Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2022 16:30

Static task: static1
Behavioral task: behavioral1
Sample: BOT_SETUP2022/SETUP.exe
Resource: win7-20220812-en
General
- Target: BOT_SETUP2022/SETUP.exe
- Size: 5.5MB
- MD5: ed40898f7e28068cf4b1ced8b502395c
- SHA1: b148b0033ee8a6d0158ebec162a263b668fa9510
- SHA256: 5d8f2f6b4203e5785450eb6968570e5fd07de1f4627f75416e175ac53b0b9bd7
- SHA512: 566379fab2bb6f71b264ff5381375313b9eb0d0b3a46e89001648c3d38a867124ec970feb3bc4f9963253b885e47021291e1d64457fb89de0d176c2a61c261e2
- SSDEEP: 98304:ESAjmq5KGe4EaQmMKYBoyXdjOHn/R0lrUg1Cd1PYQIRGrPqVg3bEGM07rAWmI+T:ESumoKGNLoKYqyXVOfarUgTQ4GrPUibE
Malware Config
Extracted (redline)
- 185.200.191.18:80
- auth_value: f902a77d89afd7a0dcc0127007a4bb3c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/163308-147-0x0000000000600000-0x0000000000620000-memory.dmp: family_redline
  - behavioral2/memory/4800-154-0x0000000000400000-0x00000000009E6000-memory.dmp: family_redline
- YTStealer payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/5024-148-0x00000000004A0000-0x00000000012B2000-memory.dmp: family_ytstealer
  - behavioral2/memory/5024-162-0x00000000004A0000-0x00000000012B2000-memory.dmp: family_ytstealer
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 4800 @heis999_crypted.exe
  - 5024 1467997772.exe
- Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Roaming\1467997772.exe: upx
  - C:\Users\Admin\AppData\Roaming\1467997772.exe: upx
  - behavioral2/memory/5024-140-0x00000000004A0000-0x00000000012B2000-memory.dmp: upx
  - behavioral2/memory/5024-148-0x00000000004A0000-0x00000000012B2000-memory.dmp: upx
  - behavioral2/memory/5024-162-0x00000000004A0000-0x00000000012B2000-memory.dmp: upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 4800 set thread context of 163308: 4800 @heis999_crypted.exe, target AppLaunch.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 163388 powershell.exe
  - 163388 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: 33, 4800 @heis999_crypted.exe
  - Token: SeIncBasePriorityPrivilege, 4800 @heis999_crypted.exe
  - Token: SeDebugPrivilege, 163388 powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 2372 wrote to memory of 4800: 2372 SETUP.exe, target @heis999_crypted.exe (3 entries)
  - PID 2372 wrote to memory of 5024: 2372 SETUP.exe, target 1467997772.exe (2 entries)
  - PID 4800 wrote to memory of 163308: 4800 @heis999_crypted.exe, target AppLaunch.exe (5 entries)
  - PID 5024 wrote to memory of 163388: 5024 1467997772.exe, target powershell.exe (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\BOT_SETUP2022\SETUP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BOT_SETUP2022\SETUP.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\@heis999_crypted.exe
    Command line: C:\Users\Admin\AppData\Roaming\@heis999_crypted.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Users\Admin\AppData\Roaming\1467997772.exe
    Command line: C:\Users\Admin\AppData\Roaming\1467997772.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell "" "Get-WmiObject Win32_PortConnector"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\1467997772.exe
  Filesize: 4.0MB
  MD5: 3c1a35fa54ee724987c28716eb1f5631
  SHA1: 1dcee84fc37306c656b72d2143a59d8e64281819
  SHA256: 93ad379a0fb0e682e9afa1f2e728f8fb5a39c15a7d13cd8b6c432d24d6064e57
  SHA512: e4c516d10dc3e05d334d38988724a2c5dafb73ecfcd1b4ee7351eccab889d2ac0f9a3799da2f4af626bb15e3a32aaf284c6b4d966a11539083916e7677fd29f2
- C:\Users\Admin\AppData\Roaming\@heis999_crypted.exe
  Filesize: 4.5MB
  MD5: 37200dd4e6070cfbd52962142a37042c
  SHA1: db222cda218b9e4be1a7e9abd9c8dedb85740366
  SHA256: c6fe992dbabdd7e073740ba21ab8f96a1c34832d467c1312217a8e1b56d3818c
  SHA512: b63841cb308caffa82aa26506dc730e263874c5c0518b13f14658ff9a7e9116af2c40c0f5daf564916e78d3809268a0bb9c1334c4850d2e05623025c958726ee
- memory/4800-144-0x0000000000D20000-0x0000000000D23000-memory.dmp (Filesize: 12KB)
- memory/4800-132-0x0000000000000000-mapping.dmp
- memory/4800-138-0x0000000000400000-0x00000000009E6000-memory.dmp (Filesize: 5.9MB)
- memory/4800-139-0x0000000000400000-0x00000000009E6000-memory.dmp (Filesize: 5.9MB)
- memory/4800-153-0x0000000001050000-0x00000000014B2000-memory.dmp (Filesize: 4.4MB)
- memory/4800-141-0x0000000000400000-0x00000000009E6000-memory.dmp (Filesize: 5.9MB)
- memory/4800-142-0x00000000001F0000-0x00000000001F4000-memory.dmp (Filesize: 16KB)
- memory/4800-143-0x0000000001050000-0x00000000014B2000-memory.dmp (Filesize: 4.4MB)
- memory/4800-154-0x0000000000400000-0x00000000009E6000-memory.dmp (Filesize: 5.9MB)
- memory/4800-145-0x0000000000400000-0x00000000009E6000-memory.dmp (Filesize: 5.9MB)
- memory/5024-134-0x0000000000000000-mapping.dmp
- memory/5024-162-0x00000000004A0000-0x00000000012B2000-memory.dmp (Filesize: 14.1MB)
- memory/5024-148-0x00000000004A0000-0x00000000012B2000-memory.dmp (Filesize: 14.1MB)
- memory/5024-140-0x00000000004A0000-0x00000000012B2000-memory.dmp (Filesize: 14.1MB)
- memory/163308-146-0x0000000000000000-mapping.dmp
- memory/163308-155-0x0000000005160000-0x0000000005778000-memory.dmp (Filesize: 6.1MB)
- memory/163308-156-0x0000000004BB0000-0x0000000004BC2000-memory.dmp (Filesize: 72KB)
- memory/163308-157-0x0000000004CE0000-0x0000000004DEA000-memory.dmp (Filesize: 1.0MB)
- memory/163308-158-0x0000000004C10000-0x0000000004C4C000-memory.dmp (Filesize: 240KB)
- memory/163308-147-0x0000000000600000-0x0000000000620000-memory.dmp (Filesize: 128KB)
- memory/163388-159-0x0000000000000000-mapping.dmp
- memory/163388-160-0x0000029F2B4D0000-0x0000029F2B4F2000-memory.dmp (Filesize: 136KB)
- memory/163388-161-0x00007FF82D370000-0x00007FF82DE31000-memory.dmp (Filesize: 10.8MB)
- memory/163388-163-0x00007FF82D370000-0x00007FF82DE31000-memory.dmp (Filesize: 10.8MB)