Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2023 03:03

Static task: static1
Behavioral task: behavioral1
- Sample: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
- Resource: win7-20230220-en
General
- Target: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
- Size: 2.4MB
- MD5: b39a7bc324162d5bbe0ebb53c5f72a74
- SHA1: 1c3cb0cba6b2aca973aed18953bf394c96aadddd
- SHA256: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060
- SHA512: 72a8de9c826aff66f11ca849652d291a5cccf317830d8b6dc063c446a6982e2efc416a933a6a071448d26102aa1d2e5f4bad264c46abdb57d00e132ab87aaef9
- SSDEEP: 24576:W3Sui5m+5yX+RNFlnRgyuMnb9310oUUS/qnwpJDQgbf2Ma9yzncNsJPsHah+uAAw:cQNFRLgXD2NkznzAviKVCvbRN/sp
Malware Config
Extracted: redline (new1)
- C2: hfiepqnsyosb.top:81, fhgerbugjreqnhfegrb.top:81
- auth_value: 3a3079db884153e24cc7bde3453aec7a
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (process: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe)

Executes dropped EXE (1 IoC)
Processes:
- PID 2188: Mpqxrnojqbnwqpnomnew2.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3804 set thread context of 676: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe -> fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 3600: ipconfig.exe
- PID 4652: ipconfig.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 3804: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
- PID 676: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
- PID 2188: Mpqxrnojqbnwqpnomnew2.exe
- PID 2188: Mpqxrnojqbnwqpnomnew2.exe
- PID 676: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3804: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
- Token: SeDebugPrivilege, PID 676: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
- Token: SeDebugPrivilege, PID 2188: Mpqxrnojqbnwqpnomnew2.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID wrote to memory of target PID, source process -> target process; identical entries are counted rather than repeated):
- PID 3804 wrote to memory of 3176: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe -> cmd.exe (3 entries)
- PID 3176 wrote to memory of 3600: cmd.exe -> ipconfig.exe (3 entries)
- PID 3804 wrote to memory of 2188: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe -> Mpqxrnojqbnwqpnomnew2.exe (3 entries)
- PID 3804 wrote to memory of 1456: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe -> cmd.exe (3 entries)
- PID 1456 wrote to memory of 4652: cmd.exe -> ipconfig.exe (3 entries)
- PID 3804 wrote to memory of 676: fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe -> fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe (8 entries)
Processes (process tree; depth shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /release
      - Gathers network information
  - [2] C:\Users\Admin\AppData\Local\Temp\Mpqxrnojqbnwqpnomnew2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mpqxrnojqbnwqpnomnew2.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /renew
      - Gathers network information
  - [2] C:\Users\Admin\AppData\Local\Temp\fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fcc6630a3781bc584f63448d62e3aeab8c1b7287115cddf06edb4a88a4a7c060.exe.log
  Filesize: 1KB
  MD5: 7e88081fcf716d85992bb3af3d9b6454
  SHA1: 2153780fbc71061b0102a7a7b665349e1013e250
  SHA256: 5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2
  SHA512: ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7
- C:\Users\Admin\AppData\Local\Temp\Mpqxrnojqbnwqpnomnew2.exe
  Filesize: 254KB
  MD5: f0ea5f95775ebf4f1dd466643cd1ada0
  SHA1: bca03393f7949ad007d4131b2abdc877ae3706e3
  SHA256: 28c76e66d29a449750c2331ed783af24a77f09cfbe392153a72e752ff5f4b3f8
  SHA512: 4a9df69c98e83f47263482ebce3e8b9df9b2a9bb70cf13728fbaace45b302902db443e40ba9be2e9dd69ad5c3576e2fc0e52e23ed91023b57bbeff56f0f2f4f9
- memory/676-151-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB
- memory/676-156-0x0000000005930000-0x0000000005940000-memory.dmp: 64KB
- memory/676-163-0x0000000008E60000-0x000000000938C000-memory.dmp: 5.2MB
- memory/676-162-0x0000000008760000-0x0000000008922000-memory.dmp: 1.8MB
- memory/676-161-0x0000000007120000-0x000000000713E000-memory.dmp: 120KB
- memory/676-160-0x00000000071A0000-0x0000000007216000-memory.dmp: 472KB
- memory/676-159-0x0000000007530000-0x0000000007AD4000-memory.dmp: 5.6MB
- memory/2188-150-0x0000000004C40000-0x0000000004D4A000-memory.dmp: 1.0MB
- memory/2188-153-0x0000000004B70000-0x0000000004BAC000-memory.dmp: 240KB
- memory/2188-155-0x0000000004F30000-0x0000000004F40000-memory.dmp: 64KB
- memory/2188-157-0x0000000004EB0000-0x0000000004F16000-memory.dmp: 408KB
- memory/2188-158-0x00000000061E0000-0x0000000006272000-memory.dmp: 584KB
- memory/2188-149-0x0000000004B10000-0x0000000004B22000-memory.dmp: 72KB
- memory/2188-148-0x00000000050A0000-0x00000000056B8000-memory.dmp: 6.1MB
- memory/2188-147-0x00000000002B0000-0x00000000002F6000-memory.dmp: 280KB
- memory/3804-134-0x0000000005AF0000-0x0000000005B12000-memory.dmp: 136KB
- memory/3804-133-0x0000000000B80000-0x0000000000DEE000-memory.dmp: 2.4MB
- memory/3804-135-0x00000000056A0000-0x00000000056B0000-memory.dmp: 64KB