Overview

overview

10

Static

static

winprofile

windows7-x64

1

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    260s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-11-2022 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    872a5dee4be75a8677bf2d905227e43e706e3f87a008de30c16d5cd256730fad.exe

  • Size

    1.3MB

  • MD5

    e924f93d838f03edd47759695b5ced49

  • SHA1

    56fc3cdf00381bcf71fce9e3b7eecf07f53026b3

  • SHA256

    872a5dee4be75a8677bf2d905227e43e706e3f87a008de30c16d5cd256730fad

  • SHA512

    685733352962065d13a0cf22233b3c162899eff70947569e18796925182c579e07c608defffa967b9b9e917d1526f91c5ab0c82170bbac37f0f0cbc31b73da18

  • SSDEEP

    24576:lI9iDSZlHH3nDfaxT2sRhFjWP1kpWbF998XWVZDJ:lIcElXDAT2GhwjsWVBJ

Score
10/10
redline333333discoveryinfostealerspywarestealerupx

Malware Config

Extracted

Family

redline

Botnet

333333

C2

79.137.194.32:5050

Attributes
  • auth_value

    0e0de8ec7f9ca54eeaacd4905c5421c1

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2872
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\svchost.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3336
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            4⤵
            • Delays execution with timeout.exe
            PID:2020
    • C:\Users\Admin\AppData\Local\Temp\872a5dee4be75a8677bf2d905227e43e706e3f87a008de30c16d5cd256730fad.exe
      "C:\Users\Admin\AppData\Local\Temp\872a5dee4be75a8677bf2d905227e43e706e3f87a008de30c16d5cd256730fad.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4552
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3928
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:3876
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4956
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4704
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:5008
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:360

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      1.1MB

      MD5

      c1da1c2ca9cfee6a91b5d0b9b071ce9f

      SHA1

      8460a1580866864b3b1065544cf095f6be850a12

      SHA256

      14c1f77597304f40558b21e961fe839f296d1c72f2c5c6fe327e35b144523a18

      SHA512

      9dddcf8e3b918bc9b22245ee1de52b7e5c48684d7bc5946c9e25215b21d7be25442b2fda0c9284cc3a3d56e8cc39a1d9a037b5b20b09679300e7ba4e75ad99bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      1.1MB

      MD5

      c1da1c2ca9cfee6a91b5d0b9b071ce9f

      SHA1

      8460a1580866864b3b1065544cf095f6be850a12

      SHA256

      14c1f77597304f40558b21e961fe839f296d1c72f2c5c6fe327e35b144523a18

      SHA512

      9dddcf8e3b918bc9b22245ee1de52b7e5c48684d7bc5946c9e25215b21d7be25442b2fda0c9284cc3a3d56e8cc39a1d9a037b5b20b09679300e7ba4e75ad99bb

      Download Submit
    • \ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit
    • \ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit
    • \Users\Admin\AppData\Local\Temp\advapi32.dll
      Filesize

      428KB

      MD5

      b15d63cc5b9b4f5f32585886b0e60629

      SHA1

      68192b9f211e60e12196f8f7e016cfce4d735af3

      SHA256

      569d3524ee3967409e3712255d6c86ff3455cb80bc1f5c30b12faa8515612193

      SHA512

      99207e98f1f791305951af0a32b7f85ef2262a33960f9f64dd1b04fbe19fe66f0a883d25079318ddb25df32370bfb68bc94682a8fb07e2f21477e2f48bb59439

      Download Submit
    • memory/2020-459-0x0000000000000000-mapping.dmp
      Download
    • memory/3336-445-0x0000000000000000-mapping.dmp
      Download
    • memory/4324-168-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-148-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-127-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-128-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-130-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-129-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-131-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-132-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-134-0x0000000002530000-0x0000000002A97000-memory.dmp
      Filesize

      5.4MB

      Download
    • memory/4324-136-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-137-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-138-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-139-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-140-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-141-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-173-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-142-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-144-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-145-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-146-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-147-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-172-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-149-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-150-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-152-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-151-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-154-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-155-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-153-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-156-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-157-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-171-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-159-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-160-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-161-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-162-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-163-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-164-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-165-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-166-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-167-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-118-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-169-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-170-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-158-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-126-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-143-0x0000000000AE0000-0x0000000000BFE000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4324-174-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-175-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-176-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-177-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-178-0x000000000DCC0000-0x000000000DE4A000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4324-179-0x000000000DCC0000-0x000000000DE4A000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4324-119-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-120-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-121-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-122-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-123-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-186-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-124-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-253-0x0000000002530000-0x0000000002A97000-memory.dmp
      Filesize

      5.4MB

      Download
    • memory/4324-125-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4324-260-0x0000000000AE0000-0x0000000000BFE000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4552-441-0x0000000007710000-0x0000000007786000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4552-182-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/4552-256-0x0000000005700000-0x0000000005712000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4552-264-0x00000000058E0000-0x000000000592B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4552-393-0x00000000070B0000-0x0000000007272000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4552-252-0x0000000005C40000-0x0000000006246000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/4552-185-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4552-367-0x0000000006610000-0x00000000066A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4552-368-0x0000000006BB0000-0x00000000070AE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4552-183-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4552-443-0x0000000006B20000-0x0000000006B70000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4552-394-0x00000000077B0000-0x0000000007CDC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4552-359-0x0000000005AA0000-0x0000000005B06000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4552-180-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/4552-254-0x00000000057D0000-0x00000000058DA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4552-259-0x0000000005760000-0x000000000579E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/4552-184-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4684-289-0x0000000000400000-0x0000000000566000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4684-357-0x00000000100C0000-0x0000000010410000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4684-435-0x0000000002600000-0x0000000002C10000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4684-436-0x0000000000400000-0x0000000000566000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4684-268-0x0000000000000000-mapping.dmp
      Download
    • memory/4684-336-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4684-334-0x0000000002F50000-0x0000000003083000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4684-447-0x0000000000400000-0x0000000000566000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4684-449-0x0000000002F50000-0x0000000003081000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4684-451-0x00000000776D0000-0x000000007785E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4684-453-0x00000000100C0000-0x0000000010410000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4684-288-0x0000000002600000-0x0000000002C10000-memory.dmp
      Filesize

      6.1MB

      Download