Overview

overview

10

Static

static

Document.pdf.scr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 07:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.pdf.scr.exe

  • Size

    2.1MB

  • MD5

    93dd6479d9333cac3202b3ea9502a07c

  • SHA1

    27ba3ddc97cb409b9d9b7c61dfb442c1c4655bee

  • SHA256

    801e8af2f94a4b713c6d137eaa2c604b31b238038a6ffd6d7543b0089cc88ab9

  • SHA512

    948f9a6ce1a02437263b2a6ad332e7a3c5e751776c9fe455b0aa605ac99dd87611b4a1386c4ba908d65455fa012228f99ba4a2501956afb8cc7ceaa03475f7e9

Score
10/10
redline1infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1

C2

62.204.41.139:25190

Attributes
  • auth_value

    2c239ad7c28c8eab1f9626557bb9457a

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1176
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      2⤵
        PID:100
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        2⤵
          PID:3340
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:208

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/100-140-0x0000000000000000-mapping.dmp
        Download
      • memory/208-148-0x00000000054A0000-0x0000000005516000-memory.dmp
        Filesize

        472KB

        Download
      • memory/208-147-0x0000000005160000-0x000000000519C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/208-153-0x0000000006E30000-0x0000000006FF2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/208-142-0x0000000000000000-mapping.dmp
        Download
      • memory/208-151-0x0000000005DA0000-0x0000000005DBE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/208-150-0x0000000006230000-0x00000000067D4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/208-149-0x00000000055C0000-0x0000000005652000-memory.dmp
        Filesize

        584KB

        Download
      • memory/208-146-0x0000000005230000-0x000000000533A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/208-143-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/208-144-0x0000000005660000-0x0000000005C78000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/208-154-0x0000000007530000-0x0000000007A5C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/208-152-0x0000000006C10000-0x0000000006C60000-memory.dmp
        Filesize

        320KB

        Download
      • memory/208-145-0x0000000005100000-0x0000000005112000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1176-139-0x0000000006910000-0x000000000692A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1176-138-0x0000000007C90000-0x000000000830A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1176-132-0x0000000000000000-mapping.dmp
        Download
      • memory/1176-137-0x0000000006440000-0x000000000645E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1176-136-0x0000000005E50000-0x0000000005EB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1176-135-0x0000000005D70000-0x0000000005DD6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1176-134-0x00000000056A0000-0x0000000005CC8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1176-133-0x0000000002B30000-0x0000000002B66000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3340-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3660-131-0x0000000005D40000-0x0000000005D62000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3660-130-0x0000000000520000-0x0000000000746000-memory.dmp
        Filesize

        2.1MB

        Download