Analysis
- max time kernel: 56s
- max time network: 72s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 30-07-2022 12:27
Static task: static1
Behavioral task: behavioral1
- Sample: Installer.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: Installer.exe
- Resource: win10v2004-20220721-en
General
- Target: Installer.exe
- Size: 700.0MB
- MD5: 40d4f96d2d61e133fb1e5ed913519d1a
- SHA1: c568b67141ad743982b06ccd1cdbb28450971c63
- SHA256: 338c709ef0a8f67f35d7482ad902486e0d2bf2eb5c4ec88822fff879ea410ca3
- SHA512: dbca0f7032299078279580efa349758e7f305d3c3c7748b7ab8adb971e6bf12c46f12a2e1a468d542bcf701a6261d818f6e2a8b13ad005adae3cd8a1fb8ad4da
Malware Config
Extracted
- redline
- mix2
- 185.215.113.98:8942
- auth_value: 0c8a87333f20ae8c0f5b594039fbada9
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (6 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1692-65-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/1692-64-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/1692-66-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/1692-67-0x000000000041ADDE-mapping.dmp  family_redline
  behavioral1/memory/1692-69-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral1/memory/1692-71-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  PID 608 set thread context of 1692  608  Installer.exe  InstallUtil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid / process):
  1588  timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  608   Installer.exe
  1692  InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  1692  InstallUtil.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process), duplicate rows collapsed with their count:
  PID 608 wrote to memory of 1116   608   Installer.exe  cmd.exe          (4 entries)
  PID 1116 wrote to memory of 1588  1116  cmd.exe        timeout.exe      (4 entries)
  PID 608 wrote to memory of 1692   608   Installer.exe  InstallUtil.exe  (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Installer.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe  (depth 3)
      command line: timeout 20
      - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/608-54-0x0000000000390000-0x0000000000478000-memory.dmp  Filesize: 928KB
- memory/608-55-0x0000000001F70000-0x0000000001FC6000-memory.dmp  Filesize: 344KB
- memory/608-56-0x0000000004A00000-0x0000000004A7E000-memory.dmp  Filesize: 504KB
- memory/608-57-0x0000000007020000-0x000000000706C000-memory.dmp  Filesize: 304KB
- memory/608-58-0x0000000074F01000-0x0000000074F03000-memory.dmp  Filesize: 8KB
- memory/1116-59-0x0000000000000000-mapping.dmp
- memory/1588-60-0x0000000000000000-mapping.dmp
- memory/1692-61-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1692-62-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1692-65-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1692-64-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1692-66-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1692-67-0x000000000041ADDE-mapping.dmp
- memory/1692-69-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
- memory/1692-71-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB