Analysis
-
max time kernel
45s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
04-12-2022 06:16
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
General
-
Target
tmp.exe
-
Size
47KB
-
MD5
6d717fe6e6123691c7d9ffee92625c2f
-
SHA1
ac8e4b99c2398a48884805255f2fa90daf0dff3c
-
SHA256
39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570
-
SHA512
2b1d1ef8cc59b9916ccea5712609117d99576d59d3376bfe187eca473f988c0c76bc16dfff75d0e936af769963e13135f2f5f45ae7d4b62c619ffb88d20afdf8
-
SSDEEP
768:R/IO5VILWCyh+DiWtelDSN+iV08YbygejovEgK/J/ZVc6KN:R/PNWtKDs4zb1BnkJ/ZVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
193.233.48.17:8848
dfas9asdf8as8z
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
redline
test
193.233.48.17:9832
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\build.exe family_redline C:\Users\Admin\AppData\Local\Temp\build.exe family_redline behavioral1/memory/964-68-0x00000000013B0000-0x00000000013CE000-memory.dmp family_redline -
Async RAT payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2032-54-0x0000000001330000-0x0000000001342000-memory.dmp asyncrat behavioral1/memory/2032-55-0x0000000000580000-0x000000000058C000-memory.dmp asyncrat -
Executes dropped EXE 1 IoCs
Processes:
build.exepid process 964 build.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exetmp.exebuild.exepid process 1144 powershell.exe 1144 powershell.exe 1144 powershell.exe 2032 tmp.exe 964 build.exe 964 build.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
tmp.exepowershell.exebuild.exedescription pid process Token: SeDebugPrivilege 2032 tmp.exe Token: SeDebugPrivilege 1144 powershell.exe Token: SeDebugPrivilege 964 build.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
tmp.execmd.exepowershell.exedescription pid process target process PID 2032 wrote to memory of 1452 2032 tmp.exe cmd.exe PID 2032 wrote to memory of 1452 2032 tmp.exe cmd.exe PID 2032 wrote to memory of 1452 2032 tmp.exe cmd.exe PID 1452 wrote to memory of 1144 1452 cmd.exe powershell.exe PID 1452 wrote to memory of 1144 1452 cmd.exe powershell.exe PID 1452 wrote to memory of 1144 1452 cmd.exe powershell.exe PID 1144 wrote to memory of 964 1144 powershell.exe build.exe PID 1144 wrote to memory of 964 1144 powershell.exe build.exe PID 1144 wrote to memory of 964 1144 powershell.exe build.exe PID 1144 wrote to memory of 964 1144 powershell.exe build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\build.exeFilesize
95KB
MD537ccecb56eb0d2db0a5159b5bbc3ec5b
SHA17ba3a1ef06bbd6b1444337ff58736aeeec6d4164
SHA2568dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc
SHA5128f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354
-
C:\Users\Admin\AppData\Local\Temp\build.exeFilesize
95KB
MD537ccecb56eb0d2db0a5159b5bbc3ec5b
SHA17ba3a1ef06bbd6b1444337ff58736aeeec6d4164
SHA2568dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc
SHA5128f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354
-
memory/964-69-0x00000000766D1000-0x00000000766D3000-memory.dmpFilesize
8KB
-
memory/964-68-0x00000000013B0000-0x00000000013CE000-memory.dmpFilesize
120KB
-
memory/964-64-0x0000000000000000-mapping.dmp
-
memory/1144-62-0x000000001B820000-0x000000001BB1F000-memory.dmpFilesize
3.0MB
-
memory/1144-60-0x000007FEEB4A0000-0x000007FEEBFFD000-memory.dmpFilesize
11.4MB
-
memory/1144-61-0x0000000002924000-0x0000000002927000-memory.dmpFilesize
12KB
-
memory/1144-59-0x000007FEEC000000-0x000007FEECA23000-memory.dmpFilesize
10.1MB
-
memory/1144-58-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmpFilesize
8KB
-
memory/1144-57-0x0000000000000000-mapping.dmp
-
memory/1144-67-0x000000000292B000-0x000000000294A000-memory.dmpFilesize
124KB
-
memory/1144-66-0x0000000002924000-0x0000000002927000-memory.dmpFilesize
12KB
-
memory/1452-56-0x0000000000000000-mapping.dmp
-
memory/2032-54-0x0000000001330000-0x0000000001342000-memory.dmpFilesize
72KB
-
memory/2032-55-0x0000000000580000-0x000000000058C000-memory.dmpFilesize
48KB