Analysis
-
max time kernel
125s -
max time network
133s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
25-11-2022 11:35
Static task
static1
Behavioral task
behavioral1
Sample
5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe
Resource
win10-20220901-en
General
-
Target
5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe
-
Size
233KB
-
MD5
4149b7ced64c1cb7517446aab862ceed
-
SHA1
aacbf47e0f15775f3c35b4c0cd39861534bb4559
-
SHA256
5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
-
SHA512
cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170
-
SSDEEP
6144:G5FBs/1/P03oPswvDwJwohllMN+bW3VCf:GzB+9P0YPsw7wxhjXbWlCf
Malware Config
Extracted
amadey
3.50
193.56.146.174/g84kvj4jck/index.php
Extracted
redline
ritchshit
94.103.183.33:80
-
auth_value
98c1a18edcc6e04afa19a0ee3b16a6e2
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/468-339-0x00000000005A218A-mapping.dmp family_redline behavioral1/memory/468-375-0x0000000000580000-0x00000000005A8000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid Process 2044 rovwer.exe 4052 236.exe 2336 rovwer.exe 3960 rovwer.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\236.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000221001\\236.exe" rovwer.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4052 set thread context of 468 4052 236.exe 79 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4448 4052 WerFault.exe 75 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4984 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 468 vbc.exe 468 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 468 vbc.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 3512 wrote to memory of 2044 3512 5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe 66 PID 3512 wrote to memory of 2044 3512 5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe 66 PID 3512 wrote to memory of 2044 3512 5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe 66 PID 2044 wrote to memory of 4984 2044 rovwer.exe 67 PID 2044 wrote to memory of 4984 2044 rovwer.exe 67 PID 2044 wrote to memory of 4984 2044 rovwer.exe 67 PID 2044 wrote to memory of 4544 2044 rovwer.exe 68 PID 2044 wrote to memory of 4544 2044 rovwer.exe 68 PID 2044 wrote to memory of 4544 2044 rovwer.exe 68 PID 4544 wrote to memory of 4580 4544 cmd.exe 71 PID 4544 wrote to memory of 4580 4544 cmd.exe 71 PID 4544 wrote to memory of 4580 4544 cmd.exe 71 PID 4544 wrote to memory of 4492 4544 cmd.exe 72 PID 4544 wrote to memory of 4492 4544 cmd.exe 72 PID 4544 wrote to memory of 4492 4544 cmd.exe 72 PID 4544 wrote to memory of 4632 4544 cmd.exe 73 PID 4544 wrote to memory of 4632 4544 cmd.exe 73 PID 4544 wrote to memory of 4632 4544 cmd.exe 73 PID 4544 wrote to memory of 4224 4544 cmd.exe 74 PID 4544 wrote to memory of 4224 4544 cmd.exe 74 PID 4544 wrote to memory of 4224 4544 cmd.exe 74 PID 4544 wrote to memory of 2856 4544 cmd.exe 76 PID 4544 wrote to memory of 2856 4544 cmd.exe 76 PID 4544 wrote to memory of 2856 4544 cmd.exe 76 PID 2044 wrote to memory of 4052 2044 rovwer.exe 75 PID 2044 wrote to memory of 4052 2044 rovwer.exe 75 PID 2044 wrote to memory of 4052 2044 rovwer.exe 75 PID 4544 wrote to memory of 4680 4544 cmd.exe 78 PID 4544 wrote to memory of 4680 4544 cmd.exe 78 PID 4544 wrote to memory of 4680 4544 cmd.exe 78 PID 4052 wrote to memory of 468 4052 236.exe 79 PID 4052 wrote to memory of 468 4052 236.exe 79 PID 4052 wrote to memory of 468 4052 236.exe 79 PID 4052 wrote to memory of 468 4052 236.exe 79 PID 4052 wrote to memory of 468 4052 236.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe"C:\Users\Admin\AppData\Local\Temp\5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
PID:4984
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4580
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵PID:4492
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵PID:4632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4224
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵PID:2856
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵PID:4680
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe"C:\Users\Admin\AppData\Local\Temp\1000221001\236.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 2364⤵
- Program crash
PID:4448
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
PID:2336
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
PID:3960
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
929KB
MD5f159a709fd4cd800d0a1f766089c4318
SHA1e2335ecebfc16d030d36183a5a1f1f61853dfea8
SHA256f4dc5eedf8dd119d3b84eae34493e0b09e3bf2ff15d45e5f67266cf146f06d74
SHA5124abb21862da9d34edb8a1827d5c19f050c6a7bb45a10fa81baa169703c2a914c6123313199292bc684ab098c7cab279680233fbc3446a100874ad68774adc354
-
Filesize
929KB
MD5f159a709fd4cd800d0a1f766089c4318
SHA1e2335ecebfc16d030d36183a5a1f1f61853dfea8
SHA256f4dc5eedf8dd119d3b84eae34493e0b09e3bf2ff15d45e5f67266cf146f06d74
SHA5124abb21862da9d34edb8a1827d5c19f050c6a7bb45a10fa81baa169703c2a914c6123313199292bc684ab098c7cab279680233fbc3446a100874ad68774adc354
-
Filesize
233KB
MD54149b7ced64c1cb7517446aab862ceed
SHA1aacbf47e0f15775f3c35b4c0cd39861534bb4559
SHA2565ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
SHA512cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170
-
Filesize
233KB
MD54149b7ced64c1cb7517446aab862ceed
SHA1aacbf47e0f15775f3c35b4c0cd39861534bb4559
SHA2565ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
SHA512cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170
-
Filesize
233KB
MD54149b7ced64c1cb7517446aab862ceed
SHA1aacbf47e0f15775f3c35b4c0cd39861534bb4559
SHA2565ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
SHA512cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170
-
Filesize
233KB
MD54149b7ced64c1cb7517446aab862ceed
SHA1aacbf47e0f15775f3c35b4c0cd39861534bb4559
SHA2565ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
SHA512cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170