Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
16-12-2022 12:06
General
-
Target
tmp.exe
-
Size
638KB
-
MD5
fcee7bf402dedeaf3fcf18a52a56d75b
-
SHA1
f99c8a99be241fc82c06c2c0155bee4ce26e2e5e
-
SHA256
55fa30deba49d1278145e3ab083182e50146fdc55643c54d3126a7b8a76c0684
-
SHA512
0bac4d1f9e3c7d6ba58a4370a59a233506a6565debc81148a40a743188902abbc1e6e822c45a1cf5267f3e3227d913689fdd76bc3d812598b928fcd835c84c68
-
SSDEEP
12288:UPw4kbHpG72xQBtEOwhnG+ChQKyRHZVuTlnCAEPXemyHLH+:h1JG7ShnGQHZVuTgXu5D+
Malware Config
Extracted
redline
SPOOFER
20.197.226.40:32619
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp.exe2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Updater.exe"C:\Users\Admin\AppData\Local\Temp\Updater.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Updater.exeC:\Users\Admin\AppData\Local\Temp\Updater.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {A5130822-B037-4B25-8D93-B486605485CE} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Updater.exeC:\Users\Admin\AppData\Roaming\Updater.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Updater.exeC:\Users\Admin\AppData\Roaming\Updater.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
C:\Users\Admin\AppData\Local\Temp\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
C:\Users\Admin\AppData\Local\Temp\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59d6c2305292bee1ec2ada5478cc28049
SHA1fe6e2bb262122291258d91e5661903356e48188b
SHA25610cace50b93051a3e4a567bafcc99b06725510bd320d818bb3b332e47548bf09
SHA512248bb1c61c26842118e60e0e4033204597ceb0f94fca9d125d0849c0e14ece1e887a58e590e5b75d36b4a43d1fb37e9a307ee10766f63f9c4db7d3f7a12de5b1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59d6c2305292bee1ec2ada5478cc28049
SHA1fe6e2bb262122291258d91e5661903356e48188b
SHA25610cace50b93051a3e4a567bafcc99b06725510bd320d818bb3b332e47548bf09
SHA512248bb1c61c26842118e60e0e4033204597ceb0f94fca9d125d0849c0e14ece1e887a58e590e5b75d36b4a43d1fb37e9a307ee10766f63f9c4db7d3f7a12de5b1
-
C:\Users\Admin\AppData\Roaming\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
C:\Users\Admin\AppData\Roaming\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
C:\Users\Admin\AppData\Roaming\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
\Users\Admin\AppData\Local\Temp\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
\Users\Admin\AppData\Roaming\Updater.exeFilesize
1.0MB
MD5bb233d4542a170be01c2d14cbb4a1d8a
SHA13f5b38c62ab67eb8612af6280294b524d94891cd
SHA2565e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352
SHA512fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3
-
memory/764-102-0x000000001B1D0000-0x000000001B224000-memory.dmpFilesize
336KB
-
memory/764-90-0x0000000140000000-0x0000000140078000-memory.dmpFilesize
480KB
-
memory/764-92-0x0000000140000000-0x0000000140078000-memory.dmpFilesize
480KB
-
memory/764-89-0x0000000140000000-0x0000000140078000-memory.dmpFilesize
480KB
-
memory/764-93-0x0000000140000000-0x0000000140078000-memory.dmpFilesize
480KB
-
memory/764-94-0x0000000140000000-mapping.dmp
-
memory/764-99-0x0000000001260000-0x0000000001300000-memory.dmpFilesize
640KB
-
memory/764-100-0x0000000000DD0000-0x0000000000E26000-memory.dmpFilesize
344KB
-
memory/764-101-0x0000000002940000-0x000000000298C000-memory.dmpFilesize
304KB
-
