Analysis
-
max time kernel
153s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
04-12-2022 06:16
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
General
-
Target
tmp.exe
-
Size
47KB
-
MD5
6d717fe6e6123691c7d9ffee92625c2f
-
SHA1
ac8e4b99c2398a48884805255f2fa90daf0dff3c
-
SHA256
39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570
-
SHA512
2b1d1ef8cc59b9916ccea5712609117d99576d59d3376bfe187eca473f988c0c76bc16dfff75d0e936af769963e13135f2f5f45ae7d4b62c619ffb88d20afdf8
-
SSDEEP
768:R/IO5VILWCyh+DiWtelDSN+iV08YbygejovEgK/J/ZVc6KN:R/PNWtKDs4zb1BnkJ/ZVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
193.233.48.17:8848
dfas9asdf8as8z
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
redline
test
193.233.48.17:9832
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\build.exe family_redline C:\Users\Admin\AppData\Local\Temp\build.exe family_redline behavioral2/memory/1484-145-0x00000000004A0000-0x00000000004BE000-memory.dmp family_redline -
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2220-132-0x0000000000B20000-0x0000000000B32000-memory.dmp asyncrat -
Executes dropped EXE 1 IoCs
Processes:
build.exepid process 1484 build.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
tmp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation tmp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exetmp.exebuild.exepid process 4240 powershell.exe 4240 powershell.exe 2220 tmp.exe 1484 build.exe 1484 build.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
tmp.exepowershell.exebuild.exedescription pid process Token: SeDebugPrivilege 2220 tmp.exe Token: SeDebugPrivilege 4240 powershell.exe Token: SeDebugPrivilege 1484 build.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
tmp.execmd.exepowershell.exedescription pid process target process PID 2220 wrote to memory of 3584 2220 tmp.exe cmd.exe PID 2220 wrote to memory of 3584 2220 tmp.exe cmd.exe PID 3584 wrote to memory of 4240 3584 cmd.exe powershell.exe PID 3584 wrote to memory of 4240 3584 cmd.exe powershell.exe PID 4240 wrote to memory of 1484 4240 powershell.exe build.exe PID 4240 wrote to memory of 1484 4240 powershell.exe build.exe PID 4240 wrote to memory of 1484 4240 powershell.exe build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\build.exeFilesize
95KB
MD537ccecb56eb0d2db0a5159b5bbc3ec5b
SHA17ba3a1ef06bbd6b1444337ff58736aeeec6d4164
SHA2568dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc
SHA5128f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354
-
C:\Users\Admin\AppData\Local\Temp\build.exeFilesize
95KB
MD537ccecb56eb0d2db0a5159b5bbc3ec5b
SHA17ba3a1ef06bbd6b1444337ff58736aeeec6d4164
SHA2568dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc
SHA5128f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354
-
memory/1484-147-0x0000000004E20000-0x0000000004E32000-memory.dmpFilesize
72KB
-
memory/1484-153-0x0000000006760000-0x00000000067F2000-memory.dmpFilesize
584KB
-
memory/1484-152-0x0000000007770000-0x0000000007D14000-memory.dmpFilesize
5.6MB
-
memory/1484-151-0x0000000006C90000-0x00000000071BC000-memory.dmpFilesize
5.2MB
-
memory/1484-150-0x0000000006590000-0x0000000006752000-memory.dmpFilesize
1.8MB
-
memory/1484-156-0x0000000006C30000-0x0000000006C4E000-memory.dmpFilesize
120KB
-
memory/1484-155-0x0000000006A20000-0x0000000006A96000-memory.dmpFilesize
472KB
-
memory/1484-149-0x0000000005130000-0x000000000523A000-memory.dmpFilesize
1.0MB
-
memory/1484-142-0x0000000000000000-mapping.dmp
-
memory/1484-148-0x0000000004E80000-0x0000000004EBC000-memory.dmpFilesize
240KB
-
memory/1484-154-0x0000000006800000-0x0000000006866000-memory.dmpFilesize
408KB
-
memory/1484-145-0x00000000004A0000-0x00000000004BE000-memory.dmpFilesize
120KB
-
memory/1484-146-0x00000000055A0000-0x0000000005BB8000-memory.dmpFilesize
6.1MB
-
memory/2220-135-0x000000001D220000-0x000000001D296000-memory.dmpFilesize
472KB
-
memory/2220-133-0x00007FF905BB0000-0x00007FF906671000-memory.dmpFilesize
10.8MB
-
memory/2220-134-0x00007FF905BB0000-0x00007FF906671000-memory.dmpFilesize
10.8MB
-
memory/2220-132-0x0000000000B20000-0x0000000000B32000-memory.dmpFilesize
72KB
-
memory/2220-136-0x00000000014E0000-0x00000000014FE000-memory.dmpFilesize
120KB
-
memory/3584-137-0x0000000000000000-mapping.dmp
-
memory/4240-138-0x0000000000000000-mapping.dmp
-
memory/4240-144-0x00007FF905BB0000-0x00007FF906671000-memory.dmpFilesize
10.8MB
-
memory/4240-140-0x00007FF905BB0000-0x00007FF906671000-memory.dmpFilesize
10.8MB
-
memory/4240-139-0x00000205F4940000-0x00000205F4962000-memory.dmpFilesize
136KB