Analysis
- Max time kernel: 65s
- Max time network: 69s
- Platform: windows7_x64
- Resource: win7-20220901-en
- Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- Submitted: 29-11-2022 15:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 813KB
- MD5: 7e24338014cbbcd2876198f9a88abf4e
- SHA1: 1060924310d7bb365e86f9aa5a8d65a27a8f2344
- SHA256: 03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c
- SHA512: 6b90bdaea9ac5c45eddb57896f2ab77b1fda04724a55c61d15ebb3b80b10da3f56ad82cd1b83a7d5f02047b688cc8267f9ab3b0a9046ef5f8ef46773a25b91df
- SSDEEP: 24576:Y7dDdEPfNN6hzGwS4KNHNKGdANLr0VshYbqkfc4:MgP0k4KRYGWr8syqkfc
Malware Config
Extracted
- Family: redline
- Botnet: APP
- C2: 37.139.128.51:53092
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (6 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1188-67-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1188-68-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1188-69-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1188-70-0x000000000041932E-mapping.dmp                    family_redline
    behavioral1/memory/1188-74-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
    behavioral1/memory/1188-72-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process   target process
    PID 1444 set thread context of 1188  1444  file.exe  file.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    1444  file.exe
    1444  file.exe
    1940  powershell.exe
    1188  file.exe
    1188  file.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1444  file.exe
    Token: SeDebugPrivilege  1940  powershell.exe
    Token: SeDebugPrivilege  1188  file.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description                         pid   process   target process
    PID 1444 wrote to memory of 1940    1444  file.exe  powershell.exe
    PID 1444 wrote to memory of 1940    1444  file.exe  powershell.exe
    PID 1444 wrote to memory of 1940    1444  file.exe  powershell.exe
    PID 1444 wrote to memory of 1940    1444  file.exe  powershell.exe
    PID 1444 wrote to memory of 1920    1444  file.exe  schtasks.exe
    PID 1444 wrote to memory of 1920    1444  file.exe  schtasks.exe
    PID 1444 wrote to memory of 1920    1444  file.exe  schtasks.exe
    PID 1444 wrote to memory of 1920    1444  file.exe  schtasks.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
    PID 1444 wrote to memory of 1188    1444  file.exe  file.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmwcWZdNzyphB.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmwcWZdNzyphB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA14F.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\file.exe (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA14F.tmp
  Filesize: 1KB
  MD5: eb259074b5d3f46ddcd71519f505afc1
  SHA1: 526584670c3d9ff9261e2dab832d61f7c85314b8
  SHA256: 093e9d92e811fc18db6202a461a57a39cb9e8f80a7062ba3408fe888aa78ed78
  SHA512: ddab1516c633b97362da8abede0028fff98775999b28bd3f61deedbe891e54b1fb0b4bd1532889bc8060539785dc3a174826647ed3fa92ea5b6f7dc47a930255
- memory/1188-64-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1188-72-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1188-74-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1188-70-0x000000000041932E-mapping.dmp
- memory/1188-69-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1188-68-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1188-67-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1188-65-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/1444-58-0x00000000054A0000-0x0000000005520000-memory.dmp
  Filesize: 512KB
- memory/1444-63-0x0000000004420000-0x0000000004466000-memory.dmp
  Filesize: 280KB
- memory/1444-54-0x00000000001D0000-0x00000000002A2000-memory.dmp
  Filesize: 840KB
- memory/1444-57-0x0000000000340000-0x000000000034E000-memory.dmp
  Filesize: 56KB
- memory/1444-56-0x00000000002E0000-0x00000000002F6000-memory.dmp
  Filesize: 88KB
- memory/1444-55-0x0000000075D71000-0x0000000075D73000-memory.dmp
  Filesize: 8KB
- memory/1920-60-0x0000000000000000-mapping.dmp
- memory/1940-59-0x0000000000000000-mapping.dmp
- memory/1940-76-0x000000006EB40000-0x000000006F0EB000-memory.dmp
  Filesize: 5.7MB
- memory/1940-77-0x000000006EB40000-0x000000006F0EB000-memory.dmp
  Filesize: 5.7MB