Analysis
- max time kernel: 73s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2023 06:54

Static task: static1
Behavioral task: behavioral1
- Sample: 06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe
- Resource: win10v2004-20220812-en
General
- Target: 06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe
- Size: 1.4MB
- MD5: fd165fda80732035427ac5c9536506ac
- SHA1: f23998921c36740a05380fc53c1bc5747a19db05
- SHA256: 06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d
- SHA512: a58425dc863f6af016233367efed8476cb4177aac90ea623fc0b4df6a4ad3b4df99dc26cf14cc3f61bf24a74ab4043dc3454004e788e6c7e12fb901c8767b9d4
- SSDEEP: 24576:MHWmAFrsR4eEdzvikBXTpH4fGQDt7R61rvu6xQd0px1xr52itKQCE16SOtF:9sRsd3BDpH4fGK01q68WFEisTEESO
Malware Config
Extracted
- Family: redline
- Botnet: main
- C2: birja1.com:29658
- auth_value: 7a6d3334d5db5d02c16eec7633780063

The C2 is a hostname with a non-standard port; block or alert on both the DNS lookup for birja1.com and outbound TCP to port 29658, since the stealer may be rebuilt with the same host and a different port.
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (2 IoCs)
Processes:
PID 424 Engine.exe
PID 3108 Sapphire.exe.pif
- YARA rule match: upx (5 IoCs)
Matches:
C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe (listed twice)
behavioral1/memory/424-136-0x0000000000400000-0x0000000000558000-memory.dmp
behavioral1/memory/424-163-0x0000000000400000-0x0000000000558000-memory.dmp
behavioral1/memory/424-164-0x0000000000400000-0x0000000000558000-memory.dmp
Engine.exe is 392KB on disk but its image in PID 424 spans 0x400000-0x558000 (1.3MB), the usual footprint of a UPX-packed binary whose unpacked image is much larger than the file. The three dumps of that range are where to look for the unpacked code rather than the file on disk.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Drops desktop.ini file(s) (1 IoC)
Processes:
File opened for modification: C:\Users\Admin\Videos\Captures\desktop.ini (svchost.exe)
- Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 3108 (Sapphire.exe.pif) set thread context of PID 632 (jsc.exe)
Together with the repeated WriteProcessMemory calls from 3108 into 632 and jsc.exe being launched with no arguments, this is the pattern of thread-context (process hollowing style) injection into a legitimate .NET binary; 632 is the process to dump for the payload.
- Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
- Modifies registry class (2 IoCs)
Processes:
Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{732789BD-B340-4DA2-B474-A71F314D6199} (svchost.exe)
Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{C23A7B9D-4F77-4840-8DA1-61D3B45473C6} (svchost.exe)
The desktop.ini write, the CentralProcessor reads and the registry class keys all come from the two svchost.exe -k BcastDVRUserService instances in the process list, which are not children of the sample, so treat these three hits as background activity of the sandbox image rather than as behaviour of the sample.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: powershell.exe (PID 5000, 3 times), powershell.exe (PID 3604, 3 times), Sapphire.exe.pif (PID 3108, 8 times), jsc.exe (PID 632, 2 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Token: SeDebugPrivilege, PID 5000 powershell.exe
Token: SeDebugPrivilege, PID 3604 powershell.exe
Token: SeDebugPrivilege, PID 632 jsc.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: Sapphire.exe.pif (PID 3108, 3 times)
- Suspicious use of SendNotifyMessage (3 IoCs)
Processes: Sapphire.exe.pif (PID 3108, 3 times)
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes: OpenWith.exe (PID 1292)
- Suspicious use of WriteProcessMemory (32 IoCs)
Processes (source PID and image, target PID and image, number of rows in the report):
PID 2424 (06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe) wrote to memory of 424 (Engine.exe), 3 rows
PID 424 (Engine.exe) wrote to memory of 2000 (CmD.exe), 3 rows
PID 2000 (CmD.exe) wrote to memory of 4544 (cmd.exe), 3 rows
PID 4544 (cmd.exe) wrote to memory of 5000 (powershell.exe), 3 rows
PID 4544 (cmd.exe) wrote to memory of 3604 (powershell.exe), 3 rows
PID 4544 (cmd.exe) wrote to memory of 936 (certutil.exe), 3 rows
PID 4544 (cmd.exe) wrote to memory of 2968 (findstr.exe), 3 rows
PID 4544 (cmd.exe) wrote to memory of 3108 (Sapphire.exe.pif), 3 rows
PID 4544 (cmd.exe) wrote to memory of 4228 (PING.EXE), 3 rows
PID 3108 (Sapphire.exe.pif) wrote to memory of 632 (jsc.exe), 5 rows
A parent writing into a child it has just created is normal process start-up and is what produces the three-row entries above; the edge that matters is 3108 to 632, which carries extra writes and pairs with the SetThreadContext entry.
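The WriteProcessMemory and SetThreadContext rows above are flat text in the export, and the interesting information (who created whom, and which edge carries more writes than a normal spawn) has to be recovered from them. The following is an added example, not part of the sandbox report or of its tooling: it parses rows in exactly the format shown above, rebuilds the parent map, and flags edges with more WriteProcessMemory rows than a plain CreateProcess produces or with a matching SetThreadContext row. The threshold of three writes per normal spawn is an assumption read off this report; the row texts embedded below are copied from it (only the 2424->424 and 3108->632 edges are given with their full repeat count, the other edges once each).

```python
import re
from collections import Counter

# Rows copied from the "Suspicious use of WriteProcessMemory" and "Suspicious
# use of SetThreadContext" signatures of this report. Only the 2424->424 and
# 3108->632 edges are given with their full repeat count (3 and 5 rows); the
# other parent->child edges appear three times each in the report and are
# listed once here to keep the sample short.
WPM_ROWS = """
PID 2424 wrote to memory of 424 2424 06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe Engine.exe
PID 2424 wrote to memory of 424 2424 06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe Engine.exe
PID 2424 wrote to memory of 424 2424 06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe Engine.exe
PID 424 wrote to memory of 2000 424 Engine.exe CmD.exe
PID 2000 wrote to memory of 4544 2000 CmD.exe cmd.exe
PID 4544 wrote to memory of 5000 4544 cmd.exe powershell.exe
PID 4544 wrote to memory of 3604 4544 cmd.exe powershell.exe
PID 4544 wrote to memory of 936 4544 cmd.exe certutil.exe
PID 4544 wrote to memory of 2968 4544 cmd.exe findstr.exe
PID 4544 wrote to memory of 3108 4544 cmd.exe Sapphire.exe.pif
PID 4544 wrote to memory of 4228 4544 cmd.exe PING.EXE
PID 3108 wrote to memory of 632 3108 Sapphire.exe.pif jsc.exe
PID 3108 wrote to memory of 632 3108 Sapphire.exe.pif jsc.exe
PID 3108 wrote to memory of 632 3108 Sapphire.exe.pif jsc.exe
PID 3108 wrote to memory of 632 3108 Sapphire.exe.pif jsc.exe
PID 3108 wrote to memory of 632 3108 Sapphire.exe.pif jsc.exe
"""
STC_ROWS = "PID 3108 set thread context of 632 3108 Sapphire.exe.pif jsc.exe"

# Row layout: "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")

# Assumption taken from this report: a plain CreateProcess shows up as exactly
# three WriteProcessMemory rows from parent to child. Tune for other sandboxes.
NORMAL_SPAWN_WRITES = 3


def parse_edges(text, pattern):
    """Return ({(src_pid, dst_pid): row_count}, {pid: image_name})."""
    counts, names = Counter(), {}
    for m in pattern.finditer(text):
        src, dst = int(m.group(1)), int(m.group(2))
        counts[(src, dst)] += 1
        names[src], names[dst] = m.group(3), m.group(4)
    return counts, names


def build_parent_map(counts):
    """child pid -> parent pid; the first process that wrote into a pid is
    taken as its creator."""
    parent = {}
    for src, dst in counts:
        parent.setdefault(dst, src)
    return parent


def ancestry(parent, names, pid):
    """Root-to-pid chain as ['<pid> <name>', ...]."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [f"{p} {names.get(p, '?')}" for p in reversed(chain)]


def injection_candidates(wpm_counts, stc_counts):
    """Edges with more WriteProcessMemory rows than a normal spawn, or that
    also appear in SetThreadContext: the hollowing/injection suspects."""
    return sorted(edge for edge, n in wpm_counts.items()
                  if n > NORMAL_SPAWN_WRITES or edge in stc_counts)


def analyze(wpm_text=WPM_ROWS, stc_text=STC_ROWS):
    wpm, names = parse_edges(wpm_text, WPM_RE)
    stc, more = parse_edges(stc_text, STC_RE)
    names.update(more)
    parent = build_parent_map(wpm)
    candidates = injection_candidates(wpm, stc)
    return {
        "parent": parent,
        "candidates": candidates,
        "chains": {dst: ancestry(parent, names, dst) for _, dst in candidates},
    }


if __name__ == "__main__":
    result = analyze()
    for src, dst in result["candidates"]:
        print(f"injection suspect: {src} -> {dst}")
        print("  chain:", " -> ".join(result["chains"][dst]))
```

Run against the rows above it reports a single suspect edge, 3108 -> 632, and prints the full six-process chain from the submitted sample down to jsc.exe; the 2424 -> 424 edge stays below the threshold because three writes is what every spawn in this report produces.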
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe"
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe
    command line: C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe /TH_ID=_4516 /OriginExe="C:\Users\Admin\AppData\Local\Temp\06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\CmD.exe
      command line: C:\Windows\system32\CmD.exe /c cmd < 64
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\cmd.exe
        command line: cmd
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell get-process avastui
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        (depth 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell get-process avgui
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        (depth 5) C:\Windows\SysWOW64\certutil.exe
          command line: certutil -decode 23 23DDdRqF
        (depth 5) C:\Windows\SysWOW64\findstr.exe
          command line: findstr /V /R "^jdjfUCLAznmSSizqPiNAzpcaRJECVAbEQRcNMoxDprqvwRmVfhrHtNGeUUnlXpESwUewLGgHNpsdoZdqlJhIbQmela$" 23DDdRqF
        (depth 5) C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\30645\Sapphire.exe.pif
          command line: 30645\\Sapphire.exe.pif 30645\\a
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          (depth 6) C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        (depth 5) C:\Windows\SysWOW64\PING.EXE
          command line: ping localhost -n 8
          - Runs ping.exe
(depth 1) C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
(depth 1) C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
(depth 1) C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  - Checks processor information in registry
  - Modifies registry class

Reading the tree: the submitted sample drops and runs Engine.exe (UPX-packed, written to SETUP_27185 together with 00000#15, 00001#23, 00002#64, Modern_Icon.bmp and Setup.txt). Engine.exe starts a 32-bit CmD.exe (note the odd casing, a cheap but useful detection token) with a script fed on stdin via "< 64"; the 14KB 00002#64 dropped alongside is the likely script. That script first probes for Avast and AVG by running get-process avastui and get-process avgui, then rebuilds the next stage with two LOLBins: certutil -decode turns the base64 blob 23 into 23DDdRqF (the 1.2MB 00001#23 and the 872KB 23DDdRqF line up with that), and findstr /V /R "^<marker>$" emits every line of 23DDdRqF except the one junk marker line (the output redirection is not captured in the tree, but Sapphire.exe.pif is also 872KB with a different hash, consistent with that line being stripped). Sapphire.exe.pif is then run with the argument 30645\\a, starts jsc.exe with no arguments and injects into it via WriteProcessMemory and SetThreadContext, which makes PID 632 the likely host of the RedLine payload whose configuration is shown under Malware Config. ping localhost -n 8 is the usual batch-file sleep of roughly eight seconds. OpenWith.exe and the two svchost.exe BcastDVRUserService instances are not children of the sample.
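The cmd.exe subtree above is a compact stager pattern (AV probe, certutil -decode, findstr /V marker strip, run a .pif from Temp, ping sleep, then hollow jsc.exe) that is easy to write process-creation detections for. The block below is an added example written for this page, not detection content from the sandbox: it runs a handful of command-line rules over process-creation events reconstructed from the tree above (PIDs and command lines as listed there) plus three constructed benign events, and then correlates per parent so that a lone certutil or ping does not fire. The thresholds (ping -n of 5 or more, a marker token of 20+ characters, the set of build tools allowed to launch jsc.exe) are assumptions, as are the benign events.

```python
import re

# Process-creation events taken from this report's process tree (PIDs and
# command lines as listed there), plus three constructed benign events
# (PIDs 9001-9003) that the rules must not flag.
EVENTS = [
    dict(pid=4544, ppid=2000, image=r"C:\Windows\SysWOW64\cmd.exe", cmdline="cmd"),
    dict(pid=5000, ppid=4544, image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         cmdline="powershell get-process avastui"),
    dict(pid=3604, ppid=4544, image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         cmdline="powershell get-process avgui"),
    dict(pid=936, ppid=4544, image=r"C:\Windows\SysWOW64\certutil.exe",
         cmdline="certutil -decode 23 23DDdRqF"),
    dict(pid=2968, ppid=4544, image=r"C:\Windows\SysWOW64\findstr.exe",
         cmdline='findstr /V /R "^jdjfUCLAznmSSizqPiNAzpcaRJECVAbEQRcNMoxDprqvwRmVfhrHtNGeUUnlXpESwUewLGgHNpsdoZdqlJhIbQmela$" 23DDdRqF'),
    dict(pid=3108, ppid=4544, image=r"C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\30645\Sapphire.exe.pif",
         cmdline=r"30645\\Sapphire.exe.pif 30645\\a"),
    dict(pid=632, ppid=3108, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
         cmdline=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"),
    dict(pid=4228, ppid=4544, image=r"C:\Windows\SysWOW64\PING.EXE", cmdline="ping localhost -n 8"),
    # constructed benign events: a build tool running jsc.exe, and a real ping
    dict(pid=9001, ppid=1, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         cmdline="MSBuild.exe app.proj"),
    dict(pid=9002, ppid=9001, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
         cmdline="jsc.exe /nologo app.js"),
    dict(pid=9003, ppid=1, image=r"C:\Windows\System32\PING.EXE", cmdline="ping 10.0.0.1 -n 2"),
]

DEV_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}  # assumed allow-list


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def r_certutil_decode(ev, parent):
    return basename(ev["image"]) == "certutil.exe" and bool(
        re.search(r"\s-decode(hex)?\b", ev["cmdline"], re.I))


def r_findstr_marker_strip(ev, parent):
    # findstr /V /R "^<long token>$" <file>: emit every line except one exact
    # junk marker line, i.e. rebuild a payload out of a decoded blob.
    return basename(ev["image"]) == "findstr.exe" and bool(
        re.search(r'/V\b.*"\^[A-Za-z0-9]{20,}\$"', ev["cmdline"], re.I))


def r_ping_sleep(ev, parent):
    # ping against loopback with a high -n count is a batch-file sleep
    cmd = ev["cmdline"]
    if basename(ev["image"]) != "ping.exe" or not re.search(r"\b(localhost|127\.0\.0\.1)\b", cmd, re.I):
        return False
    m = re.search(r"-n\s+(\d+)", cmd, re.I)
    return bool(m) and int(m.group(1)) >= 5


def r_pif_from_temp(ev, parent):
    img = ev["image"].lower()
    return img.endswith(".pif") and "\\appdata\\local\\temp\\" in img


def r_jsc_noargs_nondev_parent(ev, parent):
    # jsc.exe started with no arguments by something other than a build tool
    # is the hollowing host seen in this report
    if basename(ev["image"]) != "jsc.exe":
        return False
    rest = re.sub(r'^(?:"[^"]+"|\S+)\s*', "", ev["cmdline"].strip())
    return rest == "" and (parent is None or basename(parent["image"]) not in DEV_PARENTS)


def r_av_probe(ev, parent):
    return basename(ev["image"]) == "powershell.exe" and bool(
        re.search(r"get-process\s+(avastui|avgui)\b", ev["cmdline"], re.I))


RULES = {
    "certutil_decode": r_certutil_decode,
    "findstr_marker_strip": r_findstr_marker_strip,
    "ping_sleep": r_ping_sleep,
    "pif_from_temp": r_pif_from_temp,
    "jsc_noargs_nondev_parent": r_jsc_noargs_nondev_parent,
    "av_probe": r_av_probe,
}
STAGER_RULES = set(RULES) - {"jsc_noargs_nondev_parent"}


def evaluate(events):
    """pid -> names of the rules that fired on that process."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, fn in RULES.items() if fn(ev, by_pid.get(ev["ppid"]))]
        if fired:
            hits[ev["pid"]] = fired
    return hits


def staging_chains(events, hits, min_rules=3):
    """A parent whose children trip >= min_rules distinct stager rules is the
    decode / strip / run-from-Temp / sleep chain of this report; a single
    certutil -decode or ping on its own stays below the bar."""
    per_parent = {}
    for ev in events:
        for name in hits.get(ev["pid"], []):
            if name in STAGER_RULES:
                per_parent.setdefault(ev["ppid"], set()).add(name)
    return {ppid: sorted(names) for ppid, names in per_parent.items() if len(names) >= min_rules}


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for pid, names in found.items():
        print(pid, names)
    print("staging chains:", staging_chains(EVENTS, found))
```

Each child process trips exactly one rule, jsc.exe is flagged only because its parent is the .pif rather than a build tool, and the per-parent correlation returns PID 4544 (the cmd.exe that ran the stager) with all five stager rules; the MSBuild, jsc.exe-with-arguments and ordinary ping events stay silent.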
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: def65711d78669d7f8e69313be4acf2e
  SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
  SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
  SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 25ef5d3305311185916d884f9ee69dbb
  SHA1: 8d7726c0a1f7099c900ca8f0150e8917edd8afd6
  SHA256: 624b05819b5d929b90cda8a4a56a39425ba9b84bd6d32f4bb628131085b7342d
  SHA512: d40c42c567ad794ee832b6b35557858a99db40fd68331df4c7138324d98c6c8d9308cb9c4dd43f84957d0a3535dcc3cc7bf06c40093c3528be3bf08cd4b9777b
- C:\Users\Admin\AppData\Local\Temp\SETUP_27185\00000#15
  Filesize: 703KB
  MD5: df71877bb70145c158ee749484d637e5
  SHA1: af402cbddb2166c83fe4a22d542442b4e0690768
  SHA256: b645ec264e0cfb2bdc9551902fd026c32808c2b3d4837a43c2303151ed994144
  SHA512: ba024d5cadc7483f10566da88e99273d5d38c17f9206392f2f3d86fb0d8f75eaeedb11c7b8d57a378089b5e90d45cbd1e1a787b80a6cfdcc7e162342e7d86330
- C:\Users\Admin\AppData\Local\Temp\SETUP_27185\00001#23
  Filesize: 1.2MB
  MD5: 701d6702294745ec4dacfa44185f3a1f
  SHA1: 2f10d2d401ea759b215df8f226f9aaef292b4078
  SHA256: 00a8e70fa0887bf3f554be24e02b319c8d2cb272304faed4bcb78349902992e0
  SHA512: 95ede9988f3cf0a549bf3b28667710683e7936ec7fdd3b4c0ad4e38fda17916d3e5c7cf54b859cea54ff88f25fe487d24db4b8f03ce2d16401b3958de0b8a190
- C:\Users\Admin\AppData\Local\Temp\SETUP_27185\00002#64
  Filesize: 14KB
  MD5: a298fc34bd36502c2feb227ab10877eb
  SHA1: 3e088657aa4207907e206194149185bc03bdee5d
  SHA256: 52ba970eecdcb4253474ec350e960d6a4dc3a1e44680ea9a970119129d158191
  SHA512: 11fb7c57fd29145781bd0ed2ebd0f277fdee06978791a2ccff1b0f84dd4ae4ec165a2622976493d27a852d7ca2118302002b685b1fbb6d71270e0ccaa14728a4
- C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Engine.exe (listed twice in the report, identical hashes)
  Filesize: 392KB
  MD5: debfb007af59891f08aaa75bff0e0df0
  SHA1: cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87
  SHA256: e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7
  SHA512: 1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1
- C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Modern_Icon.bmp
  Filesize: 7KB
  MD5: 1dd88f67f029710d5c5858a6293a93f1
  SHA1: 3e5ef66613415fe9467b2a24ccc27d8f997e7df6
  SHA256: b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
  SHA512: 7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94
- C:\Users\Admin\AppData\Local\Temp\SETUP_27185\Setup.txt
  Filesize: 2KB
  MD5: 4659c49e470bbfee63e5fb5c3124b5f5
  SHA1: f6d8fec5e142f7bef189222876184e7a4f328d77
  SHA256: 57be12e2d60db927a577b4b6b2a9fc3bb675a45b9800eea0e8f746d4da9baac2
  SHA512: 3c3d59266297ef361c79c016dd6814e1c762d3d2fb5063d0c5c66a0ce214a163cbff4406c03f91268e967f7fdecd7cfd529a4e5ced5729322cc3d41f9890a895
- C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\23DDdRqF
  Filesize: 872KB
  MD5: bffb8a21a31753c1b89ed768421d6762
  SHA1: 133606479ee6fc8a60dc2dd3f0a13b62b79da54a
  SHA256: 5957bb04b17675dde4f67b46c0521ca34245ae2ef30d1107f3bf3a2d2c7b7db7
  SHA512: 2a76dc72c5d02cfbdd2eba4823b6f62bdf7700ab21709bbbe8f2f13a0bca208ff1b3c4e189e9c93745f33d929b7609065c01b21cc45493f9fac42ebc46186677
- C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\30645\Sapphire.exe.pif
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
Memory dumps (PID-ordinal-range; "mapping.dmp" entries are the module maps for that process):
- memory/424-164-0x0000000000400000-0x0000000000558000-memory.dmp (1.3MB)
- memory/424-163-0x0000000000400000-0x0000000000558000-memory.dmp (1.3MB)
- memory/424-136-0x0000000000400000-0x0000000000558000-memory.dmp (1.3MB)
- memory/424-132-0x0000000000000000-mapping.dmp
- memory/632-165-0x0000000000000000-mapping.dmp
- memory/632-172-0x00000000067D0000-0x0000000006862000-memory.dmp (584KB)
- memory/632-169-0x0000000005940000-0x0000000005A4A000-memory.dmp (1.0MB)
- memory/632-168-0x0000000005E10000-0x0000000006428000-memory.dmp (6.1MB)
- memory/632-166-0x0000000000F70000-0x0000000000FA2000-memory.dmp (200KB)
- memory/632-174-0x0000000007990000-0x0000000007EBC000-memory.dmp (5.2MB)
- memory/632-171-0x00000000058D0000-0x000000000590C000-memory.dmp (240KB)
- memory/632-170-0x0000000005870000-0x0000000005882000-memory.dmp (72KB)
- memory/632-175-0x0000000006B00000-0x0000000006B76000-memory.dmp (472KB)
- memory/632-176-0x0000000006B80000-0x0000000006BD0000-memory.dmp (320KB)
- memory/632-173-0x0000000007290000-0x0000000007452000-memory.dmp (1.8MB)
- memory/936-157-0x0000000000000000-mapping.dmp
- memory/2000-141-0x0000000000000000-mapping.dmp
- memory/2968-158-0x0000000000000000-mapping.dmp
- memory/3108-160-0x0000000000000000-mapping.dmp
- memory/3604-154-0x0000000000000000-mapping.dmp
- memory/4228-162-0x0000000000000000-mapping.dmp
- memory/4544-142-0x0000000000000000-mapping.dmp
- memory/5000-148-0x0000000005B30000-0x0000000005B96000-memory.dmp (408KB)
- memory/5000-151-0x0000000006610000-0x000000000662A000-memory.dmp (104KB)
- memory/5000-150-0x00000000070D0000-0x0000000007166000-memory.dmp (600KB)
- memory/5000-149-0x0000000006110000-0x000000000612E000-memory.dmp (120KB)
- memory/5000-152-0x0000000006660000-0x0000000006682000-memory.dmp (136KB)
- memory/5000-147-0x0000000005A50000-0x0000000005AB6000-memory.dmp (408KB)
- memory/5000-146-0x0000000005160000-0x0000000005182000-memory.dmp (136KB)
- memory/5000-145-0x0000000005320000-0x0000000005948000-memory.dmp (6.2MB)
- memory/5000-144-0x00000000027F0000-0x0000000002826000-memory.dmp (216KB)
- memory/5000-143-0x0000000000000000-mapping.dmp
- memory/5000-153-0x0000000007720000-0x0000000007CC4000-memory.dmp (5.6MB)

For the injected payload start with the PID 632 (jsc.exe) dumps, since that is the process Sapphire.exe.pif set the thread context of; the PID 424 dumps cover the in-memory image of the UPX-packed Engine.exe, and the PID 5000 dumps belong to one of the two powershell get-process probes.