Overview

overview

10

Static

static

installer.exe

windows7-x64

10

installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    10-09-2022 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    installer.exe

  • Size

    7.5MB

  • MD5

    c1b44db2990ba08e43d65fa81e154449

  • SHA1

    9216a86f23f7cf335e2e98c147aa5f312717eecd

  • SHA256

    6cca9fef66cc8fdb27871f8fb01e870734343c5c3fa480f5518d5d02e90afd42

  • SHA512

    c5f68344ee1c973270305215704aba551acf9efad0a7b19980068c3c1444e2ad5b244015894dffcee9278e094f2a66f538d7b3e0e19b7ec921058748752f1d4a

  • SSDEEP

    196608:+F+hlISnMzMMbIVE58i1J3/vjN6FS1xv5Rq9ZuzPt:c+l/wkVESi1xv/5Y9Z+

Score
10/10
redline3108_ruzkidiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

3108_RUZKI

C2

213.219.247.199:9452

Attributes
  • auth_value

    f71fed1cd094e4e1eb7ad1c53e542bca

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\installer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:2028
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /release
      2⤵
      • Gathers network information
      PID:2156
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /renew
      2⤵
      • Gathers network information
      PID:2256
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb6f4f50,0x7fefb6f4f60,0x7fefb6f4f70
      2⤵
        PID:1700
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1284 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1472
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1140 /prefetch:2
        2⤵
          PID:516
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1748 /prefetch:8
          2⤵
            PID:1788
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
            2⤵
              PID:1528
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
              2⤵
                PID:1388
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
                2⤵
                  PID:1212
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3340 /prefetch:2
                  2⤵
                    PID:1932
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
                    2⤵
                      PID:1940
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3556 /prefetch:8
                      2⤵
                        PID:2072
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3668 /prefetch:8
                        2⤵
                          PID:2080
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1012 /prefetch:8
                          2⤵
                            PID:2496
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:8
                            2⤵
                              PID:2540
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1
                              2⤵
                                PID:2580
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,221456879150697785,13352914304664906130,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
                                2⤵
                                  PID:2704

                              Network

                              MITRE ATT&CK Matrix ATT&CK v6

                              Initial Access

                              Execution

                              Command-Line Interface

                              1
                              T1059

                              Persistence

                              Privilege Escalation

                              Defense Evasion

                              Credential Access

                              Credentials in Files

                              2
                              T1081

                              Discovery

                              Query Registry

                              2
                              T1012

                              System Information Discovery

                              3
                              T1082

                              Lateral Movement

                              Collection

                              Data from Local System

                              2
                              T1005

                              Exfiltration

                              Command and Control

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                180KB

                                MD5

                                f7d9ad7a38d1d2bd634e98cca13b92f4

                                SHA1

                                8042160a17fb77c7569fdcd48b1ec70831021b4e

                                SHA256

                                7adbbde4d56c428a3d466b090a7f437e40024eaa8255ac40bf99e78daa6fecac

                                SHA512

                                17607da9843966354359613a9432abbd187da1b849110e17572d2583971461df3882d73994aa50b5f5cdbbbb10f309a9c599591372a765c5e9de3e7926c75980

                                Download Submit
                              • \??\pipe\crashpad_368_VESLUYNFFQIHVHFR
                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                Download Submit
                              • memory/2028-54-0x0000000000CF0000-0x0000000001478000-memory.dmp
                                Filesize

                                7.5MB

                                Download
                              • memory/2028-55-0x0000000075A71000-0x0000000075A73000-memory.dmp
                                Filesize

                                8KB

                                Download
                              • memory/2028-56-0x00000000055F0000-0x000000000565A000-memory.dmp
                                Filesize

                                424KB

                                Download
                              • memory/2156-58-0x0000000000000000-mapping.dmp
                                Download
                              • memory/2204-61-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2204-63-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2204-64-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2204-66-0x000000000041ADD2-mapping.dmp
                                Download
                              • memory/2204-65-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2204-68-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2204-70-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2204-60-0x0000000000400000-0x0000000000420000-memory.dmp
                                Filesize

                                128KB

                                Download
                              • memory/2256-71-0x0000000000000000-mapping.dmp
                                Download