Analysis
max time kernel: 145s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/08/2022, 15:31
General
Target: 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe
Size: 5.5MB
MD5: 33aa563b86abcfa2aeb9dd00e51289fa
SHA1: 694cc8fab1dc068353755a5240a81fd8a8e8a6e5
SHA256: 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e
SHA512: a8b327ebbec8685afb0da48d9f58d14190ee1765e23b091542ed1b8d7c36f60673c20ee2526a420b53b59563b9a11d1379b88807605959ba8fe32d38d8a6a3fa
SSDEEP: 98304:AGgygITz1UdCYinJxNQvLkr1ndAo1A1ebIyIPwNTVg/Qb/73fd7VpZ7rN9Lb+6iV:8yzTz1UdCzJxp61e5IPwNVgy7bZ9LyAU
Malware Config
Extracted
Family: redline
C2: 78.24.216.5:42717
auth_value: 6687e352a0604d495c3851d248ebf06f
Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000022f60-139.dat | family_redline
behavioral1/files/0x0008000000022f60-138.dat | family_redline
behavioral1/memory/4160-140-0x0000000000E20000-0x0000000000E40000-memory.dmp | family_redline

Executes dropped EXE (2 IoCs)
pid | Process
3048 | setup.exe
4160 | 8999.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3048 | setup.exe (the same entry is repeated for all 64 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3048 | setup.exe
Token: SeDebugPrivilege | 4160 | 8999.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2220 wrote to memory of 3048 | 2220 | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe | 88
PID 2220 wrote to memory of 3048 | 2220 | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe | 88
PID 2220 wrote to memory of 3048 | 2220 | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe | 88
PID 2220 wrote to memory of 4160 | 2220 | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe | 90
PID 2220 wrote to memory of 4160 | 2220 | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe | 90
PID 2220 wrote to memory of 4160 | 2220 | 8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a4b5176576b98b771d30995895093fea1241bf3a18b70b102ddd9d9d792744e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2220

  C:\Users\Admin\AppData\Local\Temp\setup.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3048

  C:\Users\Admin\AppData\Local\Temp\8999.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8999.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4160
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 104KB
MD5: 0b174e99b13fdf6457499674f5a5d0c7
SHA1: d50429c030cd8f8d6abdc39f58e4c4564cb43296
SHA256: 08949e1a10373bccfe4d0bc7a4d61fd8e9967f55dc1b09c11151ba6286ff084e
SHA512: 540995128a9f850eb755c365bebfcab1bc1a556fe1035e602c4e230f84f5f35d3f7fbe676c1be0783223c5e163bdeb2ba6373d06ab1c715952b917700cacbb75

Filesize: 5.4MB
MD5: b492114ff1576b24a8be57cecfafe123
SHA1: 035157d2d7fc1f8fdebf917959179ce3c97cc9ce
SHA256: 46e7334be57868f538584058f6525f83d5ccde6af9ee43095b213da2cfd49a6f
SHA512: e9bdc91ea3e475c33a2e1c3baf341f93144bb8067fb5de5a81ca5cc7984ef80103a7d157731176213b4b762002be49522f643129423c9a60614626ee4856cdc0