Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2022 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.7MB

  • MD5

    0869629e5fc4b5b7088fee6b06038d17

  • SHA1

    ddfc132d410fc3c38e3fda093ca3cf76fe1a843f

  • SHA256

    5ec3a8d538cf38f9be9ba8419dee05bf711b70baf155ae6d6728ab15444fd24c

  • SHA512

    20733334a1ecd38c23d21360035b88e4ec4aa84b498ebf159afb321dd2426c24afe2a7085f6b5e95ac8aa8030d7f92dabf6219288c2eac23048f97e59be57138

  • SSDEEP

    24576:LnAUWkcdUd7MyD0LeFwIXyua+cBLYkxChx4Q:UUWkcdUd7fD0iFx3pc3xChxd

Score
10/10
redlinelogsdiller cloud (sup: @mr_golds)discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

51.89.201.21:7161

Attributes
  • auth_value

    56c6f7b9024c076f0a96931453da7e56

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      C:\Users\Admin\AppData\Local\Temp\file.exe
      2⤵
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1816
      • C:\Users\Admin\AppData\Local\Temp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          4⤵
            PID:1584

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      d15aaa7c9be910a9898260767e2490e1

      SHA1

      2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

      SHA256

      f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

      SHA512

      7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f4bf53053d293f9031c93d0abdd14689

      SHA1

      79402166e98b8dd67c8bd4ef4d784766a25c7fdb

      SHA256

      fd92f766c3d5837c1847787732c04445bd992a22ae08b6575fe44406b5b073bf

      SHA512

      2716bfb02296e24e31af043cd998e1844e75055f097379f16606d2d13ec9081f9c127ad1246b54c01768cf0676c87205d0c066195420b843e8af2ed6a9e14a01

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      Filesize

      345KB

      MD5

      074f4690e37f519e136a17d673fb023c

      SHA1

      6ae97f82fafb429df5c4af4e1f708fa72570cedb

      SHA256

      b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8

      SHA512

      b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DVQXPJVE.txt
      Filesize

      608B

      MD5

      8568cd8544dd1058e7269cdaa1e9e085

      SHA1

      47a56cbc9f4779caba6249145bfdef6f81445e38

      SHA256

      d1e44ed879612787483382a8d677a1f3b8d189866b6aba9a92199d93a8e89a2a

      SHA512

      3516f70c28e25d7295e30b9748c91dc9803e0d938f80e74367f5b3c5c8d87febca14dbf0f011a4cff04b68599dc4413196ac2f64b3aa0c4ea9652a91d49a6fc8

      Download Submit
    • \Users\Admin\AppData\Local\Temp\setup.exe
      Filesize

      345KB

      MD5

      074f4690e37f519e136a17d673fb023c

      SHA1

      6ae97f82fafb429df5c4af4e1f708fa72570cedb

      SHA256

      b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8

      SHA512

      b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7

      Download Submit
    • \Users\Admin\AppData\Local\Temp\setup.exe
      Filesize

      345KB

      MD5

      074f4690e37f519e136a17d673fb023c

      SHA1

      6ae97f82fafb429df5c4af4e1f708fa72570cedb

      SHA256

      b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8

      SHA512

      b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7

      Download Submit
    • memory/1372-62-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1372-59-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1372-63-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1372-64-0x0000000000422176-mapping.dmp
      Download
    • memory/1372-66-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1372-68-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1372-61-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1372-58-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1584-74-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-77-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-85-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-86-0x0000000140003FEC-mapping.dmp
      Download
    • memory/1584-84-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-83-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-82-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-80-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-79-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-89-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-75-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1584-88-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1836-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1912-54-0x0000000000CE0000-0x0000000000EA2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1912-57-0x0000000004D90000-0x0000000004E22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1912-56-0x00000000763F1000-0x00000000763F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1912-55-0x00000000009A0000-0x0000000000A4E000-memory.dmp
      Filesize

      696KB

      Download