Analysis
max time kernel: 96s
max time network: 104s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2022 17:47
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
Target: file.exe
Size: 2.2MB
MD5: 106adc0183d444263d6675db1a2e9540
SHA1: d4479ce12196290bea418795e36628a136021949
SHA256: 5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3
SHA512: 921aa6487e6bb524fab9dad94b59c65f2a567965d845490fd5ada5c27be3e23889d22700591ca581cf639c6662b33d61d3e42b2fe87a52482050edd5a91110fb
SSDEEP: 49152:F70aLyun15F4UfHlSQWeBGnWSglFJp+uRp4LgCBAvQlAXHzziRy2oqIR7R4j:FAaLyun15FHnJsWJ0oH4lAgSJR2
Malware Config
Extracted
Family: redline
Botnet: 5
C2: 116.203.187.3:14916
Attributes:
  auth_value: febe6965b41d2583ad2bb6b5aa23cfd5
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1948-70-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1948-71-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1948-72-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1948-73-0x000000000041ADBA-mapping.dmp | family_redline
  behavioral1/memory/1948-75-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/1948-77-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tehtosfc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gsvigc\\Tehtosfc.exe\"" | file.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1788 set thread context of 1948 | 1788 | file.exe | file.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  980 | powershell.exe
  1788 | file.exe
  1612 | powershell.exe
  1788 | file.exe
  1948 | file.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 980 | powershell.exe
  Token: SeDebugPrivilege | 1788 | file.exe
  Token: SeDebugPrivilege | 1612 | powershell.exe
  Token: SeDebugPrivilege | 1948 | file.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | target process
  PID 1788 wrote to memory of 980 | 1788 | file.exe | powershell.exe (4 entries)
  PID 1788 wrote to memory of 1612 | 1788 | file.exe | powershell.exe (4 entries)
  PID 1788 wrote to memory of 1164 | 1788 | file.exe | file.exe (4 entries)
  PID 1788 wrote to memory of 1948 | 1788 | file.exe | file.exe (9 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1788
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 30
    PID: 980
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    (the -enc argument is base64 of the UTF-16LE string: Start-Sleep -Seconds 50)
    PID: 1612
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
    PID: 1164

  C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
    PID: 1948
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: d1f26c8aef6cb54dd7e1a8b59417b3ce
  SHA1: c42d13fd87e44dc30f7586416e83419a9d36688c
  SHA256: 51cf868f944943fa5a10a577623bf21db8ea8d3944284b529797d1794df8ad97
  SHA512: 5217022049bd8c331b2d91850c8ead2ea2671629d93e74dd97e49889409f12914a4ebc04b393aa000c56f469bb0581ffb2505a4e8e028ad3e37569524004e344

memory/980-59-0x00000000713B0000-0x000000007195B000-memory.dmp (Filesize: 5.7MB)
memory/980-56-0x0000000000000000-mapping.dmp
memory/980-58-0x00000000713B0000-0x000000007195B000-memory.dmp (Filesize: 5.7MB)
memory/1612-64-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize: 5.7MB)
memory/1612-61-0x0000000000000000-mapping.dmp
memory/1612-65-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize: 5.7MB)
memory/1612-66-0x000000006F500000-0x000000006FAAB000-memory.dmp (Filesize: 5.7MB)
memory/1788-60-0x0000000005920000-0x0000000005B44000-memory.dmp (Filesize: 2.1MB)
memory/1788-55-0x0000000076201000-0x0000000076203000-memory.dmp (Filesize: 8KB)
memory/1788-54-0x0000000001090000-0x00000000012C6000-memory.dmp (Filesize: 2.2MB)
memory/1948-67-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/1948-68-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/1948-70-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/1948-71-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/1948-72-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/1948-73-0x000000000041ADBA-mapping.dmp
memory/1948-75-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/1948-77-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)