Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2022 15:07
Static task
static1
Behavioral task
behavioral1
Sample
59713a068408f7f956a62ea5776a305f.exe
Resource
win7-20220715-en
General
-
Target
59713a068408f7f956a62ea5776a305f.exe
-
Size
795KB
-
MD5
59713a068408f7f956a62ea5776a305f
-
SHA1
b4908968edf3cc51c6e3d7351056c17df60eabb8
-
SHA256
ef51cd27a4e90f92b82791d972419291ec2aa98bb950e8b64447a8cc4d5207ac
-
SHA512
b416b5bfabaec0de704ae07b7110635a9485405fae4c45091b564edf76b3a1e2034df7e00944c43df520bd6b7eca6e7e30d3e551fb7ad938ccd5115cb5af7ea6
Malware Config
Extracted
redline
TPB
amrican-sport-live-stream.cc:4581
-
auth_value
9af3f668d2aa93965a3f83753e8ccb3f
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2100-138-0x0000000000400000-0x0000000000444000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
59713a068408f7f956a62ea5776a305f.exedescription pid process target process PID 2720 set thread context of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
59713a068408f7f956a62ea5776a305f.exeRegAsm.exepid process 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2720 59713a068408f7f956a62ea5776a305f.exe 2100 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
59713a068408f7f956a62ea5776a305f.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 2720 59713a068408f7f956a62ea5776a305f.exe Token: SeDebugPrivilege 2100 RegAsm.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
59713a068408f7f956a62ea5776a305f.exedescription pid process target process PID 2720 wrote to memory of 1820 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 1820 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 1820 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 4880 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 4880 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 4880 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe PID 2720 wrote to memory of 2100 2720 59713a068408f7f956a62ea5776a305f.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\59713a068408f7f956a62ea5776a305f.exe"C:\Users\Admin\AppData\Local\Temp\59713a068408f7f956a62ea5776a305f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1820-135-0x0000000000000000-mapping.dmp
-
memory/2100-142-0x0000000005900000-0x000000000593C000-memory.dmpFilesize
240KB
-
memory/2100-143-0x0000000006950000-0x00000000069C6000-memory.dmpFilesize
472KB
-
memory/2100-139-0x0000000005E40000-0x0000000006458000-memory.dmpFilesize
6.1MB
-
memory/2100-147-0x000000000A2D0000-0x000000000A7FC000-memory.dmpFilesize
5.2MB
-
memory/2100-140-0x00000000058A0000-0x00000000058B2000-memory.dmpFilesize
72KB
-
memory/2100-146-0x0000000009650000-0x0000000009812000-memory.dmpFilesize
1.8MB
-
memory/2100-137-0x0000000000000000-mapping.dmp
-
memory/2100-141-0x00000000059D0000-0x0000000005ADA000-memory.dmpFilesize
1.0MB
-
memory/2100-145-0x0000000006E10000-0x0000000006E60000-memory.dmpFilesize
320KB
-
memory/2100-144-0x0000000006D20000-0x0000000006D3E000-memory.dmpFilesize
120KB
-
memory/2100-138-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/2720-131-0x0000000005840000-0x0000000005862000-memory.dmpFilesize
136KB
-
memory/2720-130-0x0000000000CE0000-0x0000000000DAC000-memory.dmpFilesize
816KB
-
memory/2720-132-0x0000000005930000-0x0000000005996000-memory.dmpFilesize
408KB
-
memory/2720-133-0x0000000033D00000-0x0000000033D92000-memory.dmpFilesize
584KB
-
memory/2720-134-0x0000000034350000-0x00000000348F4000-memory.dmpFilesize
5.6MB
-
memory/4880-136-0x0000000000000000-mapping.dmp