Analysis
- max time kernel: 91s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-09-2022 17:47
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
General
- Target: file.exe
- Size: 54KB
- MD5: 1e2f6f150a9ed8419a02748c81220cbd
- SHA1: e9dedbb568fe50dacfd909d560ca5c61ef60e93b
- SHA256: cdb773860277224fd715015f6a4a1282b8202de3b654cdbc89f3aa5d8d7fe245
- SHA512: b3d946f7845c4d29edc074cdf66774ff36fe0008661c2dc50c4e61eac7d295ae42884e693dc33fb40e3723ccb487e26ffc278c6085adeb23a59d4b505f4522cc
- SSDEEP: 1536:uZmQZtL4cCWP4AjMKHKvV34nw9YkpzySJ3gOTMnJvajD5:SZpjMKqvVInw9YkpzySJFZ
Malware Config
Extracted
- Family: redline
- Botnet: 20.09
- C2: 176.124.201.205:8800
- auth_value: edabd6419a068519adaa84bf7ad79d04
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4704-144-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: file.exe
  description        ioc                                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  file.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4324-132-0x00000000000E0000-0x00000000000F4000-memory.dmp  agile_net

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes: file.exe
  description                          pid   process   target process
  PID 4324 set thread context of 4704  4324  file.exe  file.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, file.exe, file.exe
  pid   process
  3976  powershell.exe
  3976  powershell.exe
  4324  file.exe
  4324  file.exe
  4324  file.exe
  4324  file.exe
  4704  file.exe
  4704  file.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: file.exe, powershell.exe, file.exe
  description              pid   process
  Token: SeDebugPrivilege  4324  file.exe
  Token: SeDebugPrivilege  3976  powershell.exe
  Token: SeDebugPrivilege  4704  file.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: file.exe
  description                          pid   process   target process
  PID 4324 wrote to memory of 3976     4324  file.exe  powershell.exe
  PID 4324 wrote to memory of 3976     4324  file.exe  powershell.exe
  PID 4324 wrote to memory of 3976     4324  file.exe  powershell.exe
  PID 4324 wrote to memory of 4836     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4836     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4836     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
  PID 4324 wrote to memory of 4704     4324  file.exe  file.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\file.exe (depth 2, child of file.exe)
    Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
  - C:\Users\Admin\AppData\Local\Temp\file.exe (depth 2, child of file.exe)
    Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
  Filesize: 1KB
  MD5: e87e48b105757e1c7563d1c719059733
  SHA1: 28a3f2b2e0672da2b531f4757d2b20b53032dafc
  SHA256: 0aaf22dc84cc3fcfe53de7ccfed8e662247dfb7f1a9967032c88790d0c663461
  SHA512: bf19c5743143aee914a453c41189c722c9b90a5b8bf299cecf3e1f97656d32cd209ecb74da8aebc89bb41c27d189f73aaaabbc64fe383410c95dc76ad4218968