Analysis
- max time kernel: 56s
- max time network: 61s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 07:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Document.pdf.scr.exe
  - Resource: win10v2004-20220721-en
General
- Target: Document.pdf.scr.exe
- Size: 2.1MB
- MD5: 93dd6479d9333cac3202b3ea9502a07c
- SHA1: 27ba3ddc97cb409b9d9b7c61dfb442c1c4655bee
- SHA256: 801e8af2f94a4b713c6d137eaa2c604b31b238038a6ffd6d7543b0089cc88ab9
- SHA512: 948f9a6ce1a02437263b2a6ad332e7a3c5e751776c9fe455b0aa605ac99dd87611b4a1386c4ba908d65455fa012228f99ba4a2501956afb8cc7ceaa03475f7e9
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: 62.204.41.139:25190
- auth_value: 2c239ad7c28c8eab1f9626557bb9457a
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral1/memory/208-143-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Document.pdf.scr.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | Document.pdf.scr.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Document.pdf.scr.exe
  description | pid | process | target process
  PID 3660 set thread context of 208 | 3660 | Document.pdf.scr.exe | AppLaunch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: powershell.exe, Document.pdf.scr.exe, AppLaunch.exe
  pid | process
  1176 | powershell.exe (2 events)
  3660 | Document.pdf.scr.exe (10 events)
  208 | AppLaunch.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Document.pdf.scr.exe, powershell.exe, AppLaunch.exe
  description | pid | process
  Token: SeDebugPrivilege | 3660 | Document.pdf.scr.exe
  Token: SeDebugPrivilege | 1176 | powershell.exe
  Token: SeDebugPrivilege | 208 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: Document.pdf.scr.exe
  description | pid | process | target process
  PID 3660 wrote to memory of 1176 | 3660 | Document.pdf.scr.exe | powershell.exe (3 events)
  PID 3660 wrote to memory of 100 | 3660 | Document.pdf.scr.exe | AppLaunch.exe (3 events)
  PID 3660 wrote to memory of 3340 | 3660 | Document.pdf.scr.exe | AppLaunch.exe (3 events)
  PID 3660 wrote to memory of 208 | 3660 | Document.pdf.scr.exe | AppLaunch.exe (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 20)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/100-140-0x0000000000000000-mapping.dmp
- memory/208-148-0x00000000054A0000-0x0000000005516000-memory.dmp (472KB)
- memory/208-147-0x0000000005160000-0x000000000519C000-memory.dmp (240KB)
- memory/208-153-0x0000000006E30000-0x0000000006FF2000-memory.dmp (1.8MB)
- memory/208-142-0x0000000000000000-mapping.dmp
- memory/208-151-0x0000000005DA0000-0x0000000005DBE000-memory.dmp (120KB)
- memory/208-150-0x0000000006230000-0x00000000067D4000-memory.dmp (5.6MB)
- memory/208-149-0x00000000055C0000-0x0000000005652000-memory.dmp (584KB)
- memory/208-146-0x0000000005230000-0x000000000533A000-memory.dmp (1.0MB)
- memory/208-143-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/208-144-0x0000000005660000-0x0000000005C78000-memory.dmp (6.1MB)
- memory/208-154-0x0000000007530000-0x0000000007A5C000-memory.dmp (5.2MB)
- memory/208-152-0x0000000006C10000-0x0000000006C60000-memory.dmp (320KB)
- memory/208-145-0x0000000005100000-0x0000000005112000-memory.dmp (72KB)
- memory/1176-139-0x0000000006910000-0x000000000692A000-memory.dmp (104KB)
- memory/1176-138-0x0000000007C90000-0x000000000830A000-memory.dmp (6.5MB)
- memory/1176-132-0x0000000000000000-mapping.dmp
- memory/1176-137-0x0000000006440000-0x000000000645E000-memory.dmp (120KB)
- memory/1176-136-0x0000000005E50000-0x0000000005EB6000-memory.dmp (408KB)
- memory/1176-135-0x0000000005D70000-0x0000000005DD6000-memory.dmp (408KB)
- memory/1176-134-0x00000000056A0000-0x0000000005CC8000-memory.dmp (6.2MB)
- memory/1176-133-0x0000000002B30000-0x0000000002B66000-memory.dmp (216KB)
- memory/3340-141-0x0000000000000000-mapping.dmp
- memory/3660-131-0x0000000005D40000-0x0000000005D62000-memory.dmp (136KB)
- memory/3660-130-0x0000000000520000-0x0000000000746000-memory.dmp (2.1MB)