Analysis
max time kernel: 135s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2022 05:46
Static task: static1
Behavioral task: behavioral1 (sample 2423.sfx.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample 2423.sfx.exe, resource win10v2004-20220812-en)
General
Target: 2423.sfx.exe
Size: 368KB
MD5: a8b5a827e530c0eccd598e882c45ee16
SHA1: 56b7d4c0b5022a504696ca5ac17218e88d7869e3
SHA256: bc5104f33b5a19b048ddb58e9bae390514d78631341acd9e098ffdb7114dbeef
SHA512: 091100a2200e910fad098246cfbb151672074a3b5b32b4facf759e7541cc19b13411cf619730e6befc4aa2b13255de33c48ed23f1adabcd1a167e3a52a2cb5fe
SSDEEP: 6144:2TouKrWBEu3/Z2lpGDHU3ykJotX+t41/pJ1FBPoWPJ8:2ToPWBv/cpGrU3yVtX+t4Vp/FBgeC
Malware Config
Extracted
Family: redline
Botnet: 5
C2: 95.217.102.105:23728
auth_value: 296895f62ea120f06c6fcec4dcc5ed5b
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\2423.exe  family_redline
  C:\Users\Admin\AppData\Local\Temp\2423.exe  family_redline
  behavioral2/memory/988-135-0x0000000000290000-0x00000000002B8000-memory.dmp  family_redline
The dropped file on disk is flagged twice; the third hit is the in-memory region of PID 988 (the running 2423.exe).
Executes dropped EXE (1 IoC)
pid 988  2423.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried by 2423.sfx.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description of the rule, not a finding specific to this sample: no process-level IoC was recorded for it in this run, and the extracted configuration identifies a RedLine stealer, so the "ransomware" inference in the rule text should not be carried over to this sample.
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3040 (2423.sfx.exe) wrote to memory of PID 988 (2423.exe); recorded three times, all with the same source and target.
A parent writing into a child it has just created is also part of normal process start-up (the parent populates the new process's parameters before the child runs), so this rule fires for many benign parent/child pairs. On its own it is weak evidence of injection; the family_redline YARA match on PID 988's memory is the stronger indicator here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2423.sfx.exe  "C:\Users\Admin\AppData\Local\Temp\2423.sfx.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2423.exe  "C:\Users\Admin\AppData\Local\Temp\2423.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\2423.exe
Filesize: 137KB
MD5: adc399546530652e758999013f00367b
SHA1: 60a843608baf23cc7789c68fc426f20b6dc29b41
SHA256: 54d46f61cafb33d18862e4045a20d3dd802db35445be84c255bb62a50f5fcb65
SHA512: 4dcc9a01e98aac84d44d3aa604809438903f2a4d004e01f07ce54a2ac01c55091015567019648c825140a33b4653b38ba9bf13ef1a9ef314c33cb0f18e1c5ad6
Memory dumps (PID 988)
memory/988-132-0x0000000000000000-mapping.dmp
memory/988-135-0x0000000000290000-0x00000000002B8000-memory.dmp  Filesize: 160KB  (region matched by family_redline)
memory/988-136-0x0000000005190000-0x00000000057A8000-memory.dmp  Filesize: 6.1MB
memory/988-137-0x0000000004D10000-0x0000000004E1A000-memory.dmp  Filesize: 1.0MB
memory/988-138-0x0000000004C40000-0x0000000004C52000-memory.dmp  Filesize: 72KB
memory/988-139-0x0000000004CA0000-0x0000000004CDC000-memory.dmp  Filesize: 240KB
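The hashes, C2 endpoint, geofence registry key and parent/child relationship in this report are the indicators a responder would turn into a check against endpoint telemetry. The following is an added example, not part of the sandbox output, that matches those indicators against a constructed JSON-lines event stream with made-up field names (type, image, parent_image, sha256, key, dst_ip, dst_port, pid). The hashes and C2 are copied from the report above; the events are constructed to resemble this run. Note that the registry check in the report is a value read, which Sysmon does not record (it logs key creation, value set and rename only), so a registry_query event of this kind has to come from an EDR or the sandbox's own API trace. The "dropped EXE run from %TEMP% by a parent also in %TEMP%" rule is a heuristic generalised from the process tree above, not a rule the report itself states.

```python
"""Match this report's indicators against constructed endpoint telemetry.
Added example; not part of the Triage report. Event format and sample
events are constructed for illustration."""
import json

# Indicators copied from the report.
FILE_SHA256 = {
    "bc5104f33b5a19b048ddb58e9bae390514d78631341acd9e098ffdb7114dbeef": "2423.sfx.exe (SFX dropper)",
    "54d46f61cafb33d18862e4045a20d3dd802db35445be84c255bb62a50f5fcb65": "2423.exe (dropped RedLine payload)",
}
C2_ENDPOINTS = {("95.217.102.105", 23728)}
# The queried key sits under the user's SID; match the SID-independent suffix.
GEO_KEY_SUFFIX = "\\control panel\\international\\geo\\nation"
TEMP_DIR = "\\appdata\\local\\temp\\"

# Constructed sample telemetry (one JSON object per line, Sysmon-like names).
SAMPLE_LOG = r"""
{"type": "process_create", "pid": 3040, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2423.sfx.exe", "parent_image": "C:\\Windows\\explorer.exe", "sha256": "BC5104F33B5A19B048DDB58E9BAE390514D78631341ACD9E098FFDB7114DBEEF"}
{"type": "registry_query", "pid": 3040, "key": "HKU\\S-1-5-21-2295526160-1155304984-640977766-1000\\Control Panel\\International\\Geo\\Nation"}
{"type": "process_create", "pid": 988, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2423.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2423.sfx.exe", "sha256": "54d46f61cafb33d18862e4045a20d3dd802db35445be84c255bb62a50f5fcb65"}
{"type": "network_connect", "pid": 988, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2423.exe", "dst_ip": "95.217.102.105", "dst_port": 23728}
{"type": "process_create", "pid": 4100, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
{"type": "network_connect", "pid": 1200, "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev):
    """Return a list of (rule, detail) hits for a single event."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        # Hash match against the SFX stub and the dropped payload (case-insensitive).
        desc = FILE_SHA256.get(ev.get("sha256", "").lower())
        if desc:
            hits.append(("known_hash", f"pid {ev.get('pid')} {ev.get('image')} matches {desc}"))
        # Heuristic from the process tree: both parent and child run out of %TEMP%.
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if TEMP_DIR in image and TEMP_DIR in parent:
            hits.append(("temp_parent_child", f"{parent} spawned {image}"))
    elif kind == "registry_query":
        # Geofence check: read of Control Panel\International\Geo\Nation.
        if ev.get("key", "").lower().endswith(GEO_KEY_SUFFIX):
            hits.append(("geo_nation_query", f"pid {ev.get('pid')} read {ev.get('key')}"))
    elif kind == "network_connect":
        endpoint = (ev.get("dst_ip"), ev.get("dst_port"))
        if endpoint in C2_ENDPOINTS:
            hits.append(("redline_c2", f"pid {ev.get('pid')} -> {endpoint[0]}:{endpoint[1]}"))
    return hits


def scan(text):
    """Run every event in a JSON-lines blob through check_event."""
    findings = []
    for ev in parse_events(text):
        findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the sample stream this yields five findings: two hash matches (stub and dropped payload), the %TEMP% parent/child pair, the Geo\Nation read by PID 3040 and the connection from PID 988 to the extracted C2. The in-memory family_redline match on PID 988 has no equivalent in this kind of telemetry; catching the unpacked stage when it is never written to disk needs a memory scan with the YARA rule itself.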