.dmp
  Filesize: 552KB
- memory/2512-135-0x0000000009240000-0x00000000092A6000-memory.dmp
  Filesize: 408KB
- memory/2512-133-0x0000000005710000-0x000000000571A000-memory.dmp
  Filesize: 40KB
- memory/2512-132-0x0000000005550000-0x00000000055E2000-memory.dmp
  Filesize: 584KB
- memory/2512-131-0x0000000005A00000-0x0000000005FA4000-memory.dmp
  Filesize: 5.6MB
- memory/3928-138-0x00000000028A0000-0x00000000028D6000-memory.dmp
  Filesize: 216KB
- memory/3928-149-0x00000000061A0000-0x00000000061BE000-memory.dmp
  Filesize: 120KB
- memory/3928-151-0x0000000007180000-0x00000000071B2000-memory.dmp
  Filesize: 200KB
- memory/3928-152-0x0000000070EC0000-0x0000000070F0C000-memory.dmp
  Filesize: 304KB
- memory/3928-153-0x0000000006770000-0x000000000678E000-memory.dmp
  Filesize: 120KB
- memory/3928-154-0x0000000007B00000-0x000000000817A000-memory.dmp
  Filesize: 6.5MB
- memory/3928-155-0x00000000074B0000-0x00000000074CA000-memory.dmp
  Filesize: 104KB
- memory/3928-156-0x0000000007520000-0x000000000752A000-memory.dmp
  Filesize: 40KB
- memory/3928-157-0x0000000007730000-0x00000000077C6000-memory.dmp
  Filesize: 600KB
- memory/3928-158-0x00000000076E0000-0x00000000076EE000-memory.dmp
  Filesize: 56KB
- memory/3928-159-0x00000000077F0000-0x000000000780A000-memory.dmp
  Filesize: 104KB
- memory/3928-160-0x00000000077D0000-0x00000000077D8000-memory.dmp
  Filesize: 32KB
- memory/3928-144-0x0000000005180000-0x00000000051E6000-memory.dmp
  Filesize: 408KB
- memory/3928-143-0x00000000050E0000-0x0000000005102000-memory.dmp
  Filesize: 136KB
- memory/3928-140-0x0000000005310000-0x0000000005938000-memory.dmp
  Filesize: 6.2MB
- memory/3928-136-0x0000000000000000-mapping.dmp