Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    813KB

  • MD5

    7e24338014cbbcd2876198f9a88abf4e

  • SHA1

    1060924310d7bb365e86f9aa5a8d65a27a8f2344

  • SHA256

    03c5fe80c0077a6c33fdbac342b7895b61c66377b7419e473bdabee3bed1a92c

  • SHA512

    6b90bdaea9ac5c45eddb57896f2ab77b1fda04724a55c61d15ebb3b80b10da3f56ad82cd1b83a7d5f02047b688cc8267f9ab3b0a9046ef5f8ef46773a25b91df

  • SSDEEP

    24576:Y7dDdEPfNN6hzGwS4KNHNKGdANLr0VshYbqkfc4:MgP0k4KRYGWr8syqkfc

Score
10/10
redlineappinfostealer

Malware Config

Extracted

Family

redline

Botnet

APP

C2

37.139.128.51:53092

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmwcWZdNzyphB.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4612
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmwcWZdNzyphB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA354.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1860
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA354.tmp
    Filesize

    1KB

    MD5

    28cb4d5768e5979af17a90553d517946

    SHA1

    c5771f92ec8c85aecfda4dfeb0456ff1602914c4

    SHA256

    575593026e3ee4ae91bcad5af1da0d2d06fe1f95e623dfcd8a9a95da3279cce4

    SHA512

    71ff9f5709785dc9f5568168449a057cfa085ca1e7d1901a3da8d99e70cfa8ed2022e97de474ca82884ff7558f35ba0f0af7a9d46f5e73836b033d68902ce4e6

    Download Submit
  • memory/316-146-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/316-148-0x00000000059F0000-0x0000000006008000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/316-149-0x00000000052C0000-0x00000000052D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/316-152-0x00000000055E0000-0x00000000056EA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/316-144-0x0000000000000000-mapping.dmp
    Download
  • memory/316-150-0x0000000005320000-0x000000000535C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1860-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4496-132-0x0000000000610000-0x00000000006E2000-memory.dmp
    Filesize

    840KB

    Download
  • memory/4496-136-0x0000000007C50000-0x0000000007CEC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4496-135-0x0000000005080000-0x000000000508A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4496-134-0x00000000050A0000-0x0000000005132000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4496-133-0x0000000005650000-0x0000000005BF4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4612-139-0x0000000004500000-0x0000000004536000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4612-155-0x0000000006120000-0x000000000613E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4612-143-0x00000000053F0000-0x0000000005456000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4612-142-0x0000000004B20000-0x0000000004B42000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4612-141-0x0000000004C10000-0x0000000005238000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4612-151-0x0000000005B60000-0x0000000005B7E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4612-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4612-153-0x0000000006D70000-0x0000000006DA2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4612-154-0x0000000075150000-0x000000007519C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4612-145-0x0000000005460000-0x00000000054C6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4612-156-0x00000000074E0000-0x0000000007B5A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4612-157-0x0000000006E80000-0x0000000006E9A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4612-158-0x0000000006EE0000-0x0000000006EEA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4612-159-0x00000000070F0000-0x0000000007186000-memory.dmp
    Filesize

    600KB

    Download
  • memory/4612-160-0x00000000070A0000-0x00000000070AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4612-161-0x00000000071B0000-0x00000000071CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4612-162-0x0000000007190000-0x0000000007198000-memory.dmp
    Filesize

    32KB

    Download