Analysis

Max time kernel: 159s
Max time network: 188s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-11-2022 09:15

Static task: static1
Behavioral task: behavioral1
Sample: ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe
Resource: win10v2004-20220812-en
General

Target: ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe
Size: 247KB
MD5: 24b4c7a0509d3f9a464ce3527db60c89
SHA1: cf6de67ae26755b5d5f734f722a2e245e4e144a7
SHA256: ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f
SHA512: d4cdcbb6f3b0d1213cacd0828dcbc48be17c5d71965717b80c36c36ce0201e50811a228c0c79eac7ea1b55eeee77ff32d1c44786023f2722dd555637a83b5634
SSDEEP: 6144:i2s0+LRZuyb7hLKwDfEHIoNXk34z6YpXWu:i2n+Huyb1WwDfNoEYh
Malware Config

Extracted: amadey
Version: 3.50
C2: 193.56.146.174/g84kvj4jck/index.php

Extracted: redline
Botnet: ritchshit
C2: 94.103.183.33:80
auth_value: 98c1a18edcc6e04afa19a0ee3b16a6e2
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
  Resource | YARA rule
  behavioral1/memory/212-154-0x00000000005D0000-0x00000000005F8000-memory.dmp | family_redline

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)
Processes:
  PID | Process
  2700 | rovwer.exe
  4700 | 236.exe
  3336 | okok.exe
  1848 | okok.exe
  1100 | rovwer.exe
  4760 | rovwer.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | rovwer.exe

Uses the VBS compiler for execution (1 TTP)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\236.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000221001\\236.exe" | rovwer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\okok.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000223001\\okok.exe" | rovwer.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  Description | PID | Process | Target process
  PID 4700 set thread context of 212 | 4700 | 236.exe | vbc.exe
  PID 3336 set thread context of 1848 | 3336 | okok.exe | okok.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
Processes:
  PID | Target PID | Process | Target process
  3468 | 3788 | WerFault.exe | ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe
  4784 | 4700 | WerFault.exe | 236.exe
  668 | 1100 | WerFault.exe | rovwer.exe
  4208 | 4760 | WerFault.exe | rovwer.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID | Process
  212 | vbc.exe
  212 | vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Description | PID | Process
  Token: SeDebugPrivilege | 3336 | okok.exe
  Token: SeDebugPrivilege | 212 | vbc.exe

Suspicious use of WriteProcessMemory (46 IoCs)
Processes (identical rows collapsed; Count is the number of times the row was recorded):
  Description | PID | Process | Target process | Count
  PID 3788 wrote to memory of 2700 | 3788 | ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe | rovwer.exe | 3
  PID 2700 wrote to memory of 4864 | 2700 | rovwer.exe | schtasks.exe | 3
  PID 2700 wrote to memory of 1204 | 2700 | rovwer.exe | cmd.exe | 3
  PID 1204 wrote to memory of 4232 | 1204 | cmd.exe | cmd.exe | 3
  PID 1204 wrote to memory of 4332 | 1204 | cmd.exe | cacls.exe | 3
  PID 1204 wrote to memory of 4564 | 1204 | cmd.exe | cacls.exe | 3
  PID 1204 wrote to memory of 4548 | 1204 | cmd.exe | cmd.exe | 3
  PID 1204 wrote to memory of 2012 | 1204 | cmd.exe | cacls.exe | 3
  PID 1204 wrote to memory of 1328 | 1204 | cmd.exe | cacls.exe | 3
  PID 2700 wrote to memory of 4700 | 2700 | rovwer.exe | 236.exe | 3
  PID 4700 wrote to memory of 212 | 4700 | 236.exe | vbc.exe | 5
  PID 2700 wrote to memory of 3336 | 2700 | rovwer.exe | okok.exe | 3
  PID 3336 wrote to memory of 1848 | 3336 | okok.exe | okok.exe | 8
Processes (indentation shows the parent/child tree; each entry gives the image path, then the command line, then the signatures hit by that process)

C:\Users\Admin\AppData\Local\Temp\ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
        - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

            C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "rovwer.exe" /P "Admin:N"

            C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "rovwer.exe" /P "Admin:R" /E

            C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

            C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "..\99e342142d" /P "Admin:N"

            C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "..\99e342142d" /P "Admin:R" /E

        C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 256
            - Program crash

        C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe"
            - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1284
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3788 -ip 3788

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4700 -ip 4700

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
- Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 416
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1100 -ip 1100

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
- Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 416
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4760 -ip 4760
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe
Filesize: 929KB
MD5: f159a709fd4cd800d0a1f766089c4318
SHA1: e2335ecebfc16d030d36183a5a1f1f61853dfea8
SHA256: f4dc5eedf8dd119d3b84eae34493e0b09e3bf2ff15d45e5f67266cf146f06d74
SHA512: 4abb21862da9d34edb8a1827d5c19f050c6a7bb45a10fa81baa169703c2a914c6123313199292bc684ab098c7cab279680233fbc3446a100874ad68774adc354

