Analysis
max time kernel: 151s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: driver.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: driver.exe
  Resource: win10v2004-20221111-en
General
Target: driver.exe
Size: 2.5MB
MD5: 3a3fa6e19b606f700fa5a0d238de8915
SHA1: 6211694e6cd50584f368b87f7c69bf2eda502c90
SHA256: 1fc42b8450c8ffb2c4189e3064cd08edf0ff3259e9ccbb635dde6ae0782eae1a
SHA512: 83c2c913f5147341c5334b05b207715e648b9778f1cd1a7af6888f714e7fe04585ba21cd9440a7a3e8c280c99acc8f8a397a400897ebae0fb0ecb60320eaf48b
SSDEEP: 24576:KxTo3fi6zSaHcsFV03AQgs5ehYWTnxoQ/D2+mpS/5sqR91ldaHQqenA4jBmkg1gU:IT22ZePnxogDP/5fF7aHGg0j0
Malware Config
Extracted
Family: redline
45.15.157.131:36457
auth_value: c3342eec6a24dd88f1e2d37af96605d8
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral2/memory/3924-133-0x00000000005A0000-0x00000000005C8000-memory.dmp
  yara_rule: family_redline

Uses the VBS compiler for execution (1 TTP)

Drops desktop.ini file(s) (1 IoC)
  description: File opened for modification
  ioc: C:\Users\Admin\Videos\Captures\desktop.ini
  process: svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1488 set thread context of 3924
  pid: 1488
  process: driver.exe
  target process: vbc.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  process: svchost.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  process: svchost.exe

Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{5CD6F557-303D-4E48-BCC8-3E5C9E043786}
  process: svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 204
  process: OpenWith.exe

Suspicious use of WriteProcessMemory (5 IoCs, 5 identical entries)
  description: PID 1488 wrote to memory of 3924
  pid: 1488
  process: driver.exe
  target process: vbc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\driver.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\driver.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2, child of driver.exe)
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"

C:\Windows\system32\OpenWith.exe (depth 1)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe (depth 1)
  command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3924-132-0x0000000000000000-mapping.dmp
memory/3924-133-0x00000000005A0000-0x00000000005C8000-memory.dmp (filesize: 160KB)
memory/3924-138-0x0000000005690000-0x0000000005CA8000-memory.dmp (filesize: 6.1MB)
memory/3924-139-0x0000000005180000-0x000000000528A000-memory.dmp (filesize: 1.0MB)
memory/3924-140-0x0000000000F20000-0x0000000000F32000-memory.dmp (filesize: 72KB)
memory/3924-141-0x0000000005070000-0x00000000050AC000-memory.dmp (filesize: 240KB)