Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2022 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.7MB

  • MD5

    0869629e5fc4b5b7088fee6b06038d17

  • SHA1

    ddfc132d410fc3c38e3fda093ca3cf76fe1a843f

  • SHA256

    5ec3a8d538cf38f9be9ba8419dee05bf711b70baf155ae6d6728ab15444fd24c

  • SHA512

    20733334a1ecd38c23d21360035b88e4ec4aa84b498ebf159afb321dd2426c24afe2a7085f6b5e95ac8aa8030d7f92dabf6219288c2eac23048f97e59be57138

  • SSDEEP

    24576:LnAUWkcdUd7MyD0LeFwIXyua+cBLYkxChx4Q:UUWkcdUd7fD0iFx3pc3xChxd

Score
10/10
redlinelogsdiller cloud (sup: @mr_golds)discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

51.89.201.21:7161

Attributes
  • auth_value

    56c6f7b9024c076f0a96931453da7e56

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      C:\Users\Admin\AppData\Local\Temp\file.exe
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1756
      • C:\Users\Admin\AppData\Local\Temp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          4⤵
            PID:1032

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      d15aaa7c9be910a9898260767e2490e1

      SHA1

      2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

      SHA256

      f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

      SHA512

      7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bfba4d93e8c24aa28df36d22846034a9

      SHA1

      1216f20626fa5fce072f71144102fb028fc2ea45

      SHA256

      fd1f44987c98f672870eb8df24e0c29e0bed7c0cff0e24080b3db34a52e45eb4

      SHA512

      19d05f751a7f5dc94d3be79c8948ab55135384d2d98864812b4f165df6c7c29de07209a92e6d7aedc9a5005c2f580b188de5adee2c6f6be1c2105e279d1428f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      Filesize

      345KB

      MD5

      074f4690e37f519e136a17d673fb023c

      SHA1

      6ae97f82fafb429df5c4af4e1f708fa72570cedb

      SHA256

      b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8

      SHA512

      b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PIXBT60Y.txt
      Filesize

      608B

      MD5

      6f8650424a716a29648ed66a0b0529d9

      SHA1

      e1ce6ab0acdd51a2c025bff4a413018d8c4ca1b2

      SHA256

      93636e1a9f6471e353731987e0b4bd992efa310c4d3b47f204b7ae2017599ae5

      SHA512

      5a078db4011db059acc29ba508eb7f70cfaad164d993f8b29c364e6e4ec2089ae48b1a8ddac88fac186846aaeac1149e7245dfeb2d0582151802de34b96bec52

      Download Submit
    • \Users\Admin\AppData\Local\Temp\setup.exe
      Filesize

      345KB

      MD5

      074f4690e37f519e136a17d673fb023c

      SHA1

      6ae97f82fafb429df5c4af4e1f708fa72570cedb

      SHA256

      b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8

      SHA512

      b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7

      Download Submit
    • \Users\Admin\AppData\Local\Temp\setup.exe
      Filesize

      345KB

      MD5

      074f4690e37f519e136a17d673fb023c

      SHA1

      6ae97f82fafb429df5c4af4e1f708fa72570cedb

      SHA256

      b642e29066bc94c378a3de14ba7263ab2190aa4b7c140a667014e388b1fa1da8

      SHA512

      b3f268cc367d21d5454c906c23a6830677631c0dc1deb6b1ee3d39fba9e9fec7f9b557f0714a75a0bfff1e72416db15bca7d6757f2089024d4ad55d47a3bc9b7

      Download Submit
    • memory/572-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1032-77-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-74-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-89-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-88-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-86-0x0000000140003FEC-mapping.dmp
      Download
    • memory/1032-85-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-75-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-79-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-80-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-83-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-84-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1032-82-0x0000000140000000-0x0000000140023000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1044-54-0x00000000010A0000-0x0000000001262000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1044-57-0x0000000000FD0000-0x0000000001062000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1044-56-0x0000000075501000-0x0000000075503000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1044-55-0x0000000000C20000-0x0000000000CCE000-memory.dmp
      Filesize

      696KB

      Download
    • memory/1628-58-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-59-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-61-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-63-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-62-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-68-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-66-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1628-64-0x0000000000422176-mapping.dmp
      Download