Analysis

max time kernel: 300s
max time network: 293s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2022 00:37

Static task: static1
Behavioral task: behavioral1
  Sample: 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
  Resource: win10v2004-20220812-en
General

Target: 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
Size: 345KB
MD5: f1d121ab68b439ac310fb79119ffb044
SHA1: f952140c206d96843baa79f2e0e8454c07fa683a
SHA256: 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
SHA512: ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
SSDEEP: 6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE
Malware Config

Extracted: redline
  875784825
  79.137.192.6:8362
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
  resource                                                                       | yara_rule
  behavioral2/memory/92800-158-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: setup23.exe, MoUSO.exe
  description | ioc                                        | process
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | setup23.exe
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MoUSO.exe
Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes: setup23.exe, MoUSO.exe, watchdog.exe
  pid  | process
  3740 | setup23.exe
  1280 | MoUSO.exe
  3772 | watchdog.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: setup23.exe, MoUSO.exe
  description       | ioc                                                               | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | setup23.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | setup23.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MoUSO.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | MoUSO.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: setup23.exe
  description       | ioc                                                                                                      | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | setup23.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: MoUSO.exe, setup23.exe
  description | ioc                                                                       | process
  Key opened  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine | MoUSO.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine | setup23.exe
Uses the VBS compiler for execution (1 TTP)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: setup23.exe, MoUSO.exe
  pid  | process
  3740 | setup23.exe
  1280 | MoUSO.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe, watchdog.exe
  description                             | pid  | process                                                              | target process
  PID 840 set thread context of 2612      | 840  | 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe | RegSvcs.exe
  PID 3772 set thread context of 92800    | 3772 | watchdog.exe                                                         | vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: setup23.exe, MoUSO.exe
  pid  | process
  3740 | setup23.exe (2 entries)
  1280 | MoUSO.exe (the remaining 62 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: vbc.exe
  description             | pid   | process
  Token: SeDebugPrivilege | 92800 | vbc.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe, RegSvcs.exe, setup23.exe, watchdog.exe
  description                            | pid  | process                                                              | target process | entries
  PID 840 wrote to memory of 2612        | 840  | 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe | RegSvcs.exe    | 11
  PID 2612 wrote to memory of 3740       | 2612 | RegSvcs.exe                                                          | setup23.exe    | 3
  PID 3740 wrote to memory of 2368       | 3740 | setup23.exe                                                          | schtasks.exe   | 3
  PID 2612 wrote to memory of 3772       | 2612 | RegSvcs.exe                                                          | watchdog.exe   | 3
  PID 3772 wrote to memory of 92800      | 3772 | watchdog.exe                                                         | vbc.exe        | 5
Processes

C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\setup23.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup23.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\watchdog.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\cache\MoUSO.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  Filesize: 1KB
  MD5: d6b0775dc8b065f63eb1c316f861073c
  SHA1: 06053ace4e90b7b5e5ffd5ea60c508757332669a
  SHA256: 41417649008fbe3872c14d033ea49da0b91898f24030b98f2d587626c3a95d4f
  SHA512: 1bbf1436625d5a62f58ee44ac7dffa65291c727b6129990e0677edced90489ba051a6a325d99b8a232c532b41e7b4af49423d33a911dfab8ba56a93a5b63876c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  Filesize: 438B
  MD5: 232d17b4cb2a97f9f1fbc40a74ef8a8a
  SHA1: 995b252960f3d8028aad7d25448529028d3c7896
  SHA256: 58754a45ae097847aa19f3aba79b8ff432f45cadc65fac5c62994998c26b2732
  SHA512: b499bee6356e8f7b91e82db8574384a1eadbd3875989adfb58e722fad0dbdf2c8a580b000e72709c551a52b0d503b8ef931cb87fbaead953797eab6554f58e93

C:\Users\Admin\AppData\Local\Temp\setup23.exe
  Filesize: 1.3MB
  MD5: 5164546607112f8e62d25d4894705170
  SHA1: 8cec1cabfdd23909fa950ab6ff031da5fd6eb570
  SHA256: 390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471
  SHA512: d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
  Filesize: 2.5MB
  MD5: 735d324569e557ae7d943929e4ff87e9
  SHA1: 141e0b89202dd8548c01d9ef55b7278222d8126b
  SHA256: 4a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e
  SHA512: db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  Filesize: 1.3MB
  MD5: 5164546607112f8e62d25d4894705170
  SHA1: 8cec1cabfdd23909fa950ab6ff031da5fd6eb570
  SHA256: 390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471
  SHA512: d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb