Analysis
-
max time kernel
161s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2023 11:18
Static task
static1
Behavioral task
behavioral1
Sample
wyCdPrh7QF.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
wyCdPrh7QF.exe
Resource
win10v2004-20230220-en
General
-
Target
wyCdPrh7QF.exe
-
Size
1.0MB
-
MD5
9f88f83efed561b5002940f8425d73bd
-
SHA1
e211bc5df1d01ed150e5f4c727ae33c021a2011f
-
SHA256
167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
-
SHA512
71fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
-
SSDEEP
24576:w0I5Wj1JZkaiSEZe1HOqJarhD85O/f6CDruxp6/XjtjWm:w0IEj1l131HOqJad85mSCDrCp6/0m
Malware Config
Extracted
redline
Youtube
5.75.169.103:18374
-
auth_value
fa6349261c48cdab29f1787f5ed475fe
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
wyCdPrh7QF.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions wyCdPrh7QF.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
wyCdPrh7QF.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools wyCdPrh7QF.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools svchost.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" svchost.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wyCdPrh7QF.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wyCdPrh7QF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion wyCdPrh7QF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svchost.exewyCdPrh7QF.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation wyCdPrh7QF.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 4168 svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
wyCdPrh7QF.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" wyCdPrh7QF.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
wyCdPrh7QF.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum wyCdPrh7QF.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 wyCdPrh7QF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
svchost.exedescription pid process target process PID 4168 set thread context of 1388 4168 svchost.exe CasPol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4392 timeout.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
wyCdPrh7QF.exepowershell.exepid process 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 3672 wyCdPrh7QF.exe 676 powershell.exe 676 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
svchost.exepid process 4168 svchost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
wyCdPrh7QF.exesvchost.exepowershell.exedescription pid process Token: SeDebugPrivilege 3672 wyCdPrh7QF.exe Token: SeDebugPrivilege 4168 svchost.exe Token: SeDebugPrivilege 4168 svchost.exe Token: SeLoadDriverPrivilege 4168 svchost.exe Token: SeDebugPrivilege 676 powershell.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
wyCdPrh7QF.execmd.execmd.exesvchost.exedescription pid process target process PID 3672 wrote to memory of 396 3672 wyCdPrh7QF.exe cmd.exe PID 3672 wrote to memory of 396 3672 wyCdPrh7QF.exe cmd.exe PID 3672 wrote to memory of 3988 3672 wyCdPrh7QF.exe cmd.exe PID 3672 wrote to memory of 3988 3672 wyCdPrh7QF.exe cmd.exe PID 3988 wrote to memory of 4392 3988 cmd.exe timeout.exe PID 3988 wrote to memory of 4392 3988 cmd.exe timeout.exe PID 396 wrote to memory of 1120 396 cmd.exe schtasks.exe PID 396 wrote to memory of 1120 396 cmd.exe schtasks.exe PID 3988 wrote to memory of 4168 3988 cmd.exe svchost.exe PID 3988 wrote to memory of 4168 3988 cmd.exe svchost.exe PID 4168 wrote to memory of 676 4168 svchost.exe powershell.exe PID 4168 wrote to memory of 676 4168 svchost.exe powershell.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe PID 4168 wrote to memory of 1388 4168 svchost.exe CasPol.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\wyCdPrh7QF.exe"C:\Users\Admin\AppData\Local\Temp\wyCdPrh7QF.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE6BB.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lei4xsxu.bh4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpE6BB.tmp.batFilesize
151B
MD58d8dd9e6e8d9104d4c40a64f31fdcbdf
SHA11e08454c9d4b5969044671163c9c5466e008e267
SHA256b77f374516635356e12f51751f759dd825b654258e171243a2512e3156a17388
SHA5125ee1f5c306435064b49ed558486796505bf2b5f063cb0a00772ce22e4df13e803fac6c198617568874f801a433cd2eaf031086d8561398010017a7996adef92f
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
1.0MB
MD59f88f83efed561b5002940f8425d73bd
SHA1e211bc5df1d01ed150e5f4c727ae33c021a2011f
SHA256167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
SHA51271fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
1.0MB
MD59f88f83efed561b5002940f8425d73bd
SHA1e211bc5df1d01ed150e5f4c727ae33c021a2011f
SHA256167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
SHA51271fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
-
memory/676-153-0x00000218C95D0000-0x00000218C95F2000-memory.dmpFilesize
136KB
-
memory/676-158-0x00000218C94C0000-0x00000218C94D0000-memory.dmpFilesize
64KB
-
memory/676-162-0x00000218C94C0000-0x00000218C94D0000-memory.dmpFilesize
64KB
-
memory/676-159-0x00000218C94C0000-0x00000218C94D0000-memory.dmpFilesize
64KB
-
memory/1388-164-0x000000000B580000-0x000000000BB98000-memory.dmpFilesize
6.1MB
-
memory/1388-146-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1388-163-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/1388-165-0x000000000D710000-0x000000000D81A000-memory.dmpFilesize
1.0MB
-
memory/1388-166-0x000000000D620000-0x000000000D632000-memory.dmpFilesize
72KB
-
memory/1388-167-0x000000000D680000-0x000000000D6BC000-memory.dmpFilesize
240KB
-
memory/3672-134-0x000002D12BCD0000-0x000002D12BD46000-memory.dmpFilesize
472KB
-
memory/3672-133-0x000002D111770000-0x000002D111874000-memory.dmpFilesize
1.0MB
-
memory/3672-135-0x000002D12BEF0000-0x000002D12BF00000-memory.dmpFilesize
64KB
-
memory/3672-136-0x000002D113440000-0x000002D11345E000-memory.dmpFilesize
120KB