Analysis
max time kernel: 32s
max time network: 49s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 19:02
Static task: static1
Behavioral task: behavioral1
Sample: 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe
Resource: win7-20221111-en
General
Target: 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe
Size: 385KB
MD5: 55b1fd7484074158f9e9e8f657ec5a94
SHA1: 6988125039cbf77b4ff06fa75fa56975004d3333
SHA256: 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22
SHA512: a7b292cc74578308b4c3d129809119a96c6522185e05ddaefb294ae6636894a145383140d23b1d3217f300ee63646d6f185fdb02dcbd9ab0ee5d840aa49b4de9
SSDEEP: 12288:3fW6EQ0byZvdEnOuX9opfM99K0S+pOxOTEh25D:3fCbyZvdEnFX9op2KQKdhA
Malware Config
Extracted family: redline
Botnet: top1
C2: chardhesha.xyz:81
C2: jalocliche.xyz:81
auth_value: fa2afa98a6579319e36e31ee0552bd57
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1792-56-0x0000000000380000-0x00000000003AA000-memory.dmp | family_redline
\Windows\Temp\top1.exe | family_redline
C:\Windows\Temp\top1.exe | family_redline
behavioral1/memory/1620-61-0x0000000000110000-0x0000000000138000-memory.dmp | family_redline
C:\Windows\Temp\top1.exe | family_redline

Executes dropped EXE (1 IoC)
pid | process
1620 | top1.exe

Loads dropped DLL (1 IoC)
pid | process
1792 | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a stealer such as RedLine it is better explained by drive enumeration while collecting files and wallet data.
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
1620 | top1.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1792 | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe
Token: SeDebugPrivilege | 1620 | top1.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | process | target process
PID 1792 wrote to memory of 1620 | 1792 | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe | top1.exe
PID 1792 wrote to memory of 1620 | 1792 | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe | top1.exe
PID 1792 wrote to memory of 1620 | 1792 | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe | top1.exe
PID 1792 wrote to memory of 1620 | 1792 | 92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe | top1.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Temp\top1.exe (child of 1)
      Command line: "C:\Windows\Temp\top1.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
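As an added example (not part of the sandbox report or its tooling), the following Python turns the indicators in this report into an offline matcher: the C2 hosts and port from the extracted config, the SHA256 of the submitted sample and of the dropped C:\Windows\Temp\top1.exe, and the parent/child relationship from the process tree (a binary running from a user Temp directory spawning an EXE from C:\Windows\Temp). The key=value log format, the timestamps, the explorer.exe parent, the benign entries and the port-443 connection are all constructed for the demonstration; only the indicators themselves are copied from the report.

```python
# Added example (not part of the sandbox report): an offline IoC/behaviour matcher
# built from this report's indicators. Log format and log content are constructed.
import re
from typing import Dict, List, Optional, Tuple

# From "Malware Config": RedLine C2 hosts and the port the config names.
C2_HOSTS = {"chardhesha.xyz": 81, "jalocliche.xyz": 81}

SAMPLE = "92d305d4c7faa7d3d004a7c535d289235b187c4f72a97e76736f6fcd3fdbac22"
PAYLOAD = "24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3"

# From "General" and "Downloads": SHA256 of the submitted sample and the dropped payload.
IOC_SHA256 = {
    SAMPLE: "submitted sample (385KB)",
    PAYLOAD: "C:\\Windows\\Temp\\top1.exe (RedLine payload, 137KB)",
}

# Constructed key=value log format; quoted values may contain spaces and backslashes.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def check_network(ev: Dict[str, str]) -> Optional[str]:
    """Flag DNS queries or connections to a configured C2 host; report the port."""
    host = (ev.get("qname") or ev.get("host") or "").lower()
    if host not in C2_HOSTS:
        return None
    expected = C2_HOSTS[host]
    port = ev.get("dport")
    if port is None:
        return f"RedLine C2 host {host} (configured port {expected})"
    if int(port) == expected:
        return f"RedLine C2 {host}:{expected} (port matches config)"
    return f"RedLine C2 host {host} on unexpected port {port} (config says {expected})"


def check_hash(ev: Dict[str, str]) -> Optional[str]:
    """Flag any event carrying a SHA256 that matches the sample or the dropped payload."""
    h = ev.get("sha256", "").lower()
    return f"known file: {IOC_SHA256[h]}" if h in IOC_SHA256 else None


def check_process(ev: Dict[str, str]) -> Optional[str]:
    """Behavioural rule from the process tree: a binary running out of a user
    Temp directory spawns an EXE dropped into C:\\Windows\\Temp."""
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if "\\appdata\\local\\temp\\" in parent and image.startswith("c:\\windows\\temp\\"):
        return "user-Temp parent spawned EXE from C:\\Windows\\Temp (dropper -> top1.exe pattern)"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every check over every line; return (timestamp, event type, reason) hits."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        for check in (check_network, check_hash, check_process):
            reason = check(ev)
            if reason:
                hits.append((ev.get("ts", "?"), ev.get("type", "?"), reason))
    return hits


# Constructed telemetry modelled on the report's process tree and config.
SAMPLE_LOG = [
    f'ts=2022-11-21T19:02:05Z type=process image="C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}.exe" '
    f'parent_image="C:\\Windows\\explorer.exe" sha256={SAMPLE}',
    f'ts=2022-11-21T19:02:07Z type=file path="C:\\Windows\\Temp\\top1.exe" sha256={PAYLOAD}',
    f'ts=2022-11-21T19:02:08Z type=process image="C:\\Windows\\Temp\\top1.exe" '
    f'parent_image="C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}.exe" sha256={PAYLOAD}',
    "ts=2022-11-21T19:02:10Z type=dns qname=chardhesha.xyz",
    "ts=2022-11-21T19:02:11Z type=conn host=jalocliche.xyz dport=81",
    "ts=2022-11-21T19:02:12Z type=dns qname=www.example.com",
    "ts=2022-11-21T19:02:13Z type=conn host=jalocliche.xyz dport=443",
]

if __name__ == "__main__":
    for ts, kind, reason in scan(SAMPLE_LOG):
        print(f"{ts} [{kind}] {reason}")
```

The host check fires on the domain alone and only annotates the port: a RedLine panel can be moved to another port without changing the domain, so the port from the config is treated as corroboration rather than a requirement. The process rule is the reusable part; the hashes will stop matching as soon as the dropper is rebuilt.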
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Windows\Temp\top1.exe (three dropped-file records with identical hashes: C:\Windows\Temp\top1.exe twice and \Windows\Temp\top1.exe once)
Filesize: 137KB
MD5: a135b9085fa8ef921eec14057b03125f
SHA1: 4bf5ad5601da96ad4304f3d02b169868c972415d
SHA256: 24aebc01eb25512c266cc73a1bf90a40b92e5924ddb94ba6db3be9aa89539ea3
SHA512: c7d4f74bedb81125a5ba42dad7be1dfa8220f1f5da96d61cc3e6b87fa9dd18217b9c6683ab6f16e0197084eead7db50df401d06a7ef4434038512d7d391effab

Memory dumps
memory/1620-58-0x0000000000000000-mapping.dmp
memory/1620-61-0x0000000000110000-0x0000000000138000-memory.dmp, Filesize: 160KB
memory/1792-54-0x0000000001010000-0x0000000001076000-memory.dmp, Filesize: 408KB
memory/1792-55-0x0000000076391000-0x0000000076393000-memory.dmp, Filesize: 8KB
memory/1792-56-0x0000000000380000-0x00000000003AA000-memory.dmp, Filesize: 168KB