Analysis
- max time kernel: 424s
- max time network: 432s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 10-10-2022 08:25
Static task
- static1
Behavioral tasks
- behavioral1: sample MicrosoftRuntimeComponents.exe, resource win7-20220901-en
- behavioral2: sample MicrosoftRuntimeComponents.exe, resource win10-20220812-en
- behavioral3: sample MicrosoftRuntimeComponents.exe, resource win10v2004-20220812-en
General
- Target: MicrosoftRuntimeComponents.exe
- Size: 833.5MB
- MD5: ad71745bcb2bb1d4a79ec5c75062d09b
- SHA1: 4545aecb1eb4c1a24641512b90b66782fea36fc9
- SHA256: a91873b251e1715b1e8b08e11625ff41299101145532ec7d2dfc2a388e3ba7b0
- SHA512: 47f8bc782f58bcf469dee10ec729e919be561dc21c74231516aca3451b989381ed70b30629575a182a9e4f93f17f085ef468003d2480b003e9ac710af9ec1dfa
- SSDEEP: 12288:GnjoJLD6/JnWZQzjFeM6DJOjB9sTTHymtrGj2PLpKDqXt1M4fN1rslbEpWxUF3HM:CnYQb6VOOiqE+U4fNRzHOS
Malware Config
Extracted
- Family: redline
- 4
- 65.108.208.77:7079
- auth_value: 5960e9132cc19aa61f05cfde86bd2272
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid   process                          target process
  PID 1348 set thread context of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1664  MicrosoftRuntimeComponents.exe
  1664  MicrosoftRuntimeComponents.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1348  MicrosoftRuntimeComponents.exe
  Token: SeDebugPrivilege  1664  MicrosoftRuntimeComponents.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        pid   process                          target process
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
  PID 1348 wrote to memory of 1664   1348  MicrosoftRuntimeComponents.exe   MicrosoftRuntimeComponents.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1348-54-0x0000000000D30000-0x0000000000EB0000-memory.dmp (Filesize 1.5MB)
- memory/1348-55-0x0000000005DE0000-0x0000000005E90000-memory.dmp (Filesize 704KB)
- memory/1348-56-0x0000000005140000-0x00000000051D2000-memory.dmp (Filesize 584KB)
- memory/1664-57-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-58-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-60-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-61-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-62-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-63-0x0000000000417BDE-mapping.dmp
- memory/1664-65-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-67-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
- memory/1664-68-0x0000000075601000-0x0000000075603000-memory.dmp (Filesize 8KB)