Analysis
-
max time kernel
95s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-04-2023 18:52
General
-
Target
https://mediafire.com/file_premium/2y96feq95azdc69/Script_GUI_%255B%25F0%259F%2594%2592_1515%255D.rar/file
Malware Config
Extracted
redline
@dxrkl0rd
5.206.224.176:46989
-
auth_value
9750c50e8073b21d538cfb6d993427dc
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 16 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://mediafire.com/file_premium/2y96feq95azdc69/Script_GUI_%255B%25F0%259F%2594%2592_1515%255D.rar/file1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:464 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23745:102:7zEvent129991⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\GUIScript.exe"C:\Users\Admin\Desktop\GUIScript.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Users\Admin\Desktop\GUIScript.exe"C:\Users\Admin\Desktop\GUIScript.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Users\Admin\Desktop\GUIScript.exe"C:\Users\Admin\Desktop\GUIScript.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebbac9758,0x7ffebbac9768,0x7ffebbac97782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3248 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4784 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1868,i,13205800860288960218,14906398153962978766,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5ceef60fcd8ede49f517d99a4d313a6ef
SHA113b9a6d61387a04b9e9e0f40f0487f42bb0ee48e
SHA256fe1f7c753b746859031963be34e72e01d534b67b4b05daeac8a9c2ce4267405c
SHA5128942cbbd3ec4ca439242d9b305abfdb9478f82e1cb441c247e2da13714a8e5f9cee355161e65f076d57e2d13bc8d6b56be1b7306af0559cb1687cd38f8e46ee5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
15KB
MD5163313bb8fc3f0679005f0a0926da75f
SHA14dd986d1c6ed83a6b46f0fe29ec7bf27d7b86f80
SHA256e50837d52b861c95f7f0c38ea410bf0f330b6353d152f64d7306b4e28f1c8ef4
SHA512192a25d48d2bd98ec0df92eb90cdff1b244697f07e1726656186046c89b76b545a1a8cfddd51b5fb68193b7905574c9c73d962e2cb2d997a13bfb5c5d232beac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
175KB
MD5a5db8120ee7c2e655e8f3bf60343429f
SHA1eb04728c62bf75d65d5f6b4f43150e277e2beb02
SHA256879be2b0482fb084db3551bd894753af48b8fe96927d7c4d8c58970f07d736a5
SHA51257e819d2f9591bf6c2682294d396d2ef4473bf102cdf53083fc7dfe48e72caab5da50f687c5f51ffa4ac91fbf8e9a885f9b08175b4ff88cec69a611da9c2867e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
72KB
MD5a99adf1a425db172645319f743f6aa7c
SHA14ac450d5ce37df10c5f93da4104d605d226fe4c7
SHA256134f0901498dbf005e38d4355686e4285fc4763f46355815ed74d6425876dde2
SHA512f26cf10fde2368e4b7ebb79f686fa85dadf6dba6ab654a69df5517b018f1d8822950fcf7e307b46a8fb2347232bb9bf20a9f6fedf6f99c33396396412171e063
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
72KB
MD5a99adf1a425db172645319f743f6aa7c
SHA14ac450d5ce37df10c5f93da4104d605d226fe4c7
SHA256134f0901498dbf005e38d4355686e4285fc4763f46355815ed74d6425876dde2
SHA512f26cf10fde2368e4b7ebb79f686fa85dadf6dba6ab654a69df5517b018f1d8822950fcf7e307b46a8fb2347232bb9bf20a9f6fedf6f99c33396396412171e063
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.logFilesize
2KB
MD59995da6049486562b9bb0acf5083aa2b
SHA1c383bf8c2d328fcae53692bb6d77fa3c980026fa
SHA256bf25b1507c0222804361721181ae0cce254b70178b0e281140ec87c8374f6aa3
SHA51252613290613f9844976ef7719f97d74e1e0059cba3e4276eabc9d7e4e7189864df4a3035330ca12ab51af5e0a752a00a29999c33c6cf5cfc029a357469e29a7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\Script GUI [🔒 1515][1].rarFilesize
3.3MB
MD5dc44d9ac63fb3f7bc9ed4543a7bef843
SHA1e5126b4fdd8b4b687270d59408f4e191843b0bd0
SHA25687738c9f89b27de5d18545ef1a64f588674aab995c2fbcaf859e5795d225144e
SHA5122bdd17eb62a87b88c37738fac75e652a6509b0610fc85b7dbae4c3c894c40e192c53b04c4f69705013c6a099e78d189c01bd01dcce3846f4f18e4f9c5f22961e
-
C:\Users\Admin\Desktop\GUIScript.exeFilesize
179.0MB
MD5e6139c1c899b0660faf9cd95e4573458
