Analysis
-
max time kernel
292s -
max time network
304s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
08/11/2022, 12:19
Static task
static1
Behavioral task
behavioral1
Sample
anon1.c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
anon1.c.exe
Resource
win10v2004-20220812-en
General
-
Target
anon1.c.exe
-
Size
6.3MB
-
MD5
ec54635cd5ecaf1b3bfeaac4ad54f360
-
SHA1
78ce05e39cd35bb9f932dadf0d2dc7bb2783cb15
-
SHA256
04d31c61d53359359e896db066a150f94321c1fd788a9ef7cb6a3e08ab963761
-
SHA512
44043cdae43b0fe3e9c8a247e568925c5c8047fa425d61bfb428cb6376f9ba1d8bfa50b362657ca73a48c015f7fb1ea6b496a00d68473f6ee92eebbc17e5e236
-
SSDEEP
98304:F0fI8YvciV+yBm0XA7HCOaYh5JTrQOdauaHaSZSxT+yq1Dc0:F0oxLA7HJaW5tbauFgSx4
Malware Config
Extracted
raccoon
94c54520400750937a6f1bf6044f8667
http://194.37.80.221/
Extracted
systembc
45.15.156.48:4254
146.70.53.169:4254
Extracted
redline
Test1
45.15.156.48:8285
-
auth_value
3ec6815aabd0bab316e997c1c7898294
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/memory/1876-84-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1876-89-0x0000000000422122-mapping.dmp family_redline behavioral1/memory/1876-90-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1876-91-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
pid Process 2036 14dsT2Dg.exe 1696 c6dvZEah.exe 1404 ksUM43uw.exe 1496 14dsT2Dg.exe 972 svcupdater.exe -
Loads dropped DLL 11 IoCs
pid Process 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1184 anon1.c.exe 1628 taskeng.exe 1628 taskeng.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1404 set thread context of 1876 1404 ksUM43uw.exe 35 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\wow64.job 14dsT2Dg.exe File opened for modification C:\Windows\Tasks\wow64.job 14dsT2Dg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1364 schtasks.exe -
GoLang User-Agent 4 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 10 Go-http-client/1.1 HTTP User-Agent header 11 Go-http-client/1.1 HTTP User-Agent header 12 Go-http-client/1.1 HTTP User-Agent header 7 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1184 anon1.c.exe 1876 vbc.exe 1876 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1876 vbc.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 1184 wrote to memory of 2036 1184 anon1.c.exe 28 PID 1184 wrote to memory of 2036 1184 anon1.c.exe 28 PID 1184 wrote to memory of 2036 1184 anon1.c.exe 28 PID 1184 wrote to memory of 2036 1184 anon1.c.exe 28 PID 1184 wrote to memory of 1696 1184 anon1.c.exe 29 PID 1184 wrote to memory of 1696 1184 anon1.c.exe 29 PID 1184 wrote to memory of 1696 1184 anon1.c.exe 29 PID 1184 wrote to memory of 1696 1184 anon1.c.exe 29 PID 1696 wrote to memory of 1796 1696 c6dvZEah.exe 30 PID 1696 wrote to memory of 1796 1696 c6dvZEah.exe 30 PID 1696 wrote to memory of 1796 1696 c6dvZEah.exe 30 PID 1184 wrote to memory of 1404 1184 anon1.c.exe 32 PID 1184 wrote to memory of 1404 1184 anon1.c.exe 32 PID 1184 wrote to memory of 1404 1184 anon1.c.exe 32 PID 1184 wrote to memory of 1404 1184 anon1.c.exe 32 PID 1796 wrote to memory of 1364 1796 cmd.exe 33 PID 1796 wrote to memory of 1364 1796 cmd.exe 33 PID 1796 wrote to memory of 1364 1796 cmd.exe 33 PID 1404 wrote to memory of 1876 1404 ksUM43uw.exe 35 PID 1404 wrote to memory of 1876 1404 ksUM43uw.exe 35 PID 1404 wrote to memory of 1876 1404 ksUM43uw.exe 35 PID 1404 wrote to memory of 1876 1404 ksUM43uw.exe 35 PID 1404 wrote to memory of 1876 1404 ksUM43uw.exe 35 PID 1404 wrote to memory of 1876 1404 ksUM43uw.exe 35 PID 976 wrote to memory of 1496 976 taskeng.exe 37 PID 976 wrote to memory of 1496 976 taskeng.exe 37 PID 976 wrote to memory of 1496 976 taskeng.exe 37 PID 976 wrote to memory of 1496 976 taskeng.exe 37 PID 1628 wrote to memory of 972 1628 taskeng.exe 39 PID 1628 wrote to memory of 972 1628 taskeng.exe 39 PID 1628 wrote to memory of 972 1628 taskeng.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\anon1.c.exe"C:\Users\Admin\AppData\Local\Temp\anon1.c.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe"C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036
-
-
C:\Users\Admin\AppData\Roaming\c6dvZEah.exe"C:\Users\Admin\AppData\Roaming\c6dvZEah.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\system32\cmd.execmd.exe /C schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f3⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\system32\schtasks.exeschtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f4⤵
- Creates scheduled task(s)
PID:1364
-
-
-
-
C:\Users\Admin\AppData\Roaming\ksUM43uw.exe"C:\Users\Admin\AppData\Roaming\ksUM43uw.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A3B4FD51-C93F-4A01-8B93-861222ECF246} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Users\Admin\AppData\Roaming\14dsT2Dg.exeC:\Users\Admin\AppData\Roaming\14dsT2Dg.exe start2⤵
- Executes dropped EXE
PID:1496
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {11097B21-E440-4B64-8A1B-12C9B30BF8B1} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exeC:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe2⤵
- Executes dropped EXE
PID:972
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
322KB
MD58850b7c96abf365df3fd542cb17755c5
SHA190e77265727ab091e9ee48e82df170b8929998b4
SHA256cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
-
Filesize
322KB
MD58850b7c96abf365df3fd542cb17755c5
SHA190e77265727ab091e9ee48e82df170b8929998b4
SHA256cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
-
Filesize
322KB
MD58850b7c96abf365df3fd542cb17755c5
SHA190e77265727ab091e9ee48e82df170b8929998b4
SHA256cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
2.4MB
MD525b80f714520a949e5ae6b95b0585ce8
SHA19265fb3f52d272fe4a034f45b5e9b49eefd28e09
SHA256b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba
SHA5120b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
322KB
MD58850b7c96abf365df3fd542cb17755c5
SHA190e77265727ab091e9ee48e82df170b8929998b4
SHA256cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
-
Filesize
322KB
MD58850b7c96abf365df3fd542cb17755c5
SHA190e77265727ab091e9ee48e82df170b8929998b4
SHA256cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
2.4MB
MD525b80f714520a949e5ae6b95b0585ce8
SHA19265fb3f52d272fe4a034f45b5e9b49eefd28e09
SHA256b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba
SHA5120b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98
-
Filesize
2.4MB
MD525b80f714520a949e5ae6b95b0585ce8
SHA19265fb3f52d272fe4a034f45b5e9b49eefd28e09
SHA256b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba
SHA5120b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5
-
Filesize
4.8MB
MD527d2a70c1f2a5a6cdb5b5e87e976014d
SHA19b68a92a1e305f44ad040cc7ab5f4eb63ea58907
SHA256d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a
SHA512c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5