Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 01:16
Behavioral task: behavioral1
- Sample: 13b80a5b971d1c6fe4a37234dff4d1d5.exe
- Resource: win7-20220715-en

General
- Target: 13b80a5b971d1c6fe4a37234dff4d1d5.exe
- Size: 274KB
- MD5: 13b80a5b971d1c6fe4a37234dff4d1d5
- SHA1: 99c3dff0b01aa403bacc058b552ac597702ab366
- SHA256: d47f6b63f0442a8a7aa10503401180fd337fbdd5ec7388f1505cce1d39a36638
- SHA512: 8a0508411681cdaee2e134b669ebcb73e71fbd49ef2baba456cce1d58376bf8fd173c174850db30983e424f9960b9d893ea478e0ea88766fc4a6ab48cc599625
Malware Config

Extracted: RedLine
- Botnet: cheat
- C2: 172.93.144.171:50831

Extracted: njRAT
- Version: 0.7d
- Botnet (campaign ID): HacKed
- C2: 172.93.231.202:5552
- Mutex: dd7d6bc98a38de1b5ca51955ad0f1fec
- reg_key: dd7d6bc98a38de1b5ca51955ad0f1fec (the same string is reused as the Run value name, see "Adds Run key" below)
- splitter: |'|'|
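The splitter, campaign name and C2 in the extracted njRAT config are exactly the values a network detection needs to recognise this client's check-in. The block below is an added Python example, not code from the sandbox or from the malware, that frames and parses an njRAT-style TCP stream with those values. It assumes the njRAT 0.7d wire format (decimal payload length, a NUL byte, then the payload), that fields are joined with the configured splitter, and that the first `ll` check-in carries base64(`<campaign>_<id>`) as its second field; the sample stream is constructed and the field order after the ID is illustrative.

```python
from __future__ import annotations
import base64

# Values taken from the extracted njRAT config in this report.
SPLITTER = "|'|'|"
CAMPAIGN = "HacKed"
C2 = ("172.93.231.202", 5552)


def split_frames(stream: bytes) -> list[bytes]:
    """Split a TCP payload into njRAT frames.

    Assumption (njRAT 0.7d): each message is '<decimal length>\\x00<payload>'
    with no other delimiter. Truncated or malformed data ends parsing
    instead of raising, so a partial capture still yields the complete frames.
    """
    frames = []
    i = 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul < 0:
            break
        try:
            n = int(stream[i:nul])
        except ValueError:
            break
        body = stream[nul + 1:nul + 1 + n]
        if len(body) < n:
            break
        frames.append(body)
        i = nul + 1 + n
    return frames


def parse_frame(frame: bytes) -> dict:
    """Split one frame on the configured splitter and decode the 'll' victim ID.

    Assumption: in the 'll' check-in the second field is base64 of
    '<campaign>_<volume serial>', so the campaign name only shows up after decoding.
    """
    fields = frame.decode("utf-8", "replace").split(SPLITTER)
    out = {"command": fields[0], "fields": fields, "victim_id": None}
    if fields[0] == "ll" and len(fields) > 1:
        try:
            out["victim_id"] = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            pass
    return out


def is_campaign_beacon(frame: bytes) -> bool:
    """True when the frame is an 'll' check-in for this report's campaign ID."""
    p = parse_frame(frame)
    return p["command"] == "ll" and (p["victim_id"] or "").startswith(CAMPAIGN + "_")


def build_frame(*fields: str) -> bytes:
    """Encode fields the way the client does (used here only to build the sample)."""
    body = SPLITTER.join(fields).encode()
    return str(len(body)).encode() + b"\x00" + body


# Constructed sample stream (not a capture): one check-in followed by an
# active-window update. Field layout after the ID is illustrative.
VICTIM_ID = base64.b64encode(b"HacKed_ABCD1234").decode()
SAMPLE_STREAM = (
    build_frame("ll", VICTIM_ID, "DESKTOP-TEST", "Admin", "22-07-25", "Win 10", "No", "0.7d", "..", "")
    + build_frame("act", "notepad.exe")
)


def scan(stream: bytes) -> list[dict]:
    """Parse every frame and flag the ones belonging to this campaign."""
    results = []
    for f in split_frames(stream):
        p = parse_frame(f)
        p["matches_campaign"] = is_campaign_beacon(f)
        results.append(p)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_STREAM):
        print(r["command"], r["victim_id"], r["matches_campaign"])
```

Matching on the decoded campaign prefix rather than on the splitter alone keeps the check specific to this configuration; the splitter is a default shared by many njRAT builds, which is why the Suricata rule above fires on the generic `ll` command.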
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
YARA rule family_redline matched on:
- C:\Users\Admin\AppData\Roaming\1.exe (listed twice)
- behavioral2/memory/2720-145-0x0000000000100000-0x000000000011E000-memory.dmp
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
Executes dropped EXE (3 IoCs)
- PID 2720: 1.exe
- PID 2716: Server.exe
- PID 2344: Numify v2.0.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- 13b80a5b971d1c6fe4a37234dff4d1d5.exe: key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Server.exe sets the same value name under both the user and the 32-bit machine Run keys:
- Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd7d6bc98a38de1b5ca51955ad0f1fec = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dd7d6bc98a38de1b5ca51955ad0f1fec = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that reading, and the payloads identified here are a RedLine stealer and an njRAT client, so treat the label as the signature's boilerplate rather than a verdict on this sample.
-
Program crash (1 IoC)
- WerFault.exe (PID 4248) handled a crash of Numify v2.0.exe (PID 2344)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- 1.exe (PID 2720), two hits
Suspicious use of AdjustPrivilegeToken (36 IoCs)
- AUDIODG.EXE (PID 5096): Token 33, SeIncBasePriorityPrivilege
- 1.exe (PID 2720): SeDebugPrivilege
- Server.exe (PID 2716): SeDebugPrivilege, then the pair Token 33 / SeIncBasePriorityPrivilege repeated for the remaining 32 IoCs
"Token: 33" is privilege LUID 33 (SeIncWorkingSetPrivilege), which the sandbox reports by number only. The AUDIODG.EXE entries are the Windows audio engine's routine token adjustments and are not attributable to the sample; the SeDebugPrivilege requests by the two dropped payloads are the ones worth noting.
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 4472 (13b80a5b971d1c6fe4a37234dff4d1d5.exe) wrote to PID 2720 (1.exe), three times
- PID 4472 (13b80a5b971d1c6fe4a37234dff4d1d5.exe) wrote to PID 2716 (Server.exe), three times
- PID 4472 (13b80a5b971d1c6fe4a37234dff4d1d5.exe) wrote to PID 2344 (Numify v2.0.exe), three times
- PID 2716 (Server.exe) wrote to PID 2848 (netsh.exe), three times
Each entry coincides with the parent starting that child (see the process tree below), so this is the usual process-creation write pattern rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\13b80a5b971d1c6fe4a37234dff4d1d5.exe (PID 4472)
  command line: "C:\Users\Admin\AppData\Local\Temp\13b80a5b971d1c6fe4a37234dff4d1d5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\1.exe (PID 2720)
    command line: "C:\Users\Admin\AppData\Roaming\1.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Server.exe (PID 2716)
    command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2848)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Roaming\Numify v2.0.exe (PID 2344)
    command line: "C:\Users\Admin\AppData\Roaming\Numify v2.0.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 4248)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 904
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2344 -ip 2344
- C:\Windows\system32\AUDIODG.EXE (PID 5096)
  command line: C:\Windows\system32\AUDIODG.EXE 0x310 0x30c
  - Suspicious use of AdjustPrivilegeToken
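Taken together, the Run-key write under a hash-like value name that points into AppData\Roaming and the netsh firewall exception for the same path (both from Server.exe, PID 2716) are the behaviours a host detection should correlate, since either alone also occurs in legitimate software. The block below is an added Python example, not part of the report, that applies those checks to constructed Sysmon-style process-create and registry-set events modelled on the IoCs above; the event shape, the field names and the benign OneDrive control entry are assumptions.

```python
from __future__ import annotations
import re

# Patterns derived from the IoCs in this report.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
RUN_KEY = re.compile(r"\\(Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)\\([^\\]+)$", re.I)
NETSH_ALLOW = re.compile(
    r"netsh\s+(?:advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)\b", re.I)
QUOTED_PATH = re.compile(r'"([^"]+)"')

# Constructed Sysmon-style events (id 1 = process create, id 13 = registry value set),
# modelled on the process tree and Run-key IoCs above. The OneDrive entry is a
# benign control. This is not real telemetry.
EVENTS = [
    {"id": 1, "pid": 4472, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\13b80a5b971d1c6fe4a37234dff4d1d5.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\13b80a5b971d1c6fe4a37234dff4d1d5.exe"'},
    {"id": 1, "pid": 2716, "ppid": 4472,
     "image": r"C:\Users\Admin\AppData\Roaming\Server.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\Server.exe"'},
    {"id": 13, "pid": 2716, "image": r"C:\Users\Admin\AppData\Roaming\Server.exe",
     "target": r"HKU\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd7d6bc98a38de1b5ca51955ad0f1fec",
     "details": r'"C:\Users\Admin\AppData\Roaming\Server.exe" ..'},
    {"id": 13, "pid": 2716, "image": r"C:\Users\Admin\AppData\Roaming\Server.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dd7d6bc98a38de1b5ca51955ad0f1fec",
     "details": r'"C:\Users\Admin\AppData\Roaming\Server.exe" ..'},
    {"id": 1, "pid": 2848, "ppid": 2716,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE'},
    {"id": 13, "pid": 900, "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]


def detect(events: list[dict]) -> list[dict]:
    """Flag Run values and netsh exceptions that point into user-writable paths,
    then raise a correlated finding when one process did both."""
    image_of = {e["pid"]: e["image"] for e in events}
    findings = []
    for e in events:
        if e["id"] == 13:
            m = RUN_KEY.search(e["target"])
            if not m:
                continue
            q = QUOTED_PATH.search(e["details"])
            path = q.group(1) if q else e["details"].split()[0]
            if USER_WRITABLE.search(path):
                findings.append({"rule": "run_key_to_user_writable_path", "pid": e["pid"],
                                 "value_name": m.group(2), "path": path})
        elif e["id"] == 1 and NETSH_ALLOW.search(e["cmd"]):
            # netsh is a child; attribute the exception to the parent that spawned it.
            paths = [p for p in QUOTED_PATH.findall(e["cmd"]) if USER_WRITABLE.search(p)]
            if paths:
                findings.append({"rule": "netsh_firewall_exception_user_writable", "pid": e["ppid"],
                                 "parent_image": image_of.get(e["ppid"]), "path": paths[0]})
    by_pid: dict[int, set[str]] = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["rule"])
    for pid, rules in by_pid.items():
        if len(rules) == 2:
            findings.append({"rule": "persistence_plus_firewall_exception", "pid": pid,
                             "image": image_of.get(pid)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Attributing the netsh event to its parent PID is what makes the correlation work: the firewall change is executed by a system binary, so keying on the netsh image alone would never connect it to the dropped Server.exe that also wrote the Run value.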
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\1.exe
- Filesize: 95KB
- MD5: ccf820a2ee76cc79c17cac85fa4428f0
- SHA1: c5ff7ee0d5108f716cb6b7b65d2ca2af89cba30a
- SHA256: 51069bf54448fc28f346df8d97234087d4b3d37f844dc9f814d19d201335f6b0
- SHA512: bf2ab49162087e0c9de54a91874e05f63bf148f39818578fffebfc40aeef396bf947b9689ad9011499746fb3a94813ff5fa2cfea27d3ac775028dc9074cdfa97
-
C:\Users\Admin\AppData\Roaming\Numify v2.0.exe
- Filesize: 76KB
- MD5: d06e55b0be32a71ee7266c9a9a50af55
- SHA1: 6ca0597232b4bb8f77646cb031716011ba1ccb48
- SHA256: 6d8b7dc3a54f0e4af610bcc7eb838e975eb15fe0c4f925c99776b16813cc2be8
- SHA512: 8049b083815ffb99a9e8aee8614b65c1a1ae96d3fbde59c4ff6d0c3d29e32c2c430d1548d2bd3918d14069e833ef475d777f80f220777b499a48acde64c1a3f6
-
C:\Users\Admin\AppData\Roaming\Server.exe
- Filesize: 23KB
- MD5: 125473bb19de33511417de332bb82850
- SHA1: d0e8a425a402944ae64c4a34fb5fab4bed0b752a
- SHA256: 372565d528d4613208919f935d09f1c5bf5a5e9b803b16ffd6bb3d19fd415f70
- SHA512: 1b96082cd5b2560ef63812d2572f7fe7e6b575641e5e6e91f4e6300557147976e19c7e775a8f0e781da834c77c94d5f43a3a7e5c687715289f33be534544b84c
-
Memory dumps (grouped by PID; process names from the signature tables above)

PID 4472 (13b80a5b971d1c6fe4a37234dff4d1d5.exe)
- memory/4472-132-0x0000000074DD0000-0x0000000075381000-memory.dmp (5.7MB)
- memory/4472-143-0x0000000074DD0000-0x0000000075381000-memory.dmp (5.7MB)

PID 2720 (1.exe)
- memory/2720-133-0x0000000000000000-mapping.dmp
- memory/2720-145-0x0000000000100000-0x000000000011E000-memory.dmp (120KB; the family_redline YARA hit)
- memory/2720-146-0x0000000005170000-0x0000000005788000-memory.dmp (6.1MB)
- memory/2720-147-0x0000000004A70000-0x0000000004A82000-memory.dmp (72KB)
- memory/2720-148-0x0000000004AD0000-0x0000000004B0C000-memory.dmp (240KB)
- memory/2720-151-0x0000000004D80000-0x0000000004E8A000-memory.dmp (1.0MB)
- memory/2720-153-0x0000000006070000-0x0000000006232000-memory.dmp (1.8MB)
- memory/2720-154-0x0000000006770000-0x0000000006C9C000-memory.dmp (5.2MB)
- memory/2720-155-0x0000000007250000-0x00000000077F4000-memory.dmp (5.6MB)
- memory/2720-156-0x0000000006240000-0x00000000062A6000-memory.dmp (408KB)
- memory/2720-157-0x00000000066A0000-0x0000000006716000-memory.dmp (472KB)
- memory/2720-158-0x0000000006740000-0x000000000675E000-memory.dmp (120KB)

PID 2716 (Server.exe)
- memory/2716-135-0x0000000000000000-mapping.dmp
- memory/2716-141-0x0000000074DD0000-0x0000000075381000-memory.dmp (5.7MB)
- memory/2716-152-0x0000000074DD0000-0x0000000075381000-memory.dmp (5.7MB)

PID 2344 (Numify v2.0.exe)
- memory/2344-139-0x0000000000000000-mapping.dmp
- memory/2344-144-0x0000000000830000-0x000000000084A000-memory.dmp (104KB)
- memory/2344-149-0x0000000005170000-0x0000000005202000-memory.dmp (584KB)

PID 2848 (netsh.exe)
- memory/2848-150-0x0000000000000000-mapping.dmp