Analysis
-
max time kernel
63s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2022 20:44
Static task
static1
Behavioral task
behavioral1
Sample
5DDFCF4815E94C48F1031CED6E010868.exe
Resource
win7-20220901-en
General
-
Target
5DDFCF4815E94C48F1031CED6E010868.exe
-
Size
4.6MB
-
MD5
5ddfcf4815e94c48f1031ced6e010868
-
SHA1
a4e2383b7ef2b19279dab80c1393fa0bf49bd160
-
SHA256
8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d
-
SHA512
828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888
-
SSDEEP
98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI
Malware Config
Extracted
redline
45.138.74.121:80
-
auth_value
b9baf351bc89181c836a21fda4084a03
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/100148-140-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
YTStealer payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp family_ytstealer behavioral2/memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp family_ytstealer -
Executes dropped EXE 2 IoCs
Processes:
@colored_tea_breakfast_crypted.exe5075132399.exepid process 4928 @colored_tea_breakfast_crypted.exe 388 5075132399.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\5075132399.exe upx C:\Users\Admin\AppData\Roaming\5075132399.exe upx behavioral2/memory/388-138-0x0000000000980000-0x000000000179B000-memory.dmp upx behavioral2/memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp upx behavioral2/memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
@colored_tea_breakfast_crypted.exedescription pid process target process PID 4928 set thread context of 100148 4928 @colored_tea_breakfast_crypted.exe AppLaunch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeAppLaunch.exepid process 3504 powershell.exe 3504 powershell.exe 100148 AppLaunch.exe 100148 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
AppLaunch.exepowershell.exedescription pid process Token: SeDebugPrivilege 100148 AppLaunch.exe Token: SeDebugPrivilege 3504 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
5DDFCF4815E94C48F1031CED6E010868.exe@colored_tea_breakfast_crypted.exe5075132399.exedescription pid process target process PID 2364 wrote to memory of 4928 2364 5DDFCF4815E94C48F1031CED6E010868.exe @colored_tea_breakfast_crypted.exe PID 2364 wrote to memory of 4928 2364 5DDFCF4815E94C48F1031CED6E010868.exe @colored_tea_breakfast_crypted.exe PID 2364 wrote to memory of 4928 2364 5DDFCF4815E94C48F1031CED6E010868.exe @colored_tea_breakfast_crypted.exe PID 2364 wrote to memory of 388 2364 5DDFCF4815E94C48F1031CED6E010868.exe 5075132399.exe PID 2364 wrote to memory of 388 2364 5DDFCF4815E94C48F1031CED6E010868.exe 5075132399.exe PID 4928 wrote to memory of 100148 4928 @colored_tea_breakfast_crypted.exe AppLaunch.exe PID 4928 wrote to memory of 100148 4928 @colored_tea_breakfast_crypted.exe AppLaunch.exe PID 4928 wrote to memory of 100148 4928 @colored_tea_breakfast_crypted.exe AppLaunch.exe PID 4928 wrote to memory of 100148 4928 @colored_tea_breakfast_crypted.exe AppLaunch.exe PID 4928 wrote to memory of 100148 4928 @colored_tea_breakfast_crypted.exe AppLaunch.exe PID 388 wrote to memory of 3504 388 5075132399.exe powershell.exe PID 388 wrote to memory of 3504 388 5075132399.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeC:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5075132399.exeC:\Users\Admin\AppData\Roaming\5075132399.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\5075132399.exeFilesize
4.1MB
MD539c82e2f3a3c5d438aeafae69664b525
SHA10f000990a2f611801248fe953a665bf28775698d
SHA256c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59
SHA51230f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d
-
C:\Users\Admin\AppData\Roaming\5075132399.exeFilesize
4.1MB
MD539c82e2f3a3c5d438aeafae69664b525
SHA10f000990a2f611801248fe953a665bf28775698d
SHA256c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59
SHA51230f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d
-
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeFilesize
1.2MB
MD54b7a101c5d6583f67fa574f7d9eab212
SHA188f34c4b0491dc3490fdce653d43a2f1b45943a5
SHA2566adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5
SHA512449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb
-
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exeFilesize
1.2MB
MD54b7a101c5d6583f67fa574f7d9eab212
SHA188f34c4b0491dc3490fdce653d43a2f1b45943a5
SHA2566adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5
SHA512449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb
-
memory/388-138-0x0000000000980000-0x000000000179B000-memory.dmpFilesize
14.1MB
-
memory/388-135-0x0000000000000000-mapping.dmp
-
memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmpFilesize
14.1MB
-
memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmpFilesize
14.1MB
-
memory/3504-161-0x00007FFA67200000-0x00007FFA67CC1000-memory.dmpFilesize
10.8MB
-
memory/3504-154-0x00007FFA67200000-0x00007FFA67CC1000-memory.dmpFilesize
10.8MB
-
memory/3504-151-0x00000236F4B20000-0x00000236F4B42000-memory.dmpFilesize
136KB
-
memory/3504-150-0x0000000000000000-mapping.dmp
-
memory/4928-132-0x0000000000000000-mapping.dmp
-
memory/100148-148-0x0000000005010000-0x000000000504C000-memory.dmpFilesize
240KB
-
memory/100148-147-0x0000000004FB0000-0x0000000004FC2000-memory.dmpFilesize
72KB
-
memory/100148-146-0x0000000005070000-0x000000000517A000-memory.dmpFilesize
1.0MB
-
memory/100148-152-0x00000000061A0000-0x0000000006206000-memory.dmpFilesize
408KB
-
memory/100148-153-0x00000000068D0000-0x0000000006E74000-memory.dmpFilesize
5.6MB
-
memory/100148-155-0x0000000006430000-0x00000000064C2000-memory.dmpFilesize
584KB
-
memory/100148-145-0x00000000054F0000-0x0000000005B08000-memory.dmpFilesize
6.1MB
-
memory/100148-140-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/100148-157-0x00000000066A0000-0x0000000006862000-memory.dmpFilesize
1.8MB
-
memory/100148-158-0x00000000073B0000-0x00000000078DC000-memory.dmpFilesize
5.2MB
-
memory/100148-159-0x0000000006E80000-0x0000000006EF6000-memory.dmpFilesize
472KB
-
memory/100148-160-0x0000000006620000-0x0000000006670000-memory.dmpFilesize
320KB
-
memory/100148-139-0x0000000000000000-mapping.dmp