Analysis
-
max time kernel
75s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-09-2022 15:31
General
-
Target
tmp.exe
-
Size
3.9MB
-
MD5
d60909eb4d445d948740877e759b7b83
-
SHA1
dc8a672358fa25efbcefb5e4074aab7acdb413a6
-
SHA256
2d241ce3d2981c29545a11c13ec0ecd7e021759d35dea0c762bb0c63bb1b555d
-
SHA512
d10292ff78b4e14569d8b96170d0da905b1beb45a1bd76ff7fe7d43b5b72ef079bae7ce68c01759f46b5fb4fc60d367c1cc78fbc676b3adca947f45f58c18242
-
SSDEEP
98304:FvJ7zh1f+X5wDg+kkq/0j+TdWRRsuwaxhYDU4PQv2Vph2XpR:RPl+XWkkqMaTdWb0aDv2VpC
Malware Config
Extracted
redline
Crypt_Mastif
194.36.177.60:81
-
auth_value
26018289184445b16046125f5e616df6
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
-
YTStealer payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp.exe2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"C:\Users\Admin\AppData\Local\Temp\22windows_64.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57e88081fcf716d85992bb3af3d9b6454
SHA12153780fbc71061b0102a7a7b665349e1013e250
SHA2565ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2
SHA512ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD52fa3c163449dce4a79f324a6c96286fb
SHA1f575ab12432c7bb6afc58a4093f62464244c3cf6
SHA2569aac36402f8d17e64c675c608f79670a013fab2bfc101e21fb668058179ce41f
SHA512f6e2446e3ba463782dca06db2a5294bff5d020f89157999fbbc7c7fee7791b881a1e54efd12aa5222cb81a8f78779c7598499300086764e6e77347a0aa7bac11
-
Filesize
4.0MB
MD5eaaad4f36853f423ee62272e125708ff
SHA171c045b6a66fef5dd1f20faefbce8df88c890788
SHA2561901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
SHA51205292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431
-
Filesize
4.0MB
MD5eaaad4f36853f423ee62272e125708ff
SHA171c045b6a66fef5dd1f20faefbce8df88c890788
SHA2561901ae31080f9b8f7c419290eab011086a00355a0451e9f634f545f771753901
SHA51205292ae056faf45359b62d8feb6926c1144623e997df0893b9a74e423b84761f2ab6e3786c7fc5d7784e3ae9bff7c2e21166cbb7723f6315538357e674587431
-
Filesize
3.9MB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
104KB
-
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
408KB
-
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
5.2MB
-
Filesize
72KB
-
-
Filesize
160KB
-
Filesize
6.1MB
-
Filesize
136KB
-
Filesize
10.8MB
-
-
Filesize
10.8MB