Analysis
-
max time kernel
51s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-08-2022 09:41
General
-
Target
Panel.exe
-
Size
9.3MB
-
MD5
f4e19b67ef27af1434151a512860574e
-
SHA1
56304fc2729974124341e697f3b21c84a8dd242a
-
SHA256
c7a8709013ada38fc2e1ceb3b15631f2aea8e156eb3f0aa197e02df1259a493a
-
SHA512
a92e73d58c51bb74618987f06166f52a65ed1525410aec1b8e377ea8547c1123e313e13e305310f7a750c4561756d87ff558670bf4df8b62ea874d6f7c14ca77
-
SSDEEP
196608:mJQaPHrQqXs140qMhu8369sV+HLz9SKUeNdDhHidVI1SM52n3iWuUZ/c1sxXoP3p:mJQaPHrQqXs140qMhu8369sV+HLz9SKI
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Panel.exe"C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2096 -s 22203⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4844 -s 26202⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4844 -ip 48441⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 508 -p 2096 -ip 20961⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2096-2723-0x000000002083A000-0x000000002083D000-memory.dmpFilesize
12KB
-
memory/2096-3987-0x000000002083D000-0x0000000020840000-memory.dmpFilesize
12KB
-
memory/2096-3988-0x0000000020840000-0x0000000020845000-memory.dmpFilesize
20KB
-
memory/2096-3989-0x0000000020845000-0x000000002084A000-memory.dmpFilesize
20KB
-
memory/2096-3986-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/2096-3984-0x000000000054C000-0x000000000054F000-memory.dmpFilesize
12KB
-
memory/2096-3971-0x000000002084A000-0x000000002084F000-memory.dmpFilesize
20KB
-
memory/2096-3865-0x000000002083A000-0x000000002083D000-memory.dmpFilesize
12KB
-
memory/2096-3657-0x0000000020837000-0x000000002083A000-memory.dmpFilesize
12KB
-
memory/2096-3659-0x0000000020845000-0x000000002084A000-memory.dmpFilesize
20KB
-
memory/2096-2051-0x0000000000000000-mapping.dmp
-
memory/2096-3293-0x0000000020840000-0x0000000020845000-memory.dmpFilesize
20KB
-
memory/2096-3292-0x0000000020830000-0x0000000020833000-memory.dmpFilesize
12KB
-
memory/2096-3161-0x000000000054C000-0x000000000054F000-memory.dmpFilesize
12KB
-
memory/2096-3035-0x000000002083D000-0x0000000020840000-memory.dmpFilesize
12KB
-
memory/2096-2982-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/2096-2479-0x0000000020837000-0x000000002083A000-memory.dmpFilesize
12KB
-
memory/2096-2257-0x0000000020830000-0x0000000020833000-memory.dmpFilesize
12KB
-
memory/2096-2158-0x000000000054C000-0x000000000054F000-memory.dmpFilesize
12KB
-
memory/2096-2085-0x000000001AC40000-0x000000001ADE0000-memory.dmpFilesize
1.6MB
-
memory/2096-2083-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/2096-3985-0x0000000020830000-0x0000000020833000-memory.dmpFilesize
12KB
-
memory/4844-189-0x000000001DAB0000-0x000000001DABA000-memory.dmpFilesize
40KB
-
memory/4844-2326-0x000000000053C000-0x000000000053F000-memory.dmpFilesize
12KB
-
memory/4844-477-0x0000000020830000-0x0000000020833000-memory.dmpFilesize
12KB
-
memory/4844-1025-0x0000000020837000-0x000000002083A000-memory.dmpFilesize
12KB
-
memory/4844-1157-0x000000002083A000-0x000000002083D000-memory.dmpFilesize
12KB
-
memory/4844-1154-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/4844-1311-0x000000002083D000-0x0000000020840000-memory.dmpFilesize
12KB
-
memory/4844-1462-0x000000000053C000-0x000000000053F000-memory.dmpFilesize
12KB
-
memory/4844-197-0x000000001DD60000-0x000000001DEA2000-memory.dmpFilesize
1.3MB
-
memory/4844-196-0x000000001DD60000-0x000000001DEA2000-memory.dmpFilesize
1.3MB
-
memory/4844-159-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/4844-194-0x000000001DAB0000-0x000000001DABA000-memory.dmpFilesize
40KB
-
memory/4844-193-0x000000001DAB0000-0x000000001DABA000-memory.dmpFilesize
40KB
-
memory/4844-2119-0x0000000020837000-0x000000002083A000-memory.dmpFilesize
12KB
-
memory/4844-2120-0x0000000020845000-0x000000002084A000-memory.dmpFilesize
20KB
-
memory/4844-192-0x000000001DAB0000-0x000000001DABA000-memory.dmpFilesize
40KB
-
memory/4844-2157-0x000000002083A000-0x000000002083D000-memory.dmpFilesize
12KB
-
memory/4844-190-0x00007FF8C9C30000-0x00007FF8C9D7E000-memory.dmpFilesize
1.3MB
-
memory/4844-2321-0x000000002083D000-0x0000000020840000-memory.dmpFilesize
12KB
-
memory/4844-2324-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/4844-2325-0x000000002084A000-0x000000002084F000-memory.dmpFilesize
20KB
-
memory/4844-217-0x000000000053C000-0x000000000053F000-memory.dmpFilesize
12KB
-
memory/4844-2328-0x0000000020830000-0x0000000020833000-memory.dmpFilesize
12KB
-
memory/4844-2330-0x0000000020840000-0x0000000020845000-memory.dmpFilesize
20KB
-
memory/4844-2331-0x0000000020845000-0x000000002084A000-memory.dmpFilesize
20KB
-
memory/4844-133-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/4844-132-0x00007FF8CB870000-0x00007FF8CC331000-memory.dmpFilesize
10.8MB
-
memory/4844-182-0x000000001DAA0000-0x000000001DAAA000-memory.dmpFilesize
40KB
-
memory/4844-180-0x000000001DAA0000-0x000000001DAAA000-memory.dmpFilesize
40KB
-
memory/4844-178-0x000000001DAA0000-0x000000001DAAA000-memory.dmpFilesize
40KB
-
memory/4844-176-0x000000001DAA0000-0x000000001DAAA000-memory.dmpFilesize
40KB
-
memory/4844-158-0x000000001DD60000-0x000000001DEA2000-memory.dmpFilesize
1.3MB
-
memory/4844-160-0x000000001AB30000-0x000000001ACD0000-memory.dmpFilesize
1.6MB
-
memory/4844-151-0x000000001D990000-0x000000001DAD2000-memory.dmpFilesize
1.3MB
-
memory/4844-146-0x000000001D990000-0x000000001DAD2000-memory.dmpFilesize
1.3MB
-
memory/4844-144-0x000000001D990000-0x000000001DAD2000-memory.dmpFilesize
1.3MB
-
memory/4844-140-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/4844-1722-0x0000000020830000-0x0000000020833000-memory.dmpFilesize
12KB
-
memory/4844-136-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/4844-1598-0x0000000020840000-0x0000000020845000-memory.dmpFilesize
20KB
-
memory/4844-138-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB
-
memory/4844-134-0x0000000180000000-0x0000000180005000-memory.dmpFilesize
20KB