Analysis
-
max time kernel
140s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2022 10:13
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
General
-
Target
file.exe
-
Size
2.9MB
-
MD5
1e46438f13693aaa0f35a0c796d60c61
-
SHA1
a4cfbb31c87c7368554a5081157382bedded6551
-
SHA256
97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6
-
SHA512
b0348e5f8962261a64130208c86321afebaff4fe1b1cb2b164a8bc35dca73ecfaaf7d2348865bee88233f3feeff3deb2884f23e86c66ee88270f55c6252c4778
-
SSDEEP
49152:zgVPqtIzOYelWFO5zKLV/28K6gCCLP8FL5A3mACFkHtNX6GB4I7pvIOSA:z4PSInelcYwVVK677DkHLXlB4CIPA
Malware Config
Extracted
redline
Install
manddarinn.art:81
-
auth_value
f9affed97251c08e7a096257ba9edfb2
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4892-140-0x0000000000400000-0x000000000042C000-memory.dmp family_redline behavioral2/memory/4892-141-0x000000000042218E-mapping.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
file.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe -
Processes:
resource yara_rule behavioral2/memory/1376-133-0x00000000007B0000-0x000000000106C000-memory.dmp themida behavioral2/memory/1376-142-0x00000000007B0000-0x000000000106C000-memory.dmp themida -
Processes:
file.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
file.exepid process 1376 file.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 1376 set thread context of 4892 1376 file.exe InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
file.exedescription pid process Token: SeDebugPrivilege 1376 file.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
file.exedescription pid process target process PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe PID 1376 wrote to memory of 4892 1376 file.exe InstallUtil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1376-143-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmpFilesize
2.0MB
-
memory/1376-134-0x00000000007B0000-0x000000000106C000-memory.dmpFilesize
8.7MB
-
memory/1376-135-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmpFilesize
2.0MB
-
memory/1376-136-0x00007FF9C7010000-0x00007FF9C7AD1000-memory.dmpFilesize
10.8MB
-
memory/1376-137-0x00000000007B0000-0x000000000106C000-memory.dmpFilesize
8.7MB
-
memory/1376-138-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmpFilesize
2.0MB
-
memory/1376-139-0x00007FF9C7010000-0x00007FF9C7AD1000-memory.dmpFilesize
10.8MB
-
memory/1376-144-0x00007FF9C7010000-0x00007FF9C7AD1000-memory.dmpFilesize
10.8MB
-
memory/1376-133-0x00000000007B0000-0x000000000106C000-memory.dmpFilesize
8.7MB
-
memory/1376-142-0x00000000007B0000-0x000000000106C000-memory.dmpFilesize
8.7MB
-
memory/4892-141-0x000000000042218E-mapping.dmp
-
memory/4892-140-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4892-145-0x0000000005BF0000-0x0000000006208000-memory.dmpFilesize
6.1MB
-
memory/4892-146-0x00000000059F0000-0x0000000005AFA000-memory.dmpFilesize
1.0MB
-
memory/4892-147-0x0000000005920000-0x0000000005932000-memory.dmpFilesize
72KB
-
memory/4892-148-0x0000000005980000-0x00000000059BC000-memory.dmpFilesize
240KB