Analysis

  • max time kernel
    63s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2022 20:44

General

  • Target

    5DDFCF4815E94C48F1031CED6E010868.exe

  • Size

    4.6MB

  • MD5

    5ddfcf4815e94c48f1031ced6e010868

  • SHA1

    a4e2383b7ef2b19279dab80c1393fa0bf49bd160

  • SHA256

    8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d

  • SHA512

    828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888

  • SSDEEP

    98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI

Malware Config

Extracted

Family

redline

C2

45.138.74.121:80

Attributes
  • auth_value

    b9baf351bc89181c836a21fda4084a03

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • YTStealer

    YTStealer is a malware designed to steal YouTube authentication cookies.

  • YTStealer payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe
    "C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
      C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:100148
    • C:\Users\Admin\AppData\Roaming\5075132399.exe
      C:\Users\Admin\AppData\Roaming\5075132399.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "" "Get-WmiObject Win32_PortConnector"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\5075132399.exe
    Filesize

    4.1MB

    MD5

    39c82e2f3a3c5d438aeafae69664b525

    SHA1

    0f000990a2f611801248fe953a665bf28775698d

    SHA256

    c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

    SHA512

    30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

  • C:\Users\Admin\AppData\Roaming\5075132399.exe
    Filesize

    4.1MB

    MD5

    39c82e2f3a3c5d438aeafae69664b525

    SHA1

    0f000990a2f611801248fe953a665bf28775698d

    SHA256

    c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

    SHA512

    30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

  • C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
    Filesize

    1.2MB

    MD5

    4b7a101c5d6583f67fa574f7d9eab212

    SHA1

    88f34c4b0491dc3490fdce653d43a2f1b45943a5

    SHA256

    6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

    SHA512

    449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

  • C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
    Filesize

    1.2MB

    MD5

    4b7a101c5d6583f67fa574f7d9eab212

    SHA1

    88f34c4b0491dc3490fdce653d43a2f1b45943a5

    SHA256

    6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

    SHA512

    449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

  • memory/388-138-0x0000000000980000-0x000000000179B000-memory.dmp
    Filesize

    14.1MB

  • memory/388-135-0x0000000000000000-mapping.dmp
  • memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp
    Filesize

    14.1MB

  • memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp
    Filesize

    14.1MB

  • memory/3504-161-0x00007FFA67200000-0x00007FFA67CC1000-memory.dmp
    Filesize

    10.8MB

  • memory/3504-154-0x00007FFA67200000-0x00007FFA67CC1000-memory.dmp
    Filesize

    10.8MB

  • memory/3504-151-0x00000236F4B20000-0x00000236F4B42000-memory.dmp
    Filesize

    136KB

  • memory/3504-150-0x0000000000000000-mapping.dmp
  • memory/4928-132-0x0000000000000000-mapping.dmp
  • memory/100148-148-0x0000000005010000-0x000000000504C000-memory.dmp
    Filesize

    240KB

  • memory/100148-147-0x0000000004FB0000-0x0000000004FC2000-memory.dmp
    Filesize

    72KB

  • memory/100148-146-0x0000000005070000-0x000000000517A000-memory.dmp
    Filesize

    1.0MB

  • memory/100148-152-0x00000000061A0000-0x0000000006206000-memory.dmp
    Filesize

    408KB

  • memory/100148-153-0x00000000068D0000-0x0000000006E74000-memory.dmp
    Filesize

    5.6MB

  • memory/100148-155-0x0000000006430000-0x00000000064C2000-memory.dmp
    Filesize

    584KB

  • memory/100148-145-0x00000000054F0000-0x0000000005B08000-memory.dmp
    Filesize

    6.1MB

  • memory/100148-140-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/100148-157-0x00000000066A0000-0x0000000006862000-memory.dmp
    Filesize

    1.8MB

  • memory/100148-158-0x00000000073B0000-0x00000000078DC000-memory.dmp
    Filesize

    5.2MB

  • memory/100148-159-0x0000000006E80000-0x0000000006EF6000-memory.dmp
    Filesize

    472KB

  • memory/100148-160-0x0000000006620000-0x0000000006670000-memory.dmp
    Filesize

    320KB

  • memory/100148-139-0x0000000000000000-mapping.dmp