Overview

overview

10

Static

static

1

7d87c4bc2f...61.exe

windows7-x64

10

7d87c4bc2f...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/02/2023, 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d87c4bc2f2d293c42d30b5c85b7a061.exe

  • Size

    518KB

  • MD5

    7d87c4bc2f2d293c42d30b5c85b7a061

  • SHA1

    4cab1a968d1e93eb0b6ec52f0df4f9d7e56029d1

  • SHA256

    72fa014db49738f6ab72b7e127c30d4d15a7e6c03aaa5c3a7e06be766858a124

  • SHA512

    d33fb6f6dca80349b1f23f206c85d915d683ebb8d3ce9dffa1ada6e48d25d45fafb19b6692e88a1431f1926faf48bec3f64516e42fe84e9b67c30bf47764c884

  • SSDEEP

    12288:JMrny90xCiQb5c+bKuZdZ3+Nxpsvka6OIOIpCNAJ:CyKCdba+nr37vP6s8CuJ

Score
10/10
redlinecryptdiscoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

crypt

C2

176.113.115.17:4132

Attributes
  • auth_value

    407e05c9b3a74d99a20f90b091547bd6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d87c4bc2f2d293c42d30b5c85b7a061.exe
    "C:\Users\Admin\AppData\Local\Temp\7d87c4bc2f2d293c42d30b5c85b7a061.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzPf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzPf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1912
        3⤵
        • Program crash
        PID:892
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\czPzPa.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\czPzPa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:400
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3236 -ip 3236
    1⤵
      PID:1112

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzPf.exe
      Filesize

      306KB

      MD5

      bfd3c9cc73189c612ad98425537629c0

      SHA1

      e6c5a48b6a75b9bd237212b0383e21cd6c267554

      SHA256

      b7348280cc2e1e0f18dde17f01245b80b54e5440a47231881f25ef8c03723680

      SHA512

      f30fc3389d407c9a003ad7b9b98f6e345a09d5ef9d44eb0c77de245b5b49b79a150afbe01029efceba610eaa2188d169528e04223e4fd83b44384526f633365e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzPf.exe
      Filesize

      306KB

      MD5

      bfd3c9cc73189c612ad98425537629c0

      SHA1

      e6c5a48b6a75b9bd237212b0383e21cd6c267554

      SHA256

      b7348280cc2e1e0f18dde17f01245b80b54e5440a47231881f25ef8c03723680

      SHA512

      f30fc3389d407c9a003ad7b9b98f6e345a09d5ef9d44eb0c77de245b5b49b79a150afbe01029efceba610eaa2188d169528e04223e4fd83b44384526f633365e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\czPzPa.exe
      Filesize

      283KB

      MD5

      457dcca2cfa8e1592521e4bc580d2097

      SHA1

      de855fa7934126fd1cde834b752999ebe79e367f

      SHA256

      54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc

      SHA512

      d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\czPzPa.exe
      Filesize

      283KB

      MD5

      457dcca2cfa8e1592521e4bc580d2097

      SHA1

      de855fa7934126fd1cde834b752999ebe79e367f

      SHA256

      54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc

      SHA512

      d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752

      Download Submit

    • memory/400-156-0x0000000000180000-0x00000000001B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3236-144-0x0000000005E40000-0x0000000005EA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3236-147-0x00000000007F4000-0x0000000000822000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3236-140-0x0000000005950000-0x0000000005A5A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3236-141-0x0000000005A90000-0x0000000005AA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3236-142-0x0000000005AB0000-0x0000000005AEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3236-143-0x0000000005DA0000-0x0000000005E32000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3236-145-0x0000000006640000-0x00000000066B6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3236-146-0x00000000066D0000-0x0000000006720000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3236-139-0x00000000052B0000-0x00000000058C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3236-148-0x0000000006740000-0x0000000006902000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3236-149-0x0000000006920000-0x0000000006E4C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3236-150-0x00000000007F4000-0x0000000000822000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3236-151-0x0000000000400000-0x000000000057D000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3236-135-0x00000000007F4000-0x0000000000822000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3236-138-0x0000000004BA0000-0x0000000005144000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3236-137-0x0000000000400000-0x000000000057D000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3236-136-0x0000000000710000-0x000000000075B000-memory.dmp

      Filesize

      300KB

      Download