Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 11:07
Static task: static1
Behavioral task: behavioral1
- Sample: 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
- Resource: win10v2004-20220721-en
The signatures, process tree, dropped files and memory dumps on this page are from behavioral2, the Windows 10 run (the dump paths are prefixed behavioral2/).
General
- Target: 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
- Size: 2.5MB
- MD5: d5646c90a8af09a6e669a8e471005bbd
- SHA1: 526b70c4b3762c8983e8bb19b57ada1f75c52b19
- SHA256: 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7
- SHA512: 4d948f4923877f29fe64991c90ea3a6c08473bc61cb6573151039e12a52f7a70d4e721c3888985df6d90cdeeb093cc36074d68597448d00e37f9f011af07645e
Malware Config
Two families were identified in this run and both configs were extracted.
Extracted: redline
- Botnet: @ternetyFPL
- C2: 62.204.41.144:14096
- auth_value: 449f565b5fc3449e1b02eaa2fe5a56dd
Extracted: colibri
- Version: 1.2.0
- Build: Build1
- C2: http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
- C2: http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
- resource: behavioral2/memory/201264-131-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline
The YARA hit is in PID 201264, the AppLaunch.exe process, at image base 0x400000: the RedLine payload is never written to disk as its own file and is only visible inside the hollowed .NET host.

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)
- 201472 iog.exe
- 201500 conhost.exe
- 201516 svchost.exe
- 201280 Get-Variable.exe
- 1828 MoUSO.exe
- 1208 Get-Variable.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value is the per-user Control Panel\International\Geo\Nation GeoID, i.e. the country chosen in Region settings, so this is a cheap locale check rather than a network geolocation lookup.
Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation, by:
- svchost.exe
- conhost.exe
- Get-Variable.exe
- Get-Variable.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
- PID 3356 (86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe) set thread context of 201264 (AppLaunch.exe)
Together with the five WriteProcessMemory events from the same PID listed below, this is the process-hollowing pattern: the sample starts the legitimate .NET host AppLaunch.exe, writes the RedLine payload into it and redirects the thread to the injected code, which is why the family_redline match sits at 0x400000 in PID 201264.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing in this run shows encryption; for the two stealers identified here, enumerating drives is part of locating files to collect.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 201628 schtasks.exe (child of the dropped conhost.exe, PID 201500)
- 201712 schtasks.exe (child of the dropped svchost.exe, PID 201516)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 201264 AppLaunch.exe (1 entry)
- 1828 MoUSO.exe (63 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, 201264 AppLaunch.exe
- Token: SeDebugPrivilege, 4168 powershell.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Grouped by source and target. A parent writes into a child a few times while creating it, so the three-event edges double as the process tree; the five writes into AppLaunch.exe are the exception and carry the payload.
- 3356 (86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe) -> 201264 AppLaunch.exe, 5 events
- 201264 AppLaunch.exe -> 201472 iog.exe, 3 events
- 201472 iog.exe -> 201500 conhost.exe, 3 events
- 201472 iog.exe -> 201516 svchost.exe, 3 events
- 201500 conhost.exe -> 201628 schtasks.exe, 3 events
- 201516 svchost.exe -> 201712 schtasks.exe, 3 events
- 201516 svchost.exe -> 201280 Get-Variable.exe, 3 events
- 4168 powershell.exe -> 1208 Get-Variable.exe, 3 events
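The SetThreadContext and WriteProcessMemory tables above are flat event records, but they contain enough to rebuild the injection graph and to separate ordinary process creation from hollowing. The script below is an added example, not part of the sandbox report: EVENTS are copied from the two tables with the repeated identical write lines reduced (the page logs 26 writes; one or two per source/target pair are enough here), and HOLLOW_HOSTS is an assumed short list of legitimate host binaries commonly hollowed, not a complete list. The rule is simple: a source that both sets the thread context of, and writes memory into, a target whose image is one of those hosts is a hollowing candidate, and everything reachable from that target through write edges is its post-injection lineage.

```python
"""Rebuild the injection graph from flattened sandbox signature records
and flag the process-hollowing pattern.

Added example, not part of the sandbox report. EVENTS are copied from the
SetThreadContext / WriteProcessMemory tables above with repeated identical
lines reduced. HOLLOW_HOSTS is an assumed short list, not a complete one.
"""
import re
from collections import defaultdict

# Legitimate host images often used as hollowing targets (assumption).
HOLLOW_HOSTS = {"AppLaunch.exe", "RegAsm.exe", "RegSvcs.exe", "MSBuild.exe",
                "InstallUtil.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

# One event per line: "PID <src> <op> <dst> <src> <src image> <dst image>".
EVENTS = """\
PID 3356 set thread context of 201264 3356 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe AppLaunch.exe
PID 3356 wrote to memory of 201264 3356 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe AppLaunch.exe
PID 3356 wrote to memory of 201264 3356 86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe AppLaunch.exe
PID 201264 wrote to memory of 201472 201264 AppLaunch.exe iog.exe
PID 201472 wrote to memory of 201500 201472 iog.exe conhost.exe
PID 201472 wrote to memory of 201516 201472 iog.exe svchost.exe
PID 201500 wrote to memory of 201628 201500 conhost.exe schtasks.exe
PID 201516 wrote to memory of 201712 201516 svchost.exe schtasks.exe
PID 201516 wrote to memory of 201280 201516 svchost.exe Get-Variable.exe
PID 4168 wrote to memory of 1208 4168 powershell.exe Get-Variable.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$")


def parse_events(text):
    """Turn the flattened records into dicts; reject lines that do not fit."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append({
            "src": int(m["src"]), "dst": int(m["dst"]),
            "op": "set_thread_context" if m["op"].startswith("set") else "write_memory",
            "src_img": m["src_img"], "dst_img": m["dst_img"],
        })
    return events


def find_hollowing(events):
    """(src, dst, dst image) for every pair with both ops into a known host."""
    ops, images = defaultdict(set), {}
    for e in events:
        ops[(e["src"], e["dst"])].add(e["op"])
        images[e["dst"]] = e["dst_img"]
    return sorted((src, dst, images[dst]) for (src, dst), seen in ops.items()
                  if {"set_thread_context", "write_memory"} <= seen
                  and images[dst] in HOLLOW_HOSTS)


def descendants(events, root):
    """PIDs reachable from root over write edges (parent -> spawned child)."""
    children = defaultdict(set)
    for e in events:
        if e["op"] == "write_memory":
            children[e["src"]].add(e["dst"])
    seen, stack = set(), [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for src, dst, img in find_hollowing(evs):
        print(f"hollowing candidate: {src} -> {dst} ({img}); "
              f"lineage {sorted(descendants(evs, dst))}")
```

Run on the page's records this reports a single candidate, 3356 -> 201264 (AppLaunch.exe), with the whole iog.exe / conhost.exe / svchost.exe / schtasks.exe / Get-Variable.exe chain as its lineage; the powershell.exe -> Get-Variable.exe edge is a separate root because the Task Scheduler parent is not in the records.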
Processes
Indentation shows parent/child depth (the page's ⤵ level markers). The first line of each entry is the image path, the second the command line as logged.

C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
  "C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\iog.exe
          "C:\Users\Admin\AppData\Local\Temp\iog.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\ProgramData\conhost.exe
              "C:\ProgramData\conhost.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
                  - Creates scheduled task(s)
            C:\ProgramData\svchost.exe
              "C:\ProgramData\svchost.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\schtasks.exe
                  /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
                  - Creates scheduled task(s)
                C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
                  "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
                  - Executes dropped EXE
                  - Checks computer location settings

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
      "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
      - Executes dropped EXE
      - Checks computer location settings

Reading the tree:
- The sample hollows AppLaunch.exe (RedLine), and the hollowed process drops and runs iog.exe, which installs the second family: iog.exe writes conhost.exe and svchost.exe into C:\ProgramData, system binary names in a directory any user can write to.
- Both scheduled tasks fire every minute. The first uses /SC MINUTE to run MoUSO.exe (the same file as the dropped conhost.exe, see Downloads) under a task name styled like an SID-suffixed cache entry. The second is a /sc once task with /ri 1 and /du 9999:59, i.e. repeat every minute for roughly 416 days, named COMSurrogate after the display name of dllhost.exe, and its action is a hidden-window powershell.exe.
- The image path is SysWOW64\schtasks.exe although the command line names System32: the dropped parents are 32-bit, so WoW64 file system redirection applies.
- The two top-level entries, MoUSO.exe and powershell.exe -windowstyle hidden, are those tasks firing; their parent, the Task Scheduler service, is outside the sandbox's tree.
- powershell.exe then runs Get-Variable.exe with cmdlet-style arguments (Name host ValueOnly True). PowerShell resolved its own Get-Variable command by name, and %LOCALAPPDATA%\Microsoft\WindowsApps, which is on the user's PATH by default, supplied the dropped executable instead of the cmdlet. This schtasks-plus-PowerShell command-lookup hijack is the persistence technique documented for Colibri Loader, the second family whose config was extracted above.
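The tree above carries three detection opportunities that do not depend on the hashes: Windows binary names running from outside System32/SysWOW64, a cmdlet-named executable sitting in a user-writable PATH directory, and schtasks invocations whose schedule, action and name are each suspicious on their own. The script below is an added example, not part of the sandbox report and not a published detection rule: ENTRIES are the image paths, command lines and parents transcribed from the tree, while the name lists, regexes and the five-minute interval threshold are assumptions chosen for this example. It parses the two schtasks command lines properly (quoted values, valueless switches such as /f) rather than grepping them.

```python
"""Triage of the sandbox process tree above: system binary names outside
System32, cmdlet-named executables on the user PATH, and schtasks persistence.
Added example, not part of the report: ENTRIES are transcribed from the
"Processes" section; the lists, regexes and thresholds are assumptions made
for this example, not a published detection rule."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
IOG = r"C:\Users\Admin\AppData\Local\Temp\iog.exe"
CONHOST, SVCHOST = r"C:\ProgramData\conhost.exe", r"C:\ProgramData\svchost.exe"
GETVAR = r"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
MOUSO = r"C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def entry(image, cmdline, parent=""):
    return {"image": image, "cmdline": cmdline, "parent": parent}


# Image, command line and parent image, as shown in the report's process tree.
ENTRIES = [
    entry(SAMPLE, f'"{SAMPLE}"'),
    entry(APPLAUNCH, f'"{APPLAUNCH}"', SAMPLE),
    entry(IOG, f'"{IOG}"', APPLAUNCH),
    entry(CONHOST, f'"{CONHOST}"', IOG),
    entry(SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE '
          r'/TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"', CONHOST),
    entry(SVCHOST, f'"{SVCHOST}"', IOG),
    entry(SCHTASKS, r'/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f '
          r'/tr "powershell.exe -windowstyle hidden"', SVCHOST),
    entry(GETVAR, f'"{GETVAR}"', SVCHOST),
    entry(MOUSO, MOUSO),                                 # top level: its task firing
    entry(PWSH, "powershell.exe -windowstyle hidden"),   # top level: the COMSurrogate task
    entry(GETVAR, f'"{GETVAR}" Name host ValueOnly True', PWSH),
]

# Assumed lists and patterns for this example.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\")
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe"}
SYSTEM_TASK_NAMES = {"comsurrogate", "onedrive", "windowsdefender"}
CMDLET_EXE = re.compile(r"^[A-Z][a-z]+-[A-Z][A-Za-z]+\.exe$")   # Verb-Noun.exe
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value-or-True} for a schtasks command line."""
    toks = tokenize(cmdline)
    if toks and toks[0].lower().endswith("schtasks.exe"):
        toks = toks[1:]
    opts, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 2
                continue
            opts[key] = True                 # valueless switch such as /f
        i += 1
    return opts


def assess_task(opts):
    """Findings for a parsed schtasks /create; [] for a benign-looking task."""
    tr, tn = str(opts.get("tr", "")).lower(), str(opts.get("tn", "")).lower()
    ri, findings = str(opts.get("ri", "")), []
    if str(opts.get("sc", "")).lower() == "minute" or (ri.isdigit() and int(ri) <= 5):
        findings.append("runs at minute-level interval")
    if any(p in tr for p in USER_WRITABLE):
        findings.append("action lives in a user-writable directory")
    if "powershell" in tr and "hidden" in tr:
        findings.append("action is hidden-window powershell")
    if tn in SYSTEM_TASK_NAMES:
        findings.append("task name mimics a Windows component")
    if str(opts.get("du", "")).startswith("9999"):
        findings.append("effectively unbounded duration")
    return findings


def assess_process(e):
    """Findings for one process-tree entry."""
    low = e["image"].lower()
    name = e["image"].rsplit("\\", 1)[-1]
    findings = []
    if name.lower() in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        findings.append(f"{name} running outside System32/SysWOW64")
    if CMDLET_EXE.match(name) and any(p in low for p in USER_WRITABLE):
        # A Verb-Noun.exe on the user PATH is what PowerShell finds when it
        # resolves that command name (WindowsApps is on PATH by default).
        findings.append(f"{name} is a cmdlet-named executable on the user PATH")
    if name.lower() == "schtasks.exe":
        findings += ["schtasks: " + f for f in assess_task(parse_schtasks(e["cmdline"]))]
    return findings


def triage(entries):
    """(image, cmdline, findings) for every entry with at least one finding."""
    return [(e["image"], e["cmdline"], f) for e in entries if (f := assess_process(e))]


if __name__ == "__main__":
    for image, cmdline, findings in triage(ENTRIES):
        print(image, "\n   ", cmdline, "\n   ", "; ".join(findings))
```

Six of the eleven entries are flagged: the two ProgramData copies of conhost.exe and svchost.exe, both schtasks calls (the COMSurrogate one trips four rules at once) and both Get-Variable.exe launches. MoUSO.exe is not caught, because a lookalike of MoUsoCoreWorker.exe needs a fuzzy name comparison that this example deliberately leaves out; the exact-name check is the part that has a near-zero false-positive rate.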
Downloads (dropped files)
Duplicate entries for the same path are collapsed. Two pairs of paths carry identical hashes, so only three distinct binaries were dropped: C:\ProgramData\conhost.exe is the same file as the MoUSO.exe its scheduled task launches, and C:\ProgramData\svchost.exe is the same file as the Get-Variable.exe it plants in WindowsApps.

- C:\ProgramData\conhost.exe and C:\Users\Admin\AppData\Local\cache\MoUSO.exe (same file)
  Filesize: 123KB
  MD5: 444b170a7bdc16d7fd17152db15903cd
  SHA1: b8be4f37da9f4c9c347f2df6917288706790d99c
  SHA256: 9e4e0263e1c40a5604d9332437d93901d1e6fa8d59c15a1185c2a9490ce9ec3d
  SHA512: 9914a66c7cb4b7661fd532354a2d72e3069bc811997a55ef447ae3e1e3b029e6f4f34a74bc1f97400b2f52b49bef48d1c8ef588c76974c430b493d298d8ada0f
- C:\ProgramData\svchost.exe and C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe (same file)
  Filesize: 140KB
  MD5: ad9c439c2a8bcae64c43f328ff11717c
  SHA1: a1e372fac21ee4d5ead0c803211cf23eeb9c597d
  SHA256: b481153e0b740d62b33602dd7f8e395b24fe2ca6d14c0b4906dcc7821728fd06
  SHA512: 4523d20bd73df8a145854f5f907140dca981643edc6aadbe6c932c2723cf123a3d2dd623dfefac760b7a2454c3f7e46b2d5388a33e638735948212f1e6c33938
- C:\Users\Admin\AppData\Local\Temp\iog.exe
  Filesize: 280KB
  MD5: 6ce5c00d5fce03683fcb3ea3526a0338
  SHA1: bf9a9f1c5766f0b32282fb2146854b9c2512ae40
  SHA256: 75bf5eb75f3044110bf3b14f358db9f42ad0aa677bfa78fed045aa52c01c07fe
  SHA512: 7b0fbfc7fe8c264a83709e3697239f357ce1ae5356de3fce1b51c61d62812d76b2f63adff5f0f25deeab1bb8b1e847f8bf0ea4d95659680984326ad8824df501
Memory dumps (behavioral2), grouped by PID; process names are taken from the signature tables above.

PID 1208, Get-Variable.exe (child of powershell.exe)
- memory/1208-176-0x0000000000000000-mapping.dmp
- memory/1208-178-0x000000007F7B0000-0x000000007F7CC000-memory.dmp (112KB)
- memory/1208-179-0x000000007F7A0000-0x000000007F7A7000-memory.dmp (28KB)
- memory/1208-180-0x000000007F7B0000-0x000000007F7CC000-memory.dmp (112KB)

PID 4168, powershell.exe
- memory/4168-172-0x000001AB4EA20000-0x000001AB4EA42000-memory.dmp (136KB)
- memory/4168-173-0x00007FFEAD300000-0x00007FFEADDC1000-memory.dmp (10.8MB)
- memory/4168-174-0x000001AB4EBA0000-0x000001AB4EBE4000-memory.dmp (272KB)
- memory/4168-175-0x000001AB4EFD0000-0x000001AB4F046000-memory.dmp (472KB)
- memory/4168-181-0x00007FFEAD300000-0x00007FFEADDC1000-memory.dmp (10.8MB)

PID 201264, AppLaunch.exe (hollowed RedLine host)
- memory/201264-130-0x0000000000000000-mapping.dmp
- memory/201264-131-0x0000000000400000-0x0000000000420000-memory.dmp (128KB), the family_redline YARA match
- memory/201264-136-0x0000000005BA0000-0x00000000061B8000-memory.dmp (6.1MB)
- memory/201264-137-0x00000000055F0000-0x0000000005602000-memory.dmp (72KB)
- memory/201264-138-0x0000000005720000-0x000000000582A000-memory.dmp (1.0MB)
- memory/201264-139-0x0000000005650000-0x000000000568C000-memory.dmp (240KB)
- memory/201264-140-0x0000000005990000-0x0000000005A06000-memory.dmp (472KB)
- memory/201264-141-0x0000000005AB0000-0x0000000005B42000-memory.dmp (584KB)
- memory/201264-142-0x0000000006770000-0x0000000006D14000-memory.dmp (5.6MB)
- memory/201264-143-0x0000000005B70000-0x0000000005B8E000-memory.dmp (120KB)
- memory/201264-144-0x0000000006490000-0x00000000064F6000-memory.dmp (408KB)
- memory/201264-145-0x0000000006F90000-0x0000000006FE0000-memory.dmp (320KB)
- memory/201264-146-0x00000000071B0000-0x0000000007372000-memory.dmp (1.8MB)
- memory/201264-147-0x00000000078B0000-0x0000000007DDC000-memory.dmp (5.2MB)

PID 201280, Get-Variable.exe (child of the dropped svchost.exe)
- memory/201280-162-0x0000000000000000-mapping.dmp
- memory/201280-167-0x000000007EEC0000-0x000000007EEDC000-memory.dmp (112KB)
- memory/201280-168-0x000000007EEB0000-0x000000007EEB7000-memory.dmp (28KB)
- memory/201280-169-0x000000007EEB0000-0x000000007EEB7000-memory.dmp (28KB)

PID 201472, iog.exe
- memory/201472-148-0x0000000000000000-mapping.dmp
- memory/201472-157-0x0000000000540000-0x0000000000588000-memory.dmp (288KB)

PID 201500, conhost.exe (dropped)
- memory/201500-151-0x0000000000000000-mapping.dmp

PID 201516, svchost.exe (dropped)
- memory/201516-154-0x0000000000000000-mapping.dmp
- memory/201516-158-0x000000007FE30000-0x000000007FE4C000-memory.dmp (112KB)
- memory/201516-159-0x000000007FE20000-0x000000007FE27000-memory.dmp (28KB)
- memory/201516-164-0x000000007FE30000-0x000000007FE4C000-memory.dmp (112KB)
- memory/201516-166-0x000000007FE20000-0x000000007FE27000-memory.dmp (28KB)

PID 201628, schtasks.exe
- memory/201628-160-0x0000000000000000-mapping.dmp

PID 201712, schtasks.exe
- memory/201712-161-0x0000000000000000-mapping.dmp