Analysis

  • max time kernel
    48s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2022 20:44

General

  • Target

    5DDFCF4815E94C48F1031CED6E010868.exe

  • Size

    4.6MB

  • MD5

    5ddfcf4815e94c48f1031ced6e010868

  • SHA1

    a4e2383b7ef2b19279dab80c1393fa0bf49bd160

  • SHA256

    8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d

  • SHA512

    828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888

  • SSDEEP

    98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI

Malware Config

Extracted

Family

redline

C2

45.138.74.121:80

Attributes
  • auth_value

    b9baf351bc89181c836a21fda4084a03

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

  • YTStealer payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe
    "C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
      C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:92208
        • C:\Users\Admin\AppData\Local\Temp\Starter.exe
          "C:\Users\Admin\AppData\Local\Temp\Starter.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:92504
    • C:\Users\Admin\AppData\Roaming\5075132399.exe
      C:\Users\Admin\AppData\Roaming\5075132399.exe
      2⤵
      • Executes dropped EXE
      PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Starter.exe
    Filesize

    18KB

    MD5

    e9716ff7745b73a8ce8dd146737dd6b1

    SHA1

    7556845b4bb4ffa12bc25d85fabf699881310cf1

    SHA256

    f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05

    SHA512

    c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e

  • C:\Users\Admin\AppData\Local\Temp\Starter.exe
    Filesize

    18KB

    MD5

    e9716ff7745b73a8ce8dd146737dd6b1

    SHA1

    7556845b4bb4ffa12bc25d85fabf699881310cf1

    SHA256

    f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05

    SHA512

    c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e

  • C:\Users\Admin\AppData\Roaming\5075132399.exe
    Filesize

    4.1MB

    MD5

    39c82e2f3a3c5d438aeafae69664b525

    SHA1

    0f000990a2f611801248fe953a665bf28775698d

    SHA256

    c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

    SHA512

    30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

  • C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
    Filesize

    1.2MB

    MD5

    4b7a101c5d6583f67fa574f7d9eab212

    SHA1

    88f34c4b0491dc3490fdce653d43a2f1b45943a5

    SHA256

    6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

    SHA512

    449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

  • \Users\Admin\AppData\Local\Temp\Starter.exe
    Filesize

    18KB

    MD5

    e9716ff7745b73a8ce8dd146737dd6b1

    SHA1

    7556845b4bb4ffa12bc25d85fabf699881310cf1

    SHA256

    f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05

    SHA512

    c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e

  • \Users\Admin\AppData\Roaming\5075132399.exe
    Filesize

    4.1MB

    MD5

    39c82e2f3a3c5d438aeafae69664b525

    SHA1

    0f000990a2f611801248fe953a665bf28775698d

    SHA256

    c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

    SHA512

    30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

  • \Users\Admin\AppData\Roaming\5075132399.exe
    Filesize

    4.1MB

    MD5

    39c82e2f3a3c5d438aeafae69664b525

    SHA1

    0f000990a2f611801248fe953a665bf28775698d

    SHA256

    c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

    SHA512

    30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

  • \Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
    Filesize

    1.2MB

    MD5

    4b7a101c5d6583f67fa574f7d9eab212

    SHA1

    88f34c4b0491dc3490fdce653d43a2f1b45943a5

    SHA256

    6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

    SHA512

    449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

  • \Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
    Filesize

    1.2MB

    MD5

    4b7a101c5d6583f67fa574f7d9eab212

    SHA1

    88f34c4b0491dc3490fdce653d43a2f1b45943a5

    SHA256

    6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

    SHA512

    449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

  • memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp
    Filesize

    8KB

  • memory/1548-57-0x0000000000000000-mapping.dmp
  • memory/4020-75-0x0000000000B10000-0x000000000192B000-memory.dmp
    Filesize

    14.1MB

  • memory/4020-63-0x0000000000B10000-0x000000000192B000-memory.dmp
    Filesize

    14.1MB

  • memory/4020-61-0x0000000000000000-mapping.dmp
  • memory/92208-71-0x00000000000B27CE-mapping.dmp
  • memory/92208-72-0x0000000000090000-0x00000000000B8000-memory.dmp
    Filesize

    160KB

  • memory/92208-73-0x0000000000090000-0x00000000000B8000-memory.dmp
    Filesize

    160KB

  • memory/92208-66-0x0000000000090000-0x00000000000B8000-memory.dmp
    Filesize

    160KB

  • memory/92208-64-0x0000000000090000-0x00000000000B8000-memory.dmp
    Filesize

    160KB

  • memory/92504-77-0x0000000000000000-mapping.dmp
  • memory/92504-81-0x0000000000AD0000-0x0000000000ADA000-memory.dmp
    Filesize

    40KB