Analysis
- max time kernel: 134s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-10-2022 12:08
Static task: static1
Behavioral task: behavioral1
- Sample: 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe
- Resource: win10v2004-20220812-en
General
- Target: 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe
- Size: 5.6MB
- MD5: 4150f5451a5a36988ba3ea58680e38b5
- SHA1: a8baf514a9c9d1ee1702505e5bb7c6a9bf1f6edf
- SHA256: 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204
- SHA512: ebeca4bd553aecc06207f7ce79cbd283dff7ffb2e37ec86f10bfef25396130999a8d002cc80b97c2be89f3a332bacfaa27d76728f6d3886b5e36a233f72a4a63
- SSDEEP: 98304:xJ4U0u0/kKdd7QPHgsRyrnnqTNPECnhgNwNCmsLQQLCgBDBrPSTnrbrX6K8X22pQ:xJykelxsRAqLgNwNCzJRVU3L8X2SNTz2
Malware Config
Extracted
- Family: redline
- Botnet: buildnewdomain3
- C2: hrabrlonian.xyz:81
- auth_value: a3efc6defd0c20f4e41b9199dcafae6d
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 3748 | rundll32.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/5004-154-0x0000000000000000-mapping.dmp | family_redline
  behavioral2/memory/5004-155-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
- Downloads MZ/PE file
- Executes dropped EXE (6 IoCs)
  Processes: License Keys.exe, License Keys.exe, KiffAppE2.exe, setup2.exe, setup2.exe, setup.exe
  pid | process
  1572 | License Keys.exe
  4764 | License Keys.exe
  3412 | KiffAppE2.exe
  4196 | setup2.exe
  5004 | setup2.exe
  2136 | setup.exe
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe, License Keys.exe, KiffAppE2.exe, setup2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | License Keys.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | KiffAppE2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | setup2.exe
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe, setup.exe
  pid | process
  4140 | rundll32.exe
  2136 | setup.exe
- Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\setup.exe | agile_net
  C:\Users\Admin\AppData\Local\Temp\setup.exe | agile_net
  behavioral2/memory/2136-169-0x0000000000A40000-0x0000000000B1E000-memory.dmp | agile_net
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  10 | api.ipify.org
  8 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: setup2.exe
  description | pid | process | target process
  PID 4196 set thread context of 5004 | 4196 | setup2.exe | setup2.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\resources.pak | setup.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3496 | 4140 | WerFault.exe | rundll32.exe
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 6 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: setup2.exe, setup.exe
  pid | process
  5004 | setup2.exe
  2136 | setup.exe
  2136 | setup.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: KiffAppE2.exe, setup2.exe, setup.exe
  description | pid | process
  Token: SeDebugPrivilege | 3412 | KiffAppE2.exe
  Token: SeDebugPrivilege | 5004 | setup2.exe
  Token: SeDebugPrivilege | 2136 | setup.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe, License Keys.exe, rundll32.exe, KiffAppE2.exe, setup2.exe, setup2.exe
  description | pid | process | target process
  PID 3276 wrote to memory of 1572 | 3276 | 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe | License Keys.exe
  PID 3276 wrote to memory of 1572 | 3276 | 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe | License Keys.exe
  PID 3276 wrote to memory of 1572 | 3276 | 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe | License Keys.exe
  PID 1572 wrote to memory of 4764 | 1572 | License Keys.exe | License Keys.exe
  PID 1572 wrote to memory of 4764 | 1572 | License Keys.exe | License Keys.exe
  PID 1572 wrote to memory of 4764 | 1572 | License Keys.exe | License Keys.exe
  PID 3276 wrote to memory of 3412 | 3276 | 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe | KiffAppE2.exe
  PID 3276 wrote to memory of 3412 | 3276 | 5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe | KiffAppE2.exe
  PID 4136 wrote to memory of 4140 | 4136 | rundll32.exe | rundll32.exe
  PID 4136 wrote to memory of 4140 | 4136 | rundll32.exe | rundll32.exe
  PID 4136 wrote to memory of 4140 | 4136 | rundll32.exe | rundll32.exe
  PID 3412 wrote to memory of 4196 | 3412 | KiffAppE2.exe | setup2.exe
  PID 3412 wrote to memory of 4196 | 3412 | KiffAppE2.exe | setup2.exe
  PID 3412 wrote to memory of 4196 | 3412 | KiffAppE2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 4196 wrote to memory of 5004 | 4196 | setup2.exe | setup2.exe
  PID 5004 wrote to memory of 2136 | 5004 | setup2.exe | setup.exe
  PID 5004 wrote to memory of 2136 | 5004 | setup2.exe | setup.exe
  PID 5004 wrote to memory of 2136 | 5004 | setup2.exe | setup.exe
Processes (indented by process tree depth)
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5aa127bb62a6d76f7c86d3998051415594d9565432d5ba60a0fe253c7bce5204.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\RarSFX0\License Keys.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\License Keys.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Users\Admin\AppData\Local\Temp\RarSFX0\License Keys.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\License Keys.exe" -q
