Behavioral Report

General

Target

edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
Size

12KB
MD5

665a89d53afdaca17a8a3255a2c37b4e
SHA1

f988d7aa9c15fd002b1f7ab2a0a5fd273e592bbd
SHA256

edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69
SHA512

7c57ea122646b4f44967c99e5cf52c8d62afa6d846bf65bcbbd8935e512136552e2d2af4cfdcb2b504c6ccd9a5c2d2a81de9992933a7c3d56f0407e18c0535eb
SSDEEP

192:bMXUSWUFL+SV/sDRI/yih5g9WuiEguKkyosMpp:UdL+SV/o6KOdhlosa

Score

10^/10

nanocore redline cheat evasion infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

95.70.139.81:54984

Attributes

activate_away_mode
false
backup_connection_host
95.70.139.81
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-30T10:14:00.566684636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e4d3027f-8fb7-4ea0-9c1d-c3d2f2a203b5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
95.70.139.81
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

redline

Botnet

cheat

C2

51.103.25.183:12220

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload ⋅ 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4500-330-0x000000000041932E-mapping.dmp	family_redline
behavioral1/memory/4500-370-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE ⋅ 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1572 RuntimeBroker.exe

Adds Run key to start application ⋅ 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Service = "C:\\Program Files (x86)\\UPNP Service\\upnpsv.exe"	RuntimeBroker.exe

Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
evasion trojan

TTPs:

System Information Discovery

Processes:

RuntimeBroker.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Suspicious use of SetThreadContext ⋅ 2 IoCs

Processes:

edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exeedcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

description	pid	process	target process
PID 3504 set thread context of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 set thread context of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

Drops file in Program Files directory ⋅ 2 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
File created	C:\Program Files (x86)\UPNP Service\upnpsv.exe	RuntimeBroker.exe
File opened for modification	C:\Program Files (x86)\UPNP Service\upnpsv.exe	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses ⋅ 9 IoCs

Processes:

RuntimeBroker.exe

pid	process
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe
1572	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1572 RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken ⋅ 5 IoCs

Processes:

edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exeedcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exeRuntimeBroker.exeedcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

description	pid	process
Token: SeDebugPrivilege	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
Token: SeDebugPrivilege	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
Token: SeDebugPrivilege	1572	RuntimeBroker.exe
Token: SeDebugPrivilege	1572	RuntimeBroker.exe
Token: SeDebugPrivilege	4500	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

Suspicious use of WriteProcessMemory ⋅ 19 IoCs

Processes:

edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exeedcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

C:\Users\Admin\AppData\Local\Temp\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

"C:\Users\Admin\AppData\Local\Temp\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe"

Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3504

C:\Users\Admin\AppData\Local\Temp\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

"C:\Users\Admin\AppData\Local\Temp\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe"

Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3564

C:\Users\Admin\AppData\Local\Temp\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

"C:\Users\Admin\AppData\Local\Temp\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe"

Suspicious use of AdjustPrivilegeToken

PID:4500

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken

PID:1572

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe.log
MD5
08c8e9f31c97d670b3b55d9708f00f99

SHA1
3d260c74e6511af2c088b334aa3c4ac78d50266e

SHA256
bc6a45daa91bb3a1b671ff5a5103d6f376a0867fc6b4db942ccc32739907cfec

SHA512
f3df85cdb8c088d5fecb1e5c925ab519e8a66914b908de6df7d481ca0ca0498a67076e27e528c271400237c778eb448c01d07c43a700cb1a98e90d33c98fa170

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5
b8acd01e82aa51978bd727ea2d0c1e8f

SHA1
85cadde22b54b6aebc7c111076662afc4928c0f9

SHA256
c160a9b16e380bc7229c13ab12c02167fa7a33e64ae32f7d687e11902a523c4f

SHA512
9e8f641a5110bbc3a4343a449a4fa5e1d5ea50d07224844e869d1905755a2b5cc0dfa20612c34b9668ad7c3408276ff98ddca5e682c4ad8658e97f466518ebe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5
b8acd01e82aa51978bd727ea2d0c1e8f

SHA1
85cadde22b54b6aebc7c111076662afc4928c0f9

SHA256
c160a9b16e380bc7229c13ab12c02167fa7a33e64ae32f7d687e11902a523c4f

SHA512
9e8f641a5110bbc3a4343a449a4fa5e1d5ea50d07224844e869d1905755a2b5cc0dfa20612c34b9668ad7c3408276ff98ddca5e682c4ad8658e97f466518ebe6

Download Submit
memory/1572-191-0x0000000000000000-mapping.dmp

Download
memory/1572-267-0x000000006FB60000-0x0000000070110000-memory.dmp

Download
memory/1572-417-0x000000006FB60000-0x0000000070110000-memory.dmp

Download
memory/3504-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-124-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-150-0x0000000000540000-0x000000000054A000-memory.dmp

Download
memory/3504-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-118-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-154-0x0000000004D50000-0x0000000004DEC000-memory.dmp

Download
memory/3504-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-117-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-186-0x00000000028E0000-0x00000000028EC000-memory.dmp

Download
memory/3504-119-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3504-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Download
memory/3564-253-0x0000000000400000-0x0000000000456000-memory.dmp

Download
memory/3564-324-0x0000000002830000-0x0000000002854000-memory.dmp

Download
memory/3564-188-0x0000000000451392-mapping.dmp

Download
memory/4500-330-0x000000000041932E-mapping.dmp

Download
memory/4500-370-0x0000000000400000-0x000000000041E000-memory.dmp

Download
memory/4500-373-0x00000000054B0000-0x0000000005AB6000-memory.dmp

Download
memory/4500-375-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Download
memory/4500-390-0x0000000004EA0000-0x0000000004EEB000-memory.dmp

Download
memory/4500-397-0x00000000050B0000-0x00000000051BA000-memory.dmp

Download
memory/4500-380-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Download

description	pid	process	target process
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 3564	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3504 wrote to memory of 1572	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	RuntimeBroker.exe
PID 3504 wrote to memory of 1572	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	RuntimeBroker.exe
PID 3504 wrote to memory of 1572	3504	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	RuntimeBroker.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe
PID 3564 wrote to memory of 4500	3564	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe	edcb1e5d5fc952793cd6ed30262a5787d92655e7b6e09d6b186057e6b8e92d69.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads