Analysis

max time kernel: 76s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2022 23:00
Static task: static1

Behavioral task: behavioral1
  Sample: Document.pdf.scr
  Resource: win7-20220715-en

Behavioral task: behavioral2
  Sample: Document.pdf.scr
  Resource: win10v2004-20220721-en
General

Target: Document.pdf.scr
Size: 700.0MB
MD5: 2b2400b8f0d578e12b79193ad0ca4de9
SHA1: f9d9f1cdb93a0344e71692260d04d5f2f820d7d5
SHA256: 50c4600abe6b9a01aa19a65d6525b0507f943271df564bd7e019e3b5ffa98274
SHA512: 6b1b6608476f339ea3ba37b02178a606b51759e4e27e838680c5dc95c5d3e30d712e4dede45c15e9e2b8adbdaea4ae11de9be33b843d0b5aeca4c89fa38565b6
Malware Config

Extracted
  Family: redline
  Botnet: 4
  C2: 62.204.41.139:25190
  auth_value: e3f1c684b72f36028881fd28e808729c
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/2596-142-0x0000000000400000-0x0000000000420000-memory.dmp    family_redline

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: Document.pdf.scr
    description         ioc                                                                                                      process
    Key value queried   \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation   Document.pdf.scr

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
  Processes: Document.pdf.scr
    description                          pid   process            target process
    PID 944 set thread context of 2596   944   Document.pdf.scr   AppLaunch.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe, Document.pdf.scr, AppLaunch.exe
    pid    process
    4388   powershell.exe
    4388   powershell.exe
    944    Document.pdf.scr
    944    Document.pdf.scr
    2596   AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Document.pdf.scr, powershell.exe, AppLaunch.exe
    description               pid    process
    Token: SeDebugPrivilege   944    Document.pdf.scr
    Token: SeDebugPrivilege   4388   powershell.exe
    Token: SeDebugPrivilege   2596   AppLaunch.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Document.pdf.scr
    description                       pid   process            target process
    PID 944 wrote to memory of 4388   944   Document.pdf.scr   powershell.exe   (3 events)
    PID 944 wrote to memory of 2596   944   Document.pdf.scr   AppLaunch.exe    (8 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document.pdf.scr" /S
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -enc argument is UTF-16LE base64 and decodes to Start-Sleep -Seconds 20)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (tree level 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/944-130-0x00000000002B0000-0x00000000005CC000-memory.dmp (Filesize: 3.1MB)
- memory/944-131-0x0000000005EF0000-0x0000000006494000-memory.dmp (Filesize: 5.6MB)
- memory/944-132-0x0000000005B30000-0x0000000005B52000-memory.dmp (Filesize: 136KB)
- memory/2596-150-0x0000000008090000-0x00000000080E0000-memory.dmp (Filesize: 320KB)
- memory/2596-151-0x0000000008D40000-0x0000000008F02000-memory.dmp (Filesize: 1.8MB)
- memory/2596-152-0x0000000009B00000-0x000000000A02C000-memory.dmp (Filesize: 5.2MB)
- memory/2596-145-0x0000000007CE0000-0x0000000007DEA000-memory.dmp (Filesize: 1.0MB)
- memory/2596-149-0x0000000005F20000-0x0000000005F3E000-memory.dmp (Filesize: 120KB)
- memory/2596-148-0x0000000005F60000-0x0000000005FF2000-memory.dmp (Filesize: 584KB)
- memory/2596-147-0x0000000005E40000-0x0000000005EB6000-memory.dmp (Filesize: 472KB)
- memory/2596-146-0x0000000007C10000-0x0000000007C4C000-memory.dmp (Filesize: 240KB)
- memory/2596-141-0x0000000000000000-mapping.dmp
- memory/2596-142-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/2596-143-0x00000000062D0000-0x00000000068E8000-memory.dmp (Filesize: 6.1MB)
- memory/2596-144-0x0000000006250000-0x0000000006262000-memory.dmp (Filesize: 72KB)
- memory/4388-135-0x0000000005020000-0x0000000005648000-memory.dmp (Filesize: 6.2MB)
- memory/4388-140-0x0000000006250000-0x000000000626A000-memory.dmp (Filesize: 104KB)
- memory/4388-139-0x0000000007420000-0x0000000007A9A000-memory.dmp (Filesize: 6.5MB)
- memory/4388-138-0x0000000005D70000-0x0000000005D8E000-memory.dmp (Filesize: 120KB)
- memory/4388-137-0x0000000005730000-0x0000000005796000-memory.dmp (Filesize: 408KB)
- memory/4388-136-0x00000000056C0000-0x0000000005726000-memory.dmp (Filesize: 408KB)
- memory/4388-134-0x0000000002790000-0x00000000027C6000-memory.dmp (Filesize: 216KB)
- memory/4388-133-0x0000000000000000-mapping.dmp