SHA14903c5fb289798deae08c11804c57f723714afe3
SHA2567be476aa899aec04bb16670d77a1e0ded1a03519bc477b4385ac90a7ffd51a1f
SHA5125b99c0159b10e2fcbf1fd006aa4bcc94e1e32ad2cc49e3468ff30ed780db65823b97f1b5859176b23d96a3b87a548e7a77e3776083cb600b96d31c2f0a8bcc90
-
C:\Users\Admin\Desktop\GUIScript.exeFilesize
165.9MB
MD5ffa2d8d4fd7db8fc92591596b46f09f8
SHA19bba0f67ddb0366753e814d8093bbd672802a272
SHA256c4fb753e0a5ff2f16b91e568c471e92f6f9d91003f25e1e85fef67d6f7220a6a
SHA5125f8f4acb2bf6c79df88327a52c4d9a35a163683f3abcdf500c3b7a00ae89dd4ffe8a6c54f47a58177f379d7b028902687aa7b641ba77ac1300923e81a4ec7ca9
-
C:\Users\Admin\Desktop\GUIScript.exeFilesize
182.6MB
MD55cb02ae4d8e94c24349fdc65414a6dac
SHA19d6ce974823b11979429cdc2834263843ad43a4a
SHA25658e442b692f7b2a8aafe017c0ffae7ea02fb8b9979cabb0f701ccafdd80a213a
SHA512581cb76a17454e530ddfc78d82159d97a0170d21f700d23ae0560ad887217b799509ac37308c3e6ccce236c0dc9c5f67b9ff1400005ffd55c1b0626e28570336
-
C:\Users\Admin\Desktop\GUIScript.exeFilesize
128.2MB
MD52dab348333df860908e491eff3724483
SHA101d535fe2f7f7b072c2a39cbb4be677071c0aab0
SHA256b09246b3f069cf0fb5b6cedea8b9e20b56200bda587ddcc234c693c08d482c80
SHA512b7f906331604f48af9a291ec4c4976422fc0e80ac5da72c6f11aa76538f4b0c380f6b9be04d0a4cfcab7efeff71c5fa50e316f2d8cbad9d4a385510ac7603f17
-
C:\Users\Admin\Desktop\README.txtFilesize
100B
MD5998406187e872595c63b791d84010813
SHA15daa70d15b0b648f82aa3989d4c3cc89f2364f71
SHA2562091fa667940e3674f2182f1b0ae0549f2add79591ec8af657dd954d555b7a45
SHA512ecfde36ce0a7e66114ad5a270d8af0ce9b3c39adcc2e83332fc0ad81b0b7e37de8a04cc8032e1c98c1ae9fed7980695baedf8c3b8864fd724c1d981e0df492ab
-
C:\Users\Admin\Downloads\Script GUI [🔒 1515].rar.mlizw0z.partialFilesize
3.3MB
MD5dc44d9ac63fb3f7bc9ed4543a7bef843
SHA1e5126b4fdd8b4b687270d59408f4e191843b0bd0
SHA25687738c9f89b27de5d18545ef1a64f588674aab995c2fbcaf859e5795d225144e
SHA5122bdd17eb62a87b88c37738fac75e652a6509b0610fc85b7dbae4c3c894c40e192c53b04c4f69705013c6a099e78d189c01bd01dcce3846f4f18e4f9c5f22961e
-
\??\pipe\crashpad_768_GBDIHVLZKCSWRESNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2576-179-0x00000000053A0000-0x00000000053B0000-memory.dmpFilesize
64KB
-
memory/2576-198-0x00000000053A0000-0x00000000053B0000-memory.dmpFilesize
64KB
-
memory/3056-180-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/3056-186-0x00000000052E0000-0x00000000052F0000-memory.dmpFilesize
64KB
-
memory/3056-190-0x00000000061E0000-0x0000000006272000-memory.dmpFilesize
584KB
-
memory/3056-191-0x0000000006280000-0x00000000062F6000-memory.dmpFilesize
472KB
-
memory/3056-192-0x00000000061C0000-0x00000000061DE000-memory.dmpFilesize
120KB
-
memory/3056-182-0x00000000057C0000-0x0000000005DD8000-memory.dmpFilesize
6.1MB
-
memory/3056-188-0x0000000005600000-0x0000000005666000-memory.dmpFilesize
408KB
-
memory/3056-195-0x0000000006E10000-0x0000000006FD2000-memory.dmpFilesize
1.8MB
-
memory/3056-196-0x0000000007510000-0x0000000007A3C000-memory.dmpFilesize
5.2MB
-
memory/3056-184-0x0000000005390000-0x000000000549A000-memory.dmpFilesize
1.0MB
-
memory/3056-185-0x00000000052F0000-0x000000000532C000-memory.dmpFilesize
240KB
-
memory/3056-189-0x0000000006690000-0x0000000006C34000-memory.dmpFilesize
5.6MB
-
memory/3636-203-0x0000000005000000-0x0000000005010000-memory.dmpFilesize
64KB
-
memory/3892-202-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/3892-212-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/3920-197-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB
-
memory/3920-178-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB
-
memory/3920-177-0x0000000000FD0000-0x0000000001018000-memory.dmpFilesize
288KB
-
memory/4144-187-0x00000000032E0000-0x00000000032F0000-memory.dmpFilesize
64KB
-
memory/4144-183-0x0000000003280000-0x0000000003292000-memory.dmpFilesize
72KB
-
memory/4144-193-0x00000000065F0000-0x0000000006640000-memory.dmpFilesize
320KB