Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-09-2022 17:44
General
-
Target
file.exe
-
Size
2.2MB
-
MD5
106adc0183d444263d6675db1a2e9540
-
SHA1
d4479ce12196290bea418795e36628a136021949
-
SHA256
5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3
-
SHA512
921aa6487e6bb524fab9dad94b59c65f2a567965d845490fd5ada5c27be3e23889d22700591ca581cf639c6662b33d61d3e42b2fe87a52482050edd5a91110fb
-
SSDEEP
49152:F70aLyun15F4UfHlSQWeBGnWSglFJp+uRp4LgCBAvQlAXHzziRy2oqIR7R4j:FAaLyun15FHnJsWJ0oH4lAgSJR2
Malware Config
Extracted
redline
5
116.203.187.3:14916
-
auth_value
febe6965b41d2583ad2bb6b5aa23cfd5
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 302⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\file.exeC:\Users\Admin\AppData\Local\Temp\file.exe2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mnr.exe"C:\Users\Admin\AppData\Local\Temp\mnr.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D1E556C8-D857-4BDD-B033-F857A07FC714} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\mnr.exeC:\Users\Admin\AppData\Roaming\mnr.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD583f5b59561ffd68339e06f5e007537bf
SHA1235df5c30aeba5f1f2fa93ea93a18f31f863460d
SHA256dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a
SHA512cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7
-
Filesize
1.1MB
MD583f5b59561ffd68339e06f5e007537bf
SHA1235df5c30aeba5f1f2fa93ea93a18f31f863460d
SHA256dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a
SHA512cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7
-
Filesize
7KB
MD51d644f1f9e4ab38d6b11e7264c10732d
SHA1e120d38c6000034095be82fd0348292ac5b5fded
SHA25663caa9114e2c93633a365ce604b35c2e46f76b160c1682216b3522e864ef4dbf
SHA512bc1f7f512125861478e9c8a92345b17c9baf3723243c3dc32c2978cf96175b764844db08c954ff776857e7bed09d992876b7845a464248f58b32fa7820e7a4e9
-
Filesize
1.1MB
MD583f5b59561ffd68339e06f5e007537bf
SHA1235df5c30aeba5f1f2fa93ea93a18f31f863460d
SHA256dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a
SHA512cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7
-
Filesize
1.1MB
MD583f5b59561ffd68339e06f5e007537bf
SHA1235df5c30aeba5f1f2fa93ea93a18f31f863460d
SHA256dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a
SHA512cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.1MB
MD583f5b59561ffd68339e06f5e007537bf
SHA1235df5c30aeba5f1f2fa93ea93a18f31f863460d
SHA256dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a
SHA512cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7
-
Filesize
1.1MB
MD583f5b59561ffd68339e06f5e007537bf
SHA1235df5c30aeba5f1f2fa93ea93a18f31f863460d
SHA256dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a
SHA512cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7
-
Filesize
3.0MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
8KB
-
-
Filesize
128KB
-
Filesize
128KB
-
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.1MB
-
Filesize
8KB
-
Filesize
2.2MB
-
Filesize
5.7MB
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
1.1MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
-
-
Filesize
444KB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
344KB
-
Filesize
2.0MB
-
Filesize
1.2MB
-
Filesize
264KB
-
Filesize
1.1MB
-
Filesize
9.9MB
-
Filesize
876KB
-
Filesize
988KB
-
Filesize
452KB
-
Filesize
432KB
-
Filesize
1.1MB
-
Filesize
636KB
-
Filesize
624KB
-
Filesize
412KB
-
Filesize
1000KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
432KB
-
Filesize
580KB
-
Filesize
124KB
-
Filesize
452KB
-
Filesize
1.1MB
-
Filesize
636KB
-
Filesize
1.1MB
-
Filesize
1000KB
-
Filesize
412KB
-
Filesize
624KB
-
Filesize
444KB
-
Filesize
988KB
-
Filesize
876KB
-
Filesize
336KB
-
Filesize
264KB
-
Filesize
9.9MB
-
Filesize
1.2MB
-
Filesize
2.0MB
-
Filesize
264KB
-
Filesize
304KB
-
Filesize
860KB
-
Filesize
124KB
-
Filesize
92KB
-
-
Filesize
136KB
-
Filesize
312KB
-
Filesize
664KB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
344KB