Analysis
max time kernel: 57s
max time network: 63s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2022 14:53
Behavioral tasks
Behavioral task | Sample   | Resource
behavioral1     | file.exe | win7-20220812-en
behavioral2     | file.exe | win10v2004-20220901-en
General
Target: file.exe
Size: 7.3MB
MD5: 4fade52bc24fbd95f4ce91c088f7badf
SHA1: a0e46aa6a7cb670dd7d7f69b0d467b432e267fed
SHA256: f66e317ed473eefa183bd115409da21ae3a4c0a5ba63b71d8b71d78811293d1a
SHA512: 669cb10a04b6a8231d625fdbdb46e9f94c08a559b607336344f1030ab436966beb98b557a6090ec272694211c747b49d4ffe9dd8eb5054126c7396b0e2716ca9
SSDEEP: 98304:eVhpkZoduG52loermUrbd5oJ8y78qRS/f5XFTwkqj6evniyHStfyywG2iP:eVXjsG52loMmcGYqRQF86evzSFwG2iP
Malware Config
Extracted
Family: redline
Botnet: 3108_RUZKI
C2: 213.219.247.199:9452
auth_value: f71fed1cd094e4e1eb7ad1c53e542bca
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
Processes:
Resource                                                                     | YARA rule
behavioral1/memory/272-74-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/272-75-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/272-76-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/272-77-0x000000000041ADD2-mapping.dmp                   | family_redline
behavioral1/memory/272-79-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/272-81-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
Description | IoC                                          | Process
Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
Description       | IoC                                                                  | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | file.exe
Themida packer (YARA rule themida) (3 IoCs)
Processes:
Resource                                                                     | YARA rule
behavioral1/memory/864-56-0x0000000000320000-0x0000000000A74000-memory.dmp | themida
behavioral1/memory/864-57-0x0000000000320000-0x0000000000A74000-memory.dmp | themida
behavioral1/memory/864-82-0x0000000000320000-0x0000000000A74000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks whether UAC is enabled (1 IoC)
Processes:
Description       | IoC                                                                                  | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
PID | Process
864 | file.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
Description                           | PID | Process  | Target process
PID 864 set thread context of 272     | 864 | file.exe | InstallUtil.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
PID  | Process
864  | file.exe
1208 | powershell.exe
864  | file.exe
468  | powershell.exe
272  | InstallUtil.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
Description              | PID  | Process
Token: SeDebugPrivilege  | 1208 | powershell.exe
Token: SeDebugPrivilege  | 864  | file.exe
Token: SeDebugPrivilege  | 468  | powershell.exe
Token: SeDebugPrivilege  | 272  | InstallUtil.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
Description                        | PID | Process  | Target process
PID 864 wrote to memory of 1208    | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 1208    | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 1208    | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 1208    | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 468     | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 468     | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 468     | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 468     | 864 | file.exe | powershell.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
PID 864 wrote to memory of 272     | 864 | file.exe | InstallUtil.exe
Processes (process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 30
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 10)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: ae61b810dabf11e9af0b712bf474bf65
SHA1: 969cd5b3996a84a901f623cd9c94e45c274d2904
SHA256: 986eb55b9b11c2ee9de4fe65d434248138616474340ee3ad0b8255acb7574b2c
SHA512: 359754fd0962d6e100874bfdd9f4b385da9d20365ed20c8c29e17959aad08054d558a85a1d991fee8dca7f5bfef54109d961eb4551419e1814d45e2e7d8d7a4e

Memory dumps
Dump                                                              | Filesize
memory/272-81-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/272-79-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/272-77-0x000000000041ADD2-mapping.dmp                     |
memory/272-76-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/272-75-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/272-74-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/272-72-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/272-71-0x0000000000400000-0x0000000000420000-memory.dmp   | 128KB
memory/468-69-0x000000006F310000-0x000000006F8BB000-memory.dmp   | 5.7MB
memory/468-70-0x000000006F310000-0x000000006F8BB000-memory.dmp   | 5.7MB
memory/468-66-0x0000000000000000-mapping.dmp                     |
memory/864-62-0x0000000000320000-0x0000000000A74000-memory.dmp   | 7.3MB
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp   | 8KB
memory/864-63-0x00000000770F0000-0x0000000077270000-memory.dmp   | 1.5MB
memory/864-65-0x0000000005610000-0x00000000057C4000-memory.dmp   | 1.7MB
memory/864-58-0x00000000770F0000-0x0000000077270000-memory.dmp   | 1.5MB
memory/864-57-0x0000000000320000-0x0000000000A74000-memory.dmp   | 7.3MB
memory/864-56-0x0000000000320000-0x0000000000A74000-memory.dmp   | 7.3MB
memory/864-82-0x0000000000320000-0x0000000000A74000-memory.dmp   | 7.3MB
memory/864-83-0x00000000770F0000-0x0000000077270000-memory.dmp   | 1.5MB
memory/1208-64-0x00000000711B0000-0x000000007175B000-memory.dmp  | 5.7MB
memory/1208-61-0x00000000711B0000-0x000000007175B000-memory.dmp  | 5.7MB
memory/1208-59-0x0000000000000000-mapping.dmp                    |