Analysis
-
max time kernel
256s -
max time network
179s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
27-11-2022 22:15
General
-
Target
03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exe
-
Size
177KB
-
MD5
117b064fb02e75f65ab71315e46e5618
-
SHA1
8bdc3f169d4d97401c300ff30fbc4c124e709af6
-
SHA256
03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b
-
SHA512
9f480e798f24b69a385001f298196ddd7a00fbbc5887c6c862e8c28776df29c509035c0cf237fe7c5fd831c73f4648040db15c0817ff4864481cba4afe414993
-
SSDEEP
3072:sr85CTK/Pi74wINPcWF1HERPhhESSUlGYO/ZMTFZl+KIGTqe:k9u/TEmEphhwYMZMBZlhI/e
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
1.0
C2
149.28.133.54:4921
Attributes
-
auth_value
84aa9e53350b3b2df39f0f1f4f6465a1
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 55 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exe"C:\Users\Admin\AppData\Local\Temp\03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exeFilesize
137KB
MD5696a8aaca3415b00cc9f9094e82628eb
SHA1ba2bd477eb4a53f8e58e36511be1c661eb6ae417
SHA256b135f50a85f48449b8d4e91ab344e08e7cc0151a1897898a1f3956b391e19771
SHA512691d78013aa04d252dd0bb2c19673967ba36b36e73f08f0738a693c824ca23aa5548fe0e2eb00f07eca5e4057586c80e4ce9e2f70423d8be013b22ef30d376f1
-
C:\Users\Admin\AppData\Local\Temp\3582-490\03d3c0ec58caf5fa228384daa9d99f0bc0d44b3c02ee911a4572f8e4f5fa728b.exeFilesize
137KB
MD5696a8aaca3415b00cc9f9094e82628eb
SHA1ba2bd477eb4a53f8e58e36511be1c661eb6ae417
SHA256b135f50a85f48449b8d4e91ab344e08e7cc0151a1897898a1f3956b391e19771
SHA512691d78013aa04d252dd0bb2c19673967ba36b36e73f08f0738a693c824ca23aa5548fe0e2eb00f07eca5e4057586c80e4ce9e2f70423d8be013b22ef30d376f1
-
memory/2176-120-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-121-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-122-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-123-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-124-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-125-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-126-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-127-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-128-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-129-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-130-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-131-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-132-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-133-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-134-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-135-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-136-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-137-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-138-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-139-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-140-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-141-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-142-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-143-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-144-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-145-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-146-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-147-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-148-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-149-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-150-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-151-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-152-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-153-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-154-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-155-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-156-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-157-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-158-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-159-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-160-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/2176-161-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-162-0x0000000000000000-mapping.dmp
-
memory/4456-164-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-165-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-167-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-166-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-168-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-169-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-170-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-171-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-173-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-174-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-175-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-176-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-177-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-178-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-179-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-180-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-181-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-182-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-183-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-184-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-185-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-186-0x0000000077710000-0x000000007789E000-memory.dmpFilesize
1.6MB
-
memory/4456-198-0x00000000006F0000-0x0000000000718000-memory.dmpFilesize
160KB
-
memory/4456-219-0x0000000005510000-0x0000000005B16000-memory.dmpFilesize
6.0MB
-
memory/4456-220-0x0000000005010000-0x000000000511A000-memory.dmpFilesize
1.0MB
-
memory/4456-222-0x0000000004F30000-0x0000000004F42000-memory.dmpFilesize
72KB
-
memory/4456-224-0x0000000004FB0000-0x0000000004FEE000-memory.dmpFilesize
248KB
-
memory/4456-228-0x0000000004F50000-0x0000000004F9B000-memory.dmpFilesize
300KB
-
memory/4456-233-0x0000000005B90000-0x0000000005BF6000-memory.dmpFilesize
408KB
-
memory/4456-241-0x0000000006300000-0x00000000067FE000-memory.dmpFilesize
5.0MB
-
memory/4456-242-0x0000000005EA0000-0x0000000005F32000-memory.dmpFilesize
584KB
-
memory/4456-244-0x00000000060C0000-0x0000000006136000-memory.dmpFilesize
472KB
-
memory/4456-245-0x0000000006140000-0x0000000006190000-memory.dmpFilesize
320KB
-
memory/4456-249-0x0000000007580000-0x0000000007742000-memory.dmpFilesize
1.8MB
-
memory/4456-250-0x0000000007C80000-0x00000000081AC000-memory.dmpFilesize
5.2MB