Analysis
max time kernel: 173s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 06-12-2022 12:20
Static task: static1
Behavioral task: behavioral1
Sample: 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Resource: win7-20220812-en
(Note: the memory-dump paths in the signatures below are prefixed behavioral2 and the platform line says windows10-2004_x64, so the results on this page are from the Windows 10 run, not the win7 task listed here.)
General
Target: 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Size: 3.1MB
MD5: 1cd91de8f373882db0e2293f468544c8
SHA1: ff788f0bdbcc0e5951dc4b1f60c21d6dcfa7c90a
SHA256: 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109
SHA512: 20cda0f10e9e01e09d75eba4724b060b2300ea707da33e12c1853c623311c54b038e21250b6bd68716b85f861bd7278949e00a58894f57418cacc021e5a21d62
SSDEEP: 49152:zF1vNuhz6lqOEBsZEFDMEPrNeRfy8AJx4GV6UHRtLTwsOwu3B3WwepUBe1R:p1FuhzbsZMAEP0f3AXAUnosO/x3WSg
Malware Config
Extracted
Family: redline
Botnet: 11-25
C2: 172.99.189.117:44670
auth_value: f3754aeb17f33c672540bd6f71407965
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
resource: behavioral2/memory/3900-145-0x0000000000400000-0x0000000000428000-memory.dmp
yara_rule: family_redline
The family_redline match is in the child process (PID 3900) at the 32-bit PE default image base 0x400000, i.e. in the payload written into the hollowed child (see SetThreadContext and WriteProcessMemory below), not in the on-disk sample.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (by 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes: 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe) set thread context of PID 3900 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; for a stealer such as RedLine, drive enumeration is more consistent with the file grabber locating documents and wallet files than with encryption.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: powershell.exe, 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe (x2)
PID 176 powershell.exe (2 events)
PID 5112 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe (2 events)
PID 3900 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe (2 events)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Token: SeDebugPrivilege, PID 5112 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Token: SeDebugPrivilege, PID 176 powershell.exe
Token: SeDebugPrivilege, PID 3900 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe) wrote to memory of PID 176 (powershell.exe): 3 events
PID 5112 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe) wrote to memory of PID 3900 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe): 8 events
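The SetThreadContext and WriteProcessMemory entries above together form the process-hollowing pattern: the sample spawns a second copy of its own image, writes the payload into it and resets the child's thread context. The following is an added example (not sandbox or sample code) of turning those two signature tables into a single detection; the PIDs and image names are taken from this report, while the event tuple shape (api, acting pid, target pid) and the EVENTS list are constructed here for illustration.

```python
"""Flag the process-hollowing pattern recorded in this report.

Added example, not Triage or sample code. EVENTS is constructed from the
WriteProcessMemory / SetThreadContext entries above; PIDs and image names
are the report's, the event tuple shape (api, pid, target_pid) is assumed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = "24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe"

# pid -> image name, from the process tree in this report
IMAGES: Dict[int, str] = {5112: SAMPLE, 176: "powershell.exe", 3900: SAMPLE}

# (api, acting pid, target pid), constructed from the signature tables above:
# 3 writes into powershell.exe, 8 writes plus one SetThreadContext into the
# second instance of the sample.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 5112, 176)] * 3
    + [("WriteProcessMemory", 5112, 3900)] * 8
    + [("SetThreadContext", 5112, 3900)]
)


def find_hollowing(events, images, min_writes: int = 2):
    """Return sorted (parent, child) pairs where a process wrote into a child
    that runs the *same image* and then reset that child's thread context.

    Cross-process writes alone are not enough: the sample also wrote into
    powershell.exe (argument passing by a launcher) and that must not fire.
    Same image + SetThreadContext is what distinguishes hollowing
    (ATT&CK T1055.012) from ordinary process creation.
    """
    writes: Counter = Counter()
    ctx = set()
    for api, pid, target in events:
        if pid == target:          # self-writes are not injection
            continue
        if api == "WriteProcessMemory":
            writes[(pid, target)] += 1
        elif api == "SetThreadContext":
            ctx.add((pid, target))
    hits = []
    for pid, target in ctx:
        same_image = images.get(pid) == images.get(target)
        if same_image and writes[(pid, target)] >= min_writes:
            hits.append((pid, target))
    return sorted(hits)


# Triage dump names look like memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Split a dump name into (pid, seq, start, end, size_bytes); None for
    mapping.dmp entries, which carry no address range."""
    m = _DUMP.search(name)
    if not m:
        return None
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return pid, seq, start, end, end - start


if __name__ == "__main__":
    for parent, child in find_hollowing(EVENTS, IMAGES):
        print(f"hollowing: {parent} -> {child} ({IMAGES[child]})")
    print(parse_dump_name(
        "memory/3900-145-0x0000000000400000-0x0000000000428000-memory.dmp"))
```

Running it reports the single 5112 -> 3900 pair; the powershell.exe child is not flagged because it is a different image and never had its thread context touched. parse_dump_name shows that the YARA-matched dump is 0x28000 bytes (160KB) starting at 0x400000, the default load address of a 32-bit PE, which is exactly where a hollowed payload image lands.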
Processes
PID 5112: C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    PID 176: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      (The image path is SysWOW64 although the command line names System32: the parent is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64. The -ENC argument is base64 of the UTF-16LE string "Start-Sleep -Seconds 15", a delay before the payload runs.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3900: C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
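The child powershell.exe in the process tree above carries an -ENC argument, which PowerShell decodes as base64 of UTF-16LE text. The following is an added example, not code from the sandbox or the sample, of decoding that switch from a raw command line; it generalises beyond the literal -ENC to the other prefixes PowerShell accepts (-e, -ec, -EncodedCommand) and to blobs with stripped padding. The command line is copied from this report; the helper names are this example's own.

```python
"""Decode PowerShell -EncodedCommand arguments from a process command line.

Added example for reading this report; not Triage or sample code.
OBSERVED_CMDLINE is copied from the process tree above.
"""
import base64
import re
from typing import Optional

OBSERVED_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA=='
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en,
# -enc, ...) plus the documented -ec alias, case-insensitively. Longest
# alternatives first so "-enc" is not consumed as "-e" + "nc".
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                   key=len, reverse=True)
_ENC_SWITCH = re.compile(
    r'(?i)(?:^|\s)[-/](?:' + '|'.join(_PREFIXES) + r')\s+'
    r'(["\']?)([A-Za-z0-9+/=]+)\1'
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None when no encoded-command switch
    is present or the blob is not valid base64/UTF-16LE.

    PowerShell encodes the script as UTF-16LE, not UTF-8: a plain base64
    decode shows "S\\x00t\\x00a\\x00r\\x00t\\x00", hence the utf-16-le decode.
    """
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    blob = m.group(2)
    blob += "=" * (-len(blob) % 4)   # tolerate padding stripped by loggers
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_wow64_redirected(image_path: str, cmdline: str) -> bool:
    """True when the command line names System32 but the loaded image is
    under SysWOW64, i.e. a 32-bit parent was redirected by the WOW64
    file-system layer. This is why the report lists two different paths
    for the same powershell.exe process."""
    return ("\\syswow64\\" in image_path.lower()
            and "\\system32\\" in cmdline.lower())


if __name__ == "__main__":
    print(decode_encoded_command(OBSERVED_CMDLINE))
    print(is_wow64_redirected(
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        OBSERVED_CMDLINE))
```

The decoded script here is a plain sleep, so the PowerShell child is a delay rather than a second-stage downloader; the same decoder applied to a longer blob is the first thing to run on any -ENC command line pulled from a sandbox or EDR process tree.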
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe.log
  Filesize: 1KB
  MD5: 026fb31495d30e5dbfd00f398c2efbf8
  SHA1: 9cda8f5f58129e4d592ca1b9867835c86f38ab1b
  SHA256: b008f16eeae90b4c6ba119fb308616c0795cdaca51adf2b64470a0c01aeeb8b7
  SHA512: 6d1cc01c90613522cfb7be7ea67ff03732b367dfc7bfd245ad6d7ea8e5e5def431b3339d17893b7b193cee2c3b4c22a459acd3d852ee88fce711e30c5af195a1
  (Usage log written by the 32-bit .NET Framework 4 CLR when the managed sample runs; consistent with a C# RedLine build and with the SysWOW64 path of the child powershell.exe.)

Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp, grouped by process:

PID 176 (powershell.exe)
  memory/176-136-0x0000000000000000-mapping.dmp
  memory/176-137-0x0000000004BA0000-0x0000000004BD6000-memory.dmp  216KB
  memory/176-138-0x0000000005280000-0x00000000058A8000-memory.dmp  6.2MB
  memory/176-139-0x0000000005A80000-0x0000000005AE6000-memory.dmp  408KB
  memory/176-140-0x0000000005B60000-0x0000000005BC6000-memory.dmp  408KB
  memory/176-141-0x0000000006170000-0x000000000618E000-memory.dmp  120KB
  memory/176-142-0x00000000079A0000-0x000000000801A000-memory.dmp  6.5MB
  memory/176-143-0x0000000006670000-0x000000000668A000-memory.dmp  104KB

PID 3900 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe, hollowed child)
  memory/3900-144-0x0000000000000000-mapping.dmp
  memory/3900-145-0x0000000000400000-0x0000000000428000-memory.dmp  160KB  (family_redline YARA match)
  memory/3900-147-0x0000000005F20000-0x0000000006538000-memory.dmp  6.1MB
  memory/3900-148-0x0000000005A40000-0x0000000005B4A000-memory.dmp  1.0MB
  memory/3900-149-0x0000000005980000-0x0000000005992000-memory.dmp  72KB
  memory/3900-150-0x00000000059E0000-0x0000000005A1C000-memory.dmp  240KB
  memory/3900-151-0x00000000070A0000-0x0000000007116000-memory.dmp  472KB
  memory/3900-152-0x0000000007120000-0x0000000007170000-memory.dmp  320KB
  memory/3900-153-0x0000000008010000-0x00000000081D2000-memory.dmp  1.8MB
  memory/3900-154-0x0000000008710000-0x0000000008C3C000-memory.dmp  5.2MB

PID 5112 (24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe, parent)
  memory/5112-132-0x00000000006C0000-0x00000000009E4000-memory.dmp  3.1MB  (matches the 3.1MB sample size, the parent's own image)
  memory/5112-133-0x00000000071F0000-0x0000000007282000-memory.dmp  584KB
  memory/5112-134-0x0000000007840000-0x0000000007DE4000-memory.dmp  5.6MB
  memory/5112-135-0x00000000072C0000-0x00000000072E2000-memory.dmp  136KB