Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 13:35
Static task
static1
Behavioral task
behavioral1
Sample
9b0e09d7ff6b42667e744dd7ee8623a6.exe
Resource
win7-20220901-en
General
-
Target
9b0e09d7ff6b42667e744dd7ee8623a6.exe
-
Size
660KB
-
MD5
9b0e09d7ff6b42667e744dd7ee8623a6
-
SHA1
b7d6cc0c3d04c6ac6e757dadadd59fcffd69fd89
-
SHA256
05aed5bb6d590c1b0781804889957f73a85aa49c248f0e1c453ffc2777f4d5fb
-
SHA512
6742fd1c3e1c91ed0361be377f5df52658abde63d9c70f47716c82337673c3993445c94e2cd5325f07257ca975e694bb96cf7e3c2e5b8c438e35b803a74104a2
-
SSDEEP
6144:e7BzKQRNBVp8iZ0WEpAorPDWpeawdAhrlZlboHdw+eGPNcrW9EE:iBzbXp/0WExrrWpcihrzlboamisEE
Malware Config
Extracted
redline
top2
chardhesha.xyz:81
jalocliche.xyz:81
-
auth_value
706cbcaf3ac7dba064257646e57776cd
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Windows\Temp\top2.exe family_redline C:\Windows\Temp\top2.exe family_redline behavioral2/memory/1000-136-0x0000000000EC0000-0x0000000000EE8000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
top2.exepid process 1000 top2.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9b0e09d7ff6b42667e744dd7ee8623a6.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 9b0e09d7ff6b42667e744dd7ee8623a6.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
top2.exepid process 1000 top2.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
9b0e09d7ff6b42667e744dd7ee8623a6.exetop2.exedescription pid process Token: SeDebugPrivilege 4768 9b0e09d7ff6b42667e744dd7ee8623a6.exe Token: SeDebugPrivilege 1000 top2.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9b0e09d7ff6b42667e744dd7ee8623a6.exedescription pid process target process PID 4768 wrote to memory of 1000 4768 9b0e09d7ff6b42667e744dd7ee8623a6.exe top2.exe PID 4768 wrote to memory of 1000 4768 9b0e09d7ff6b42667e744dd7ee8623a6.exe top2.exe PID 4768 wrote to memory of 1000 4768 9b0e09d7ff6b42667e744dd7ee8623a6.exe top2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b0e09d7ff6b42667e744dd7ee8623a6.exe"C:\Users\Admin\AppData\Local\Temp\9b0e09d7ff6b42667e744dd7ee8623a6.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\Temp\top2.exe"C:\Windows\Temp\top2.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD5acf056d8de0cda2acdd12e036f3eec99
SHA17333b641c92b5c6ff5f5af32c1954e3c7566877d
SHA2562027dedfec9e09c58388ab769027118602b6f7b28cda697a18280483babc2705
SHA51224fec5b1d995a7b5d7209daab96e5b112d76e6d9e176060f87f21581923966743c239e89bbb6c690f3b076f4a4a689fca380d0d3313628679139ef0f6ffac1af
-
Filesize
137KB
MD5acf056d8de0cda2acdd12e036f3eec99
SHA17333b641c92b5c6ff5f5af32c1954e3c7566877d
SHA2562027dedfec9e09c58388ab769027118602b6f7b28cda697a18280483babc2705
SHA51224fec5b1d995a7b5d7209daab96e5b112d76e6d9e176060f87f21581923966743c239e89bbb6c690f3b076f4a4a689fca380d0d3313628679139ef0f6ffac1af