Analysis
- max time kernel: 86s
- max time network: 94s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 17-01-2023 08:13

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: MicrosoftRuntimeComponentsX86.exe
  Resource: win7-20220812-en
General
- Target: MicrosoftRuntimeComponentsX86.exe
- Size: 853.5MB
- MD5: 3fc8c48701df1828c47376ee5df96bd5
- SHA1: 0cf749ecd1750fa50975d7ebc9fecb16d5480337
- SHA256: 735dcf6c201cc373d21f08a4ea4b5d700f25d2a230e4d1fdb1d6514866df61cb
- SHA512: e3e5e88d50e5d63448f4dcc5501ec6a907c1f77b2482c35a0fe0d416092b5b83cb03b5879d8291db37af8b76d5d72ec0544952dc36f885e00d907903a5dcfd96
- SSDEEP: 24576:6FJ4cp8auK1VOS4JfFm7DTzPCOeuThaPD1:6FJ3pxucOS4bm3HmuT0PD1
Malware Config
Extracted
- Family: redline
- Botnet: 4
- C2: 95.217.102.105:1695
- auth_value: e17158d5fc1b8a0e6865d1b4aed75b6a
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid  process                            target process
  PID 848 set thread context of 2020   848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2020  MicrosoftRuntimeComponentsX86.exe
  2020  MicrosoftRuntimeComponentsX86.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   2020  MicrosoftRuntimeComponentsX86.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                         pid  process                            target process
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
  PID 848 wrote to memory of 2020     848  MicrosoftRuntimeComponentsX86.exe  MicrosoftRuntimeComponentsX86.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponentsX86.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponentsX86.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponentsX86.exe (depth 2, child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponentsX86.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/848-54-0x0000000000BB0000-0x0000000000D5C000-memory.dmp (filesize 1.7MB)
- memory/848-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp (filesize 8KB)
- memory/848-56-0x0000000000920000-0x0000000000936000-memory.dmp (filesize 88KB)
- memory/848-57-0x0000000000930000-0x000000000093A000-memory.dmp (filesize 40KB)
- memory/848-58-0x0000000005D10000-0x0000000005D86000-memory.dmp (filesize 472KB)
- memory/848-59-0x00000000042D0000-0x0000000004316000-memory.dmp (filesize 280KB)
- memory/2020-60-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2020-61-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2020-63-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2020-65-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2020-66-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2020-67-0x000000000041B58E-mapping.dmp
- memory/2020-69-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)
- memory/2020-71-0x0000000000400000-0x0000000000432000-memory.dmp (filesize 200KB)