memory/856-122-0x000000001B700000-0x000000001B9FF000-memory.dmpFilesize
3.0MB
-
memory/856-117-0x0000000000000000-mapping.dmp
-
memory/856-120-0x000007FEED020000-0x000007FEEDA43000-memory.dmpFilesize
10.1MB
-
memory/856-121-0x000007FEEC4C0000-0x000007FEED01D000-memory.dmpFilesize
11.4MB
-
memory/856-123-0x0000000002764000-0x0000000002767000-memory.dmpFilesize
12KB
-
memory/856-126-0x000000000276B000-0x000000000278A000-memory.dmpFilesize
124KB
-
memory/856-127-0x0000000002764000-0x0000000002767000-memory.dmpFilesize
12KB
-
memory/856-128-0x000000000276B000-0x000000000278A000-memory.dmpFilesize
124KB
-
memory/936-60-0x000000006E5C0000-0x000000006EB6B000-memory.dmpFilesize
5.7MB
-
memory/936-61-0x000000006E5C0000-0x000000006EB6B000-memory.dmpFilesize
5.7MB
-
memory/936-58-0x0000000000000000-mapping.dmp
-
memory/1408-57-0x00000000750A1000-0x00000000750A3000-memory.dmpFilesize
8KB
-
memory/1408-54-0x0000000000D90000-0x0000000000E36000-memory.dmpFilesize
664KB
-
memory/1408-56-0x0000000004BB0000-0x0000000004C42000-memory.dmpFilesize
584KB
-
memory/1408-55-0x00000000009F0000-0x0000000000A94000-memory.dmpFilesize
656KB
-
memory/1560-139-0x00000000025D6000-0x00000000025F5000-memory.dmpFilesize
124KB
-
memory/1560-134-0x0000000140000000-mapping.dmp
-
memory/1632-63-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1632-65-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1632-70-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1632-62-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1632-68-0x000000000041933E-mapping.dmp
-
memory/1632-66-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1632-67-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1632-72-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1668-83-0x000007FEEA560000-0x000007FEEAF83000-memory.dmpFilesize
10.1MB
-
memory/1668-85-0x00000000023D4000-0x00000000023D7000-memory.dmpFilesize
12KB
-
memory/1668-87-0x00000000023DB000-0x00000000023FA000-memory.dmpFilesize
124KB
-
memory/1668-86-0x00000000023DB000-0x00000000023FA000-memory.dmpFilesize
124KB
-
memory/1668-84-0x000007FEE9A00000-0x000007FEEA55D000-memory.dmpFilesize
11.4MB
-
memory/1668-81-0x0000000000000000-mapping.dmp
-
memory/1760-136-0x000000001AE16000-0x000000001AE35000-memory.dmpFilesize
124KB
-
memory/1760-111-0x0000000000000000-mapping.dmp
-
memory/1760-114-0x0000000000AC0000-0x0000000000BC4000-memory.dmpFilesize
1.0MB
-
memory/1788-80-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmpFilesize
8KB
-
memory/1788-98-0x0000000002986000-0x00000000029A5000-memory.dmpFilesize
124KB
-
memory/1788-78-0x0000000001320000-0x0000000001424000-memory.dmpFilesize
1.0MB
-
memory/1788-75-0x0000000000000000-mapping.dmp
-
memory/1788-79-0x0000000000F90000-0x0000000001094000-memory.dmpFilesize
1.0MB
-
memory/1928-124-0x00000000025BB000-0x00000000025DA000-memory.dmpFilesize
124KB
-
memory/1928-109-0x00000000025B4000-0x00000000025B7000-memory.dmpFilesize
12KB
-
memory/1928-103-0x0000000000000000-mapping.dmp
-
memory/1928-125-0x00000000025B4000-0x00000000025B7000-memory.dmpFilesize
12KB
-
memory/1928-115-0x00000000025BB000-0x00000000025DA000-memory.dmpFilesize
124KB
-
memory/1928-107-0x000007FEED020000-0x000007FEEDA43000-memory.dmpFilesize
10.1MB
-
memory/1928-108-0x000007FEEC4C0000-0x000007FEED01D000-memory.dmpFilesize
11.4MB