Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
09/02/2023, 13:11
Static task
static1
Behavioral task
behavioral1
Sample
7d87c4bc2f2d293c42d30b5c85b7a061.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
7d87c4bc2f2d293c42d30b5c85b7a061.exe
Resource
win10v2004-20220812-en
General
-
Target
7d87c4bc2f2d293c42d30b5c85b7a061.exe
-
Size
518KB
-
MD5
7d87c4bc2f2d293c42d30b5c85b7a061
-
SHA1
4cab1a968d1e93eb0b6ec52f0df4f9d7e56029d1
-
SHA256
72fa014db49738f6ab72b7e127c30d4d15a7e6c03aaa5c3a7e06be766858a124
-
SHA512
d33fb6f6dca80349b1f23f206c85d915d683ebb8d3ce9dffa1ada6e48d25d45fafb19b6692e88a1431f1926faf48bec3f64516e42fe84e9b67c30bf47764c884
-
SSDEEP
12288:JMrny90xCiQb5c+bKuZdZ3+Nxpsvka6OIOIpCNAJ:CyKCdba+nr37vP6s8CuJ
Malware Config
Extracted
redline
crypt
176.113.115.17:4132
-
auth_value
407e05c9b3a74d99a20f90b091547bd6
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
pid Process 3236 bzPf.exe 4344 czPzPa.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7d87c4bc2f2d293c42d30b5c85b7a061.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 7d87c4bc2f2d293c42d30b5c85b7a061.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4344 set thread context of 400 4344 czPzPa.exe 85 -
Program crash 1 IoCs
pid pid_target Process procid_target 892 3236 WerFault.exe 79 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3236 bzPf.exe 3236 bzPf.exe 400 AppLaunch.exe 400 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3236 bzPf.exe Token: SeDebugPrivilege 400 AppLaunch.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1456 wrote to memory of 3236 1456 7d87c4bc2f2d293c42d30b5c85b7a061.exe 79 PID 1456 wrote to memory of 3236 1456 7d87c4bc2f2d293c42d30b5c85b7a061.exe 79 PID 1456 wrote to memory of 3236 1456 7d87c4bc2f2d293c42d30b5c85b7a061.exe 79 PID 1456 wrote to memory of 4344 1456 7d87c4bc2f2d293c42d30b5c85b7a061.exe 83 PID 1456 wrote to memory of 4344 1456 7d87c4bc2f2d293c42d30b5c85b7a061.exe 83 PID 1456 wrote to memory of 4344 1456 7d87c4bc2f2d293c42d30b5c85b7a061.exe 83 PID 4344 wrote to memory of 400 4344 czPzPa.exe 85 PID 4344 wrote to memory of 400 4344 czPzPa.exe 85 PID 4344 wrote to memory of 400 4344 czPzPa.exe 85 PID 4344 wrote to memory of 400 4344 czPzPa.exe 85 PID 4344 wrote to memory of 400 4344 czPzPa.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d87c4bc2f2d293c42d30b5c85b7a061.exe"C:\Users\Admin\AppData\Local\Temp\7d87c4bc2f2d293c42d30b5c85b7a061.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzPf.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzPf.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 19123⤵
- Program crash
PID:892
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\czPzPa.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\czPzPa.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3236 -ip 32361⤵PID:1112
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
306KB
MD5bfd3c9cc73189c612ad98425537629c0
SHA1e6c5a48b6a75b9bd237212b0383e21cd6c267554
SHA256b7348280cc2e1e0f18dde17f01245b80b54e5440a47231881f25ef8c03723680
SHA512f30fc3389d407c9a003ad7b9b98f6e345a09d5ef9d44eb0c77de245b5b49b79a150afbe01029efceba610eaa2188d169528e04223e4fd83b44384526f633365e
-
Filesize
306KB
MD5bfd3c9cc73189c612ad98425537629c0
SHA1e6c5a48b6a75b9bd237212b0383e21cd6c267554
SHA256b7348280cc2e1e0f18dde17f01245b80b54e5440a47231881f25ef8c03723680
SHA512f30fc3389d407c9a003ad7b9b98f6e345a09d5ef9d44eb0c77de245b5b49b79a150afbe01029efceba610eaa2188d169528e04223e4fd83b44384526f633365e
-
Filesize
283KB
MD5457dcca2cfa8e1592521e4bc580d2097
SHA1de855fa7934126fd1cde834b752999ebe79e367f
SHA25654ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc
SHA512d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752
-
Filesize
283KB
MD5457dcca2cfa8e1592521e4bc580d2097
SHA1de855fa7934126fd1cde834b752999ebe79e367f
SHA25654ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc
SHA512d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752