Analysis
max time kernel: 70s
max time network: 75s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 18-09-2022 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
  Resource: win10-20220812-en
General
Target: 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
Size: 4.5MB
MD5: 116ad7e88ec60629de63ceeed72ca6f0
SHA1: 9cf771b5ad3a5c18679827337261b9a7b0a586cd
SHA256: 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856
SHA512: ecb5baf8a69125a27c0b381904d69f4046ee9e5a29557cb70614a32c95ea3c254b1e71f6ffcd2fba5ccc5df7c6740a2ac29b232b2c6f89ad037466c5cf7ec1cd
SSDEEP: 98304:4+jjU7ShrX3uJXPhcHWSbjZxTap3mnR9zjMn:XfzhrX8c2WVxTamn7z
Malware Config
Extracted
Family: redline
Botnet: IMHOTEP
C2: 185.215.113.217:19618
auth_value: 6ab091fd3a77232d89f167fd3318223a
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
YARA rule family_redline matched the following memory regions of PID 1504 (behavioral1):
- behavioral1/memory/1504-66-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/1504-67-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/1504-68-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/1504-69-0x000000000042212E-mapping.dmp
- behavioral1/memory/1504-71-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/1504-73-0x0000000000400000-0x0000000000428000-memory.dmp

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
- PID 1228 (8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe) set thread context of PID 1504 (AppLaunch.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1880 powershell.exe
- PID 1228 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
- PID 1228 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
- PID 1504 AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 1228 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
- Token: SeDebugPrivilege, PID 1880 powershell.exe
- Token: SeDebugPrivilege, PID 1504 AppLaunch.exe

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 1228 (8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe) wrote to memory of PID 1880 (powershell.exe): 4 events
- PID 1228 (8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe) wrote to memory of PID 1504 (AppLaunch.exe): 12 events
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of the sample process): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
    (the -enc argument is base64-encoded UTF-16LE; it decodes to: Start-Sleep -Seconds 12)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Depth 2 (child of the sample process): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file name, size where reported):
- memory/1228-54-0x0000000000220000-0x000000000069E000-memory.dmp (4.5MB)
- memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp (8KB)
- memory/1228-56-0x0000000005B50000-0x0000000005C0A000-memory.dmp (744KB)
- memory/1228-57-0x00000000006E0000-0x000000000072C000-memory.dmp (304KB)
- memory/1228-58-0x0000000002620000-0x00000000026B2000-memory.dmp (584KB)
- memory/1504-63-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1504-64-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1504-66-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1504-67-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1504-68-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1504-69-0x000000000042212E-mapping.dmp
- memory/1504-71-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1504-73-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1880-61-0x000000006EDB0000-0x000000006F35B000-memory.dmp (5.7MB)
- memory/1880-62-0x000000006EDB0000-0x000000006F35B000-memory.dmp (5.7MB)
- memory/1880-59-0x0000000000000000-mapping.dmp