C:\Users\Admin\AppData\Local\Temp\1000223001\okok.exe
Filesize: 594KB
MD5: 811f64ea53b76f4e63f3baa9cbf449af
SHA1: bdbb1cb65db56922bdab468e47a4b4ecfad9bc13
SHA256: 199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168
SHA512: 3f0f7ba95068b56bb604e564c01ea6bb3b0dcd6a10d437301467a56b823a7e7c040ed16ed989bd444239fee2265248f264a86d1a1a7c9f610666679c3f99caa1

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize: 247KB
MD5: 24b4c7a0509d3f9a464ce3527db60c89
SHA1: cf6de67ae26755b5d5f734f722a2e245e4e144a7
SHA256: ec84cc9018c5c31eb791e6bf91eaa84c88b7d57b80fa637ceccd062aa419e46f
SHA512: d4cdcbb6f3b0d1213cacd0828dcbc48be17c5d71965717b80c36c36ce0201e50811a228c0c79eac7ea1b55eeee77ff32d1c44786023f2722dd555637a83b5634

Memory dumps

Dump | Filesize
memory/212-183-0x0000000006600000-0x0000000006650000-memory.dmp | 320KB
memory/212-180-0x00000000064E0000-0x0000000006572000-memory.dmp | 584KB
memory/212-154-0x00000000005D0000-0x00000000005F8000-memory.dmp | 160KB
memory/212-153-0x0000000000000000-mapping.dmp | n/a
memory/212-160-0x0000000005120000-0x000000000522A000-memory.dmp | 1.0MB
memory/212-177-0x0000000006270000-0x00000000062D6000-memory.dmp | 408KB
memory/212-182-0x0000000006580000-0x00000000065F6000-memory.dmp | 472KB
memory/212-159-0x00000000055A0000-0x0000000005BB8000-memory.dmp | 6.1MB
memory/212-161-0x0000000005050000-0x0000000005062000-memory.dmp | 72KB
memory/212-162-0x00000000050B0000-0x00000000050EC000-memory.dmp | 240KB
memory/212-184-0x0000000006F40000-0x0000000007102000-memory.dmp | 1.8MB
memory/212-185-0x0000000007640000-0x0000000007B6C000-memory.dmp | 5.2MB
memory/1100-181-0x0000000000400000-0x0000000000A2C000-memory.dmp | 6.2MB
memory/1100-179-0x0000000000BB0000-0x0000000000BCF000-memory.dmp | 124KB
memory/1204-139-0x0000000000000000-mapping.dmp | n/a
memory/1328-145-0x0000000000000000-mapping.dmp | n/a
memory/1848-172-0x0000000000590000-0x00000000005A2000-memory.dmp | 72KB
memory/1848-170-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1848-169-0x0000000000000000-mapping.dmp | n/a
memory/2012-144-0x0000000000000000-mapping.dmp | n/a
memory/2700-147-0x0000000000400000-0x0000000000A2C000-memory.dmp | 6.2MB
memory/2700-135-0x0000000000000000-mapping.dmp | n/a
memory/2700-146-0x0000000000C6C000-0x0000000000C8B000-memory.dmp | 124KB
memory/2700-176-0x0000000000400000-0x0000000000A2C000-memory.dmp | 6.2MB
memory/2700-175-0x0000000000C6C000-0x0000000000C8B000-memory.dmp | 124KB
memory/3336-168-0x0000000004B40000-0x0000000004BDC000-memory.dmp | 624KB
memory/3336-166-0x00000000001E0000-0x000000000027E000-memory.dmp | 632KB
memory/3336-163-0x0000000000000000-mapping.dmp | n/a
memory/3336-167-0x0000000005050000-0x00000000055F4000-memory.dmp | 5.6MB
memory/3788-134-0x0000000000400000-0x0000000000A2C000-memory.dmp | 6.2MB
memory/3788-148-0x0000000000D2D000-0x0000000000D4C000-memory.dmp | 124KB
memory/3788-149-0x0000000000400000-0x0000000000A2C000-memory.dmp | 6.2MB
memory/3788-133-0x0000000000CC0000-0x0000000000CFE000-memory.dmp | 248KB
memory/3788-132-0x0000000000D2D000-0x0000000000D4C000-memory.dmp | 124KB
memory/4232-140-0x0000000000000000-mapping.dmp | n/a
memory/4332-141-0x0000000000000000-mapping.dmp | n/a
memory/4548-143-0x0000000000000000-mapping.dmp | n/a
memory/4564-142-0x0000000000000000-mapping.dmp | n/a
memory/4700-150-0x0000000000000000-mapping.dmp | n/a
memory/4760-187-0x0000000000D90000-0x0000000000DAF000-memory.dmp | 124KB
memory/4760-188-0x0000000000400000-0x0000000000A2C000-memory.dmp | 6.2MB
memory/4864-138-0x0000000000000000-mapping.dmp | n/a