Analysis

max time kernel: 163s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-10-2022 14:03

Static task: static1
Behavioral task: behavioral1
  Sample: 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe
  Resource: win10v2004-20220812-en
General

Target: 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe
Size: 543KB
MD5: 86be1fd07bcfd80a12c0bb77b8e6f45d
SHA1: 41e7de66d97cda087f4c3ef8920095367c4f9080
SHA256: 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4
SHA512: 52550fad0f487c5ab4407bdf659dcb53cb7d1d91a89a4adb8899c67d449417e08053853af1c8d0a2f6147478092f5aebcb3316844dddc71d4e94e5ba8af4e840
SSDEEP: 1536:jrae78zjORCDGwfdCSog01313/s5g0VclU+jxeTjs7d59QRr32+P8yYiN:JahKyd2n31E5FOxeTwd0RrXUyY0
Malware Config

Extracted
Family: redline
Botnet: Nigh
C2: 80.66.87.20:80
auth_value: dab8506635d1dc134af4ebaedf4404eb
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
  resource: behavioral2/memory/1776-152-0x0000000000400000-0x0000000000428000-memory.dmp
  yara_rule: family_redline

Executes dropped EXE 4 IoCs
Processes: perfofov.exe, Ekechvvajumessagecompetitive_1.exe, perfofov.exe, perfofov.exe
  PID 2172 perfofov.exe
  PID 624 Ekechvvajumessagecompetitive_1.exe
  PID 1916 perfofov.exe
  PID 1776 perfofov.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: perfofov.exe, Ekechvvajumessagecompetitive_1.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by perfofov.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by Ekechvvajumessagecompetitive_1.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce by 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe
Note: this RunOnce value is the standard clean-up stub written by the Windows self-extracting cabinet loader (wextract, as produced by IExpress). At next logon it calls advpack.dll!DelNodeRunDLL32 to delete the IXP000.TMP extraction directory; it does not re-launch anything. What it tells an analyst is that the outer sample is an SFX wrapper that unpacks perfofov.exe into IXP000.TMP, not that the malware persists through RunOnce.
Suspicious use of SetThreadContext 1 IoCs
Processes: perfofov.exe
  PID 2172 (perfofov.exe) set thread context of PID 1776 (perfofov.exe)
Note: read together with the eight WriteProcessMemory events from 2172 into 1776 and the family_redline YARA match on the 0x0000000000400000-0x0000000000428000 region of 1776, this is the process-hollowing sequence: the first perfofov.exe instance spawns a second copy of itself, overwrites that child's image with the unpacked RedLine payload and redirects its thread into it. The 1776 region at 0x400000 is the one to dump for configuration extraction; the on-disk perfofov.exe never contains the decrypted stealer.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: powershell.exe, perfofov.exe, powershell.exe
  PID 3316 powershell.exe (2 events)
  PID 2172 perfofov.exe (2 events)
  PID 2436 powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: perfofov.exe, powershell.exe, Ekechvvajumessagecompetitive_1.exe, powershell.exe
  Token: SeDebugPrivilege PID 2172 perfofov.exe
  Token: SeDebugPrivilege PID 3316 powershell.exe
  Token: SeDebugPrivilege PID 624 Ekechvvajumessagecompetitive_1.exe
  Token: SeDebugPrivilege PID 2436 powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs
Processes: 6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe, perfofov.exe, Ekechvvajumessagecompetitive_1.exe
  PID 5036 (6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe) wrote to memory of PID 2172 (perfofov.exe): 3 events
  PID 2172 (perfofov.exe) wrote to memory of PID 3316 (powershell.exe): 3 events
  PID 2172 (perfofov.exe) wrote to memory of PID 624 (Ekechvvajumessagecompetitive_1.exe): 3 events
  PID 2172 (perfofov.exe) wrote to memory of PID 1916 (perfofov.exe): 3 events
  PID 2172 (perfofov.exe) wrote to memory of PID 1776 (perfofov.exe): 8 events
  PID 624 (Ekechvvajumessagecompetitive_1.exe) wrote to memory of PID 2436 (powershell.exe): 3 events
Processes

C:\Users\Admin\AppData\Local\Temp\6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe (PID 5036, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe (PID 2172, depth 2, child of 5036)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3316, depth 3, child of 2172)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Ekechvvajumessagecompetitive_1.exe (PID 624, depth 3, child of 2172)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ekechvvajumessagecompetitive_1.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2436, depth 4, child of 624)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe (PID 1916, depth 3, child of 2172)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe (PID 1776, depth 3, child of 2172)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
      - Executes dropped EXE
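Two details of the process tree are worth checking by hand. First, both PowerShell children were launched with a System32 path but ran from C:\Windows\SysWOW64, which is WoW64 file-system redirection: their parents (perfofov.exe and Ekechvvajumessagecompetitive_1.exe) are 32-bit processes. Second, the -enc argument is base64 of UTF-16LE text, so it has to be decoded as such, not as ASCII. The script below is an added example, not part of the report or of the sandbox's tooling; it decodes any -EncodedCommand variant (PowerShell accepts every unambiguous prefix, -e, -ec, -en, -enc, ...) and totals the Start-Sleep delays it finds, because a command line that only sleeps is a stalling step meant to outlast short analysis windows. The REPORT_CMDLINES dictionary is copied from the tree above; the flag and sleep regexes are this example's own assumptions.

```python
import base64
import re

# Command lines of the two PowerShell children in the process tree of this report
# (PIDs 3316 and 2436 were started with the same command line).
REPORT_CMDLINES = {
    3316: '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==',
    2436: '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==',
}

# "-<flag> <value>" pairs. PowerShell accepts any unambiguous prefix of
# -EncodedCommand, so the flag name is checked by prefix in the decoder.
# Constructed for this example, not taken from the report.
_FLAG_ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Start-Sleep with -Seconds/-s (the default) or -Milliseconds/-m.
_SLEEP = re.compile(r"(?i)\bStart-Sleep\s+(?:-(seconds|s|milliseconds|m)\s+)?(\d+)")


def encode_command(script: str) -> str:
    """Produce what PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script from a PowerShell command line, or None."""
    for flag, blob in _FLAG_ARG.findall(cmdline):
        f = flag.lower()
        if not (f.startswith("e") and "encodedcommand".startswith(f)):
            continue  # -ExecutionPolicy, -ep, -w, ... are not the encoded-command switch
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not valid base64; keep scanning the rest of the line
        return raw.decode("utf-16-le", errors="replace")
    return None


def sleep_seconds(script: str) -> float:
    """Total delay requested by Start-Sleep calls in a script, in seconds."""
    total = 0.0
    for unit, n in _SLEEP.findall(script):
        total += int(n) / 1000.0 if unit.lower().startswith("m") else int(n)
    return total


def triage(cmdlines: dict) -> dict:
    """Decode each command line and record how long it stalls, keyed by PID."""
    out = {}
    for pid, cmdline in cmdlines.items():
        script = decode_encoded_command(cmdline)
        out[pid] = {
            "script": script,
            "sleep_seconds": sleep_seconds(script) if script else 0.0,
        }
    return out


if __name__ == "__main__":
    for pid, info in triage(REPORT_CMDLINES).items():
        print(pid, repr(info["script"]), "stalls for", info["sleep_seconds"], "s")
```

Both children decode to `Start-Sleep -Seconds 34`: each stage pauses 34 seconds before continuing, which this run (163s of kernel time) outlasted. Detection logic that keys on PowerShell with -enc should therefore decode and inspect the payload rather than alert on the switch alone; a bare sleep is a useful staging indicator but carries no C2 or loader logic by itself.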
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\perfofov.exe.log
Filesize: 1KB
MD5: e87e48b105757e1c7563d1c719059733
SHA1: 28a3f2b2e0672da2b531f4757d2b20b53032dafc
SHA256: 0aaf22dc84cc3fcfe53de7ccfed8e662247dfb7f1a9967032c88790d0c663461
SHA512: bf19c5743143aee914a453c41189c722c9b90a5b8bf299cecf3e1f97656d32cd209ecb74da8aebc89bb41c27d189f73aaaabbc64fe383410c95dc76ad4218968
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 53KB
MD5: 06ad34f9739c5159b4d92d702545bd49
SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 16KB
MD5: e6dc827168236df838c921ab4654c535
SHA1: d1323ca11c0ce518cabefe190040b073cd48136f
SHA256: 16835ff579b7f077a987b541075ac5807fceec5758cb7fc2aac39cfd20006fd9
SHA512: ed75e511624e035238c6b27d89ad97aaca600c19575d514a46e9548d78dd08794b1818df83deb7f9610980cf8241473c1403bcc478e89adf8c96c489623b2ed7
-
C:\Users\Admin\AppData\Local\Temp\Ekechvvajumessagecompetitive_1.exe
Filesize: 12KB
MD5: 8204d86f385e7648f7f3e4858aedb950
SHA1: 82f837ad3dcde3f91d9ab7c3d6932b9dd0e3b1b2
SHA256: ca2ba3661add947970864563544c38b2a1248ed28e29cfd52a78fec54ca7e5ef
SHA512: 4852fb6e36c8f603745d11675e2990d27f92840d0d854548829940112d284e823ba924c56b7d85008ef90c6b3e90ebe981622b8f8f1754abc91ce535658f6bdd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
Filesize: 333.8MB
MD5: 6b8a6884f6a5d48e27b7606839ab2043
SHA1: a736eb7309ef918e7f6eed05cf6f1e460756c8bc
SHA256: 3c54e4d2985f2ae91573359ac969ffa32a5cf989b6b6648d279cc96e97ae1087
SHA512: 4108d1e23833b72816afd7aec6e526c585a08f6e32dfa7904d126476091feafefffbc0406f32ba7d28f07ce10b8a237fc2ae13490f024cdd4d3798a1a5e5a309
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
Filesize: 245.6MB
MD5: 82581313505aac15cfd9ce9c0bd8aa59
SHA1: 17e5f2b20d14055a10c3be7154283ebe3ded8cde
SHA256: cd137eaf11d0dd72e62beafcb240d1d43eccf759e66ab3b2f713b7557472788f
SHA512: 2c9043ac57eabc0f17160de5bcc455589a6d3ec627e9733bd9571d98daec626948d8efd4924ce87747bc8ead5253d3d6fabfd566b184bd790c1f4801b32be644
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe
Filesize: 245.7MB
MD5: 8f459bcd2cbe3a945dbf3b5bd6e00744
SHA1: 34885a70a5774b22384b395c9a5065818d62c9fc
SHA256: 6895a2775b1432b6bf6dfc779f62c8bcf2680ac3b09a929c7dc3d2e2a6069919
SHA512: cd2d12aa34ae26aadf16a34800a45cbe3e4c8083307cf71c4b682ddbf9239664aef99c7f8b49f3bc3ffd0fe570e297b1170299c9824ebedd9dc96ef30352df1f
Note: the same dropped path C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\perfofov.exe is recorded with three different sizes and hash sets (333.8MB, 245.6MB and 245.7MB) although the outer sample is only 543KB. A file hundreds of megabytes in size emerging from a sub-megabyte self-extractor is only possible if it is mostly highly compressible padding, and the changing hashes show it is rewritten during the run. The dropped file's hashes are therefore not stable indicators; pin detections to the 543KB outer sample's hashes, the IXP000.TMP\perfofov.exe path, the C2 80.66.87.20:80 and the extracted auth_value instead.
-
- memory/624-145-0x0000000000000000-mapping.dmp
- memory/624-149-0x0000000000D20000-0x0000000000D28000-memory.dmp (32KB)
- memory/1776-151-0x0000000000000000-mapping.dmp
- memory/1776-162-0x0000000003040000-0x000000000307C000-memory.dmp (240KB)
- memory/1776-161-0x0000000002EA0000-0x0000000002EB2000-memory.dmp (72KB)
- memory/1776-160-0x0000000005540000-0x000000000564A000-memory.dmp (1.0MB)
- memory/1776-158-0x0000000005A50000-0x0000000006068000-memory.dmp (6.1MB)
- memory/1776-152-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1916-148-0x0000000000000000-mapping.dmp
- memory/2172-135-0x0000000000480000-0x0000000000488000-memory.dmp (32KB)
- memory/2172-136-0x0000000005A40000-0x0000000005A62000-memory.dmp (136KB)
- memory/2172-132-0x0000000000000000-mapping.dmp
- memory/2436-155-0x0000000000000000-mapping.dmp
- memory/3316-139-0x0000000005A40000-0x0000000006068000-memory.dmp (6.2MB)
- memory/3316-138-0x0000000003180000-0x00000000031B6000-memory.dmp (216KB)
- memory/3316-137-0x0000000000000000-mapping.dmp
- memory/3316-142-0x00000000067E0000-0x00000000067FE000-memory.dmp (120KB)
- memory/3316-140-0x00000000059A0000-0x0000000005A06000-memory.dmp (408KB)
- memory/3316-141-0x0000000006120000-0x0000000006186000-memory.dmp (408KB)
- memory/3316-143-0x0000000007E00000-0x000000000847A000-memory.dmp (6.5MB)
- memory/3316-144-0x0000000006CF0000-0x0000000006D0A000-memory.dmp (104KB)
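The dump names above encode the PID, a sequence number and the virtual address range of each region, so they can be correlated mechanically with the Signatures section: the SetThreadContext event from PID 2172 into PID 1776 names the hollowed child, and the family_redline YARA hit lands on that child's region at 0x400000. The script below is an added example, not part of the report or of the sandbox's tooling; it parses the dump names, reproduces the report's size labels, and lists the regions in any SetThreadContext target that start at the default 32-bit PE image base. MEMORY_DUMPS, SET_THREAD_CONTEXT and YARA_HITS are copied from this page; treating 0x400000 as the image base of interest is this example's heuristic, not something the report states.

```python
import re
from collections import defaultdict

# Memory dump names listed at the end of this report (both memory.dmp and mapping.dmp entries).
MEMORY_DUMPS = [
    "memory/624-145-0x0000000000000000-mapping.dmp",
    "memory/624-149-0x0000000000D20000-0x0000000000D28000-memory.dmp",
    "memory/1776-151-0x0000000000000000-mapping.dmp",
    "memory/1776-162-0x0000000003040000-0x000000000307C000-memory.dmp",
    "memory/1776-161-0x0000000002EA0000-0x0000000002EB2000-memory.dmp",
    "memory/1776-160-0x0000000005540000-0x000000000564A000-memory.dmp",
    "memory/1776-158-0x0000000005A50000-0x0000000006068000-memory.dmp",
    "memory/1776-152-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1916-148-0x0000000000000000-mapping.dmp",
    "memory/2172-135-0x0000000000480000-0x0000000000488000-memory.dmp",
    "memory/2172-136-0x0000000005A40000-0x0000000005A62000-memory.dmp",
    "memory/2172-132-0x0000000000000000-mapping.dmp",
    "memory/2436-155-0x0000000000000000-mapping.dmp",
    "memory/3316-139-0x0000000005A40000-0x0000000006068000-memory.dmp",
    "memory/3316-138-0x0000000003180000-0x00000000031B6000-memory.dmp",
    "memory/3316-137-0x0000000000000000-mapping.dmp",
    "memory/3316-142-0x00000000067E0000-0x00000000067FE000-memory.dmp",
    "memory/3316-140-0x00000000059A0000-0x0000000005A06000-memory.dmp",
    "memory/3316-141-0x0000000006120000-0x0000000006186000-memory.dmp",
    "memory/3316-143-0x0000000007E00000-0x000000000847A000-memory.dmp",
    "memory/3316-144-0x0000000006CF0000-0x0000000006D0A000-memory.dmp",
]

# From the Signatures section: (source pid, target pid) of the SetThreadContext
# event, and the dump that matched the family_redline YARA rule.
SET_THREAD_CONTEXT = [(2172, 1776)]
YARA_HITS = {"memory/1776-152-0x0000000000400000-0x0000000000428000-memory.dmp": "family_redline"}

# Default image base of a 32-bit PE. A heuristic of this example, not a fact from the report.
DEFAULT_IMAGE_BASE = 0x400000

_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'; mapping.dmp entries give None."""
    m = _DUMP.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"name": name, "pid": int(pid), "seq": int(seq),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Format like the report: whole KB below 1 MB, one decimal MB at or above it."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_by_pid(names):
    """Group parsed memory regions by PID, each list sorted by start address."""
    by_pid = defaultdict(list)
    for name in names:
        region = parse_dump_name(name)
        if region:
            by_pid[region["pid"]].append(region)
    for regions in by_pid.values():
        regions.sort(key=lambda r: r["start"])
    return dict(by_pid)


def suspect_hollowed_regions(names, stc_events, image_base=DEFAULT_IMAGE_BASE):
    """Regions in a SetThreadContext target process that start at the image base.

    WriteProcessMemory into a child followed by SetThreadContext on it is the
    process-hollowing sequence; the region at the image base in that child is
    where the replaced executable lives, so it is the first dump to carve."""
    targets = {target for _, target in stc_events}
    return [r["name"] for regions in regions_by_pid(names).values()
            for r in regions if r["pid"] in targets and r["start"] == image_base]


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(MEMORY_DUMPS).items()):
        for r in regions:
            tag = YARA_HITS.get(r["name"], "")
            print(f"pid {pid:>5} 0x{r['start']:08X}-0x{r['end']:08X} {human_size(r['size']):>7} {tag}")
    print("carve first:", suspect_hollowed_regions(MEMORY_DUMPS, SET_THREAD_CONTEXT))
```

Run against this page, the only candidate is memory/1776-152-0x0000000000400000-0x0000000000428000-memory.dmp, which is exactly the dump the family_redline rule fired on. PIDs 1916 and 2436 have no memory.dmp entries at all, only a mapping.dmp, which is consistent with 1916 being a launch that did nothing observable and 2436 being the second sleep-only PowerShell.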