    - Executes dropped EXE
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\setup2.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\setup2.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\setup2.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\setup2.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        Process (depth 5): C:\Users\Admin\AppData\Local\Temp\setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Process (depth 1): C:\Windows\system32\rundll32.exe
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  - Loads dropped DLL
    Process (depth 3): C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 600
    - Program crash
Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4140 -ip 4140
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup2.exe.log
  Filesize: 789B
  MD5: 03d2df1e8834bc4ec1756735429b458c
  SHA1: 4ee6c0f5b04c8e0c5076219c5724032daab11d40
  SHA256: 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631
  SHA512: 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
  Filesize: 157KB
  MD5: 53f9c2f2f1a755fc04130fd5e9fcaff4
  SHA1: 3f517b5b64080dee853fc875921ba7c17cdc9169
  SHA256: e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e
  SHA512: 77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\License Keys.exe
  Filesize: 87KB
  MD5: b232244c876830a67eda4150dab8cfc3
  SHA1: 64d6864fe6eaf1b6cc8bc18fce4d593e0e3f84e1
  SHA256: 5a519ed6d937ad596037b56b47b2a4b8df32075bf4cde3ab69686e66282502e5
  SHA512: a120d56af42864e983098e6cd76fd7dbdd16fd54ae1f2a267f3258ac829b36f14660c6888da941b22aba971174d86df787d0523f8a61d391e921140238a492a8
- C:\Users\Admin\AppData\Local\Temp\db.dat
  Filesize: 557KB
  MD5: 48abebba7675785b5973b17b0765b88d
  SHA1: 780fe8bbdfa6de3bc6215bea213153e4a9b9874b
  SHA256: 18dfc5eb22ec12374b59d1fee26a8e67a89403e828891f2c6eff295160b12a6b
  SHA512: b5b4e7ab4ea7a30039c566643b3a616f06cf055ac621aab081d4a6ef70b88ac64851e4c17b6206665e913227a4c09003c7fd8529dfdd8939fd501ae11d340a82
- C:\Users\Admin\AppData\Local\Temp\db.dll
  Filesize: 52KB
  MD5: e2082e7d7eeb4a3d599472a33cbaca24
  SHA1: add8cf241e8fa6ec1e18317a7f3972e900dd9ab7
  SHA256: 9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1
  SHA512: ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07
- C:\Users\Admin\AppData\Local\Temp\e8a1c59c-2698-4d09-9b67-9181b8a904a2\AgileDotNetRT.dll
  Filesize: 94KB
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  Filesize: 867KB
  MD5: 5de8804088e05b51850a98486fd018ac
  SHA1: e98aa55fa5b9cd1292394a1f357e62e68eeb13c6
  SHA256: 477a06dbbff57c765255c72f2ff7d72129269d9c66483e75abe3dbdab2432104
  SHA512: 218d2d6435daafaa71ce63d0a4bc6643b7e48e8dec6a05a8e82fed6587f9ff075ce7fc808f861534221e2760bd4e6836ad12daa772cb5c8167db85b94f1a991e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\setup2.exe
  Filesize: 470KB
  MD5: 1757ed9d1c76e0000230c759c4f50dcf
  SHA1: 0ebfb7bccf24d5f26ec0f3a14029bf707ef6a15b
  SHA256: 574a54bc3a0667b656cd0a41974cf676a9939d1e2c5a3e3984e4dcd3ba49a744
  SHA512: a619e76998e9e60e4ab320ccbc717b47a288e14d201dbb51db1506482762551dd6469453aabe66bb95a2757f6752a4ca76f00b0bef2d4b9cbc8d9bf6963703e1
- memory/1572-132-0x0000000000000000-mapping.dmp
- memory/2136-169-0x0000000000A40000-0x0000000000B1E000-memory.dmp
  Filesize: 888KB
- memory/2136-166-0x0000000000000000-mapping.dmp
- memory/2136-171-0x0000000073A40000-0x0000000073AC9000-memory.dmp
  Filesize: 548KB
- memory/3412-162-0x00007FFC9F1B0000-0x00007FFC9FC71000-memory.dmp
  Filesize: 10.8MB
- memory/3412-137-0x0000000000000000-mapping.dmp
- memory/3412-140-0x00000000001B0000-0x00000000001DE000-memory.dmp
  Filesize: 184KB
- memory/3412-141-0x00007FFC9F1B0000-0x00007FFC9FC71000-memory.dmp
  Filesize: 10.8MB
- memory/4140-143-0x0000000000000000-mapping.dmp
- memory/4196-150-0x0000000007D80000-0x0000000008324000-memory.dmp
  Filesize: 5.6MB
- memory/4196-146-0x0000000000000000-mapping.dmp
- memory/4196-153-0x0000000005450000-0x000000000546E000-memory.dmp
  Filesize: 120KB
- memory/4196-152-0x00000000054B0000-0x0000000005526000-memory.dmp
  Filesize: 472KB
- memory/4196-151-0x0000000007870000-0x0000000007902000-memory.dmp
  Filesize: 584KB
- memory/4196-149-0x00000000007E0000-0x000000000085C000-memory.dmp
  Filesize: 496KB
- memory/4764-135-0x0000000000000000-mapping.dmp
- memory/5004-160-0x0000000005130000-0x0000000005142000-memory.dmp
  Filesize: 72KB
- memory/5004-164-0x0000000007200000-0x00000000073C2000-memory.dmp
  Filesize: 1.8MB
- memory/5004-165-0x0000000007900000-0x0000000007E2C000-memory.dmp
  Filesize: 5.2MB
- memory/5004-163-0x0000000006710000-0x0000000006776000-memory.dmp
  Filesize: 408KB
- memory/5004-161-0x0000000005190000-0x00000000051CC000-memory.dmp
  Filesize: 240KB
- memory/5004-155-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB
- memory/5004-154-0x0000000000000000-mapping.dmp
- memory/5004-159-0x0000000005200000-0x000000000530A000-memory.dmp
  Filesize: 1.0MB
- memory/5004-158-0x0000000005700000-0x0000000005D18000-memory.dmp
  Filesize: 6.1MB