Analysis
-
max time kernel
161s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05-05-2023 11:18
General
-
Target
wyCdPrh7QF.exe
-
Size
1.0MB
-
MD5
9f88f83efed561b5002940f8425d73bd
-
SHA1
e211bc5df1d01ed150e5f4c727ae33c021a2011f
-
SHA256
167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
-
SHA512
71fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
-
SSDEEP
24576:w0I5Wj1JZkaiSEZe1HOqJarhD85O/f6CDruxp6/XjtjWm:w0IEj1l131HOqJad85mSCDrCp6/0m
Malware Config
Extracted
redline
Youtube
5.75.169.103:18374
-
auth_value
fa6349261c48cdab29f1787f5ed475fe
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\wyCdPrh7QF.exe"C:\Users\Admin\AppData\Local\Temp\wyCdPrh7QF.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE6BB.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lei4xsxu.bh4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpE6BB.tmp.batFilesize
151B
MD58d8dd9e6e8d9104d4c40a64f31fdcbdf
SHA11e08454c9d4b5969044671163c9c5466e008e267
SHA256b77f374516635356e12f51751f759dd825b654258e171243a2512e3156a17388
SHA5125ee1f5c306435064b49ed558486796505bf2b5f063cb0a00772ce22e4df13e803fac6c198617568874f801a433cd2eaf031086d8561398010017a7996adef92f
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
1.0MB
MD59f88f83efed561b5002940f8425d73bd
SHA1e211bc5df1d01ed150e5f4c727ae33c021a2011f
SHA256167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
SHA51271fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
1.0MB
MD59f88f83efed561b5002940f8425d73bd
SHA1e211bc5df1d01ed150e5f4c727ae33c021a2011f
SHA256167645a3961ac8521e1db57b4a70c12adf03217b8f546fdd34c4fb770ccb4779
SHA51271fc4523d93f6a9f0ba48291e54528e18c969e1dd0d3d45c75ef90a64a1b9b1a12e14a5ae1a0b23e9a7b91f8576d7e4c8c252523d684e18f0cc0f95ab38bd7b6
-
memory/676-153-0x00000218C95D0000-0x00000218C95F2000-memory.dmpFilesize
136KB
-
memory/676-158-0x00000218C94C0000-0x00000218C94D0000-memory.dmpFilesize
64KB
-
memory/676-162-0x00000218C94C0000-0x00000218C94D0000-memory.dmpFilesize
64KB
-
memory/676-159-0x00000218C94C0000-0x00000218C94D0000-memory.dmpFilesize
64KB
-
memory/1388-164-0x000000000B580000-0x000000000BB98000-memory.dmpFilesize
6.1MB
-
memory/1388-146-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1388-163-0x00000000053C0000-0x00000000053D0000-memory.dmpFilesize
64KB
-
memory/1388-165-0x000000000D710000-0x000000000D81A000-memory.dmpFilesize
1.0MB
-
memory/1388-166-0x000000000D620000-0x000000000D632000-memory.dmpFilesize
72KB
-
memory/1388-167-0x000000000D680000-0x000000000D6BC000-memory.dmpFilesize
240KB
-
memory/3672-134-0x000002D12BCD0000-0x000002D12BD46000-memory.dmpFilesize
472KB
-
memory/3672-133-0x000002D111770000-0x000002D111874000-memory.dmpFilesize
1.0MB
-
memory/3672-135-0x000002D12BEF0000-0x000002D12BF00000-memory.dmpFilesize
64KB
-
memory/3672-136-0x000002D113440000-0x000002D11345E000-memory.dmpFilesize
120KB