Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
- submitted: 11-08-2022 16:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: GrandTheftAutoVcheat.exe
- Resource: win7-20220718-en
General
- Target: GrandTheftAutoVcheat.exe
- Size: 421KB
- MD5: 58fc3bb157e30334818c6f8a184ed14a
- SHA1: e89d26ebdd8585840094db45d60968455bcfd822
- SHA256: 0c30a372c59133044f5e0c6c7a4779515f64b2a3f03c0ee66549c3216873a1dd
- SHA512: 91a4cfe6cbab2db859eec1c0e24da16c77d88d17d9355ada82ab4728cd7b522387c864a6c379313f75f1334d4e78322cc7808d25703f3c72bcc74e56438ad895
Malware Config
Extracted
- Family: redline
- @foruman
- 185.106.92.226:40788
- auth_value: bd15c39173a26033961a0c806b2b4684
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral1/memory/944-55-0x0000000000880000-0x00000000008A0000-memory.dmp | family_redline
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1220 | tmp84B.tmp.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid | process
  848 | WerFault.exe (the same entry is listed once per IoC, 5 times)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  848 | 1220 | WerFault.exe | tmp84B.tmp.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  Processes:
  pid | process
  944 | GrandTheftAutoVcheat.exe (the same entry is listed once per IoC, 53 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 944 | GrandTheftAutoVcheat.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 944 wrote to memory of 1220 | 944 | GrandTheftAutoVcheat.exe | tmp84B.tmp.exe (listed 4 times)
  PID 1220 wrote to memory of 848 | 1220 | tmp84B.tmp.exe | WerFault.exe (listed 4 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\GrandTheftAutoVcheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GrandTheftAutoVcheat.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 44
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
  Filesize: 52KB
  MD5: d8e1495b46cded57eb1423b8bb789834
  SHA1: db64bc20550e51c602dbb92d07c8f02842efebcc
  SHA256: aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
  SHA512: 8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
- \Users\Admin\AppData\Local\Temp\tmp84B.tmp.exe
  Filesize: 52KB
  MD5: d8e1495b46cded57eb1423b8bb789834
  SHA1: db64bc20550e51c602dbb92d07c8f02842efebcc
  SHA256: aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8
  SHA512: 8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb
- memory/848-58-0x0000000000000000-mapping.dmp
- memory/944-54-0x000000013F8B0000-0x000000013F91E000-memory.dmp
  Filesize: 440KB
- memory/944-55-0x0000000000880000-0x00000000008A0000-memory.dmp
  Filesize: 128KB
- memory/1220-56-0x0000000000000000-mapping.dmp