Analysis
-
max time kernel
40s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
16-05-2023 12:01
General
-
Target
MavrodiBlack 2.exe
-
Size
592KB
-
MD5
a5f8768a97c74ecc4c26c402f2bcef11
-
SHA1
d234ce957544025614d49e1e18f3bac6352ca994
-
SHA256
679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c
-
SHA512
e425b6d9f19de18465af3ea438a9ec3ee9f0ca30608146f3094fa28960a841f5d3a9a2a13655c2123d93f5bcab79e57a37b10d7201ffddd8b8991c3f0eae6009
-
SSDEEP
6144:jS6d7abcho/OiptVSaPCpikafd5Y9k1WeR7LSxDxpaG6WiX22QbjMrgXScKl+mH1:W6dvhop3zlEyLeKXo8r2Kl+4mW/QKU6
Malware Config
Extracted
redline
37.220.87.13:48790
-
auth_value
5ccbd06c4978ff4912009e42060b2daf
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 4 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\MavrodiBlack 2.exe"C:\Users\Admin\AppData\Local\Temp\MavrodiBlack 2.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"3⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\200224.exe"C:\Users\Admin\AppData\Local\200224.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\631599.exe"C:\Users\Admin\AppData\Local\631599.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 4606⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 4646⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1405⤵
- Program crash
-
C:\Users\Admin\AppData\Local\517221.exe"C:\Users\Admin\AppData\Local\517221.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 3245⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qlgljmw#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3600 -ip 36001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1564 -ip 15641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1252 -ip 12521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1564 -ip 15641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\200224.exeFilesize
9.9MB
MD59889b03f358c1e2a2635ae17eb4bf489
SHA13919276a8b72c4205512dd41ecf8c066bf721be0
SHA2560c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
SHA512ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
-
C:\Users\Admin\AppData\Local\200224.exeFilesize
9.9MB
MD59889b03f358c1e2a2635ae17eb4bf489
SHA13919276a8b72c4205512dd41ecf8c066bf721be0
SHA2560c879e57aab759d1e31ba1ac2a03ffe1be3f44bd028a2dd4c597acec333b83d6
SHA512ef9522066e646523c53249f788efdef9ac441087d8f6b6a5a56a2811f71cbf3b344be0f118bc9f3c12f62767d427736e5cab200c55ed66521170b3fc0ce31d6a
-
C:\Users\Admin\AppData\Local\517221.exeFilesize
1.7MB
MD5dcdc4c52c6a415cabd01d1c474e2e864
SHA1b820f7e29b10e9cb1c9ae973e038e44e2ba8c54c
SHA256277d23a2a848349b79d6a9d47cef165e6b8e8e160fed97dec27418bd468e402c
SHA512df2f1bd2d831c7e78eabbeee5547e4ff090289d66c66a84cad0910398ba7c152bc2a133dbda69b541d48173f837505a8321d6ccc51781fb7495c9e2ce2046270
-
C:\Users\Admin\AppData\Local\517221.exeFilesize
1.7MB
MD5dcdc4c52c6a415cabd01d1c474e2e864
SHA1b820f7e29b10e9cb1c9ae973e038e44e2ba8c54c
SHA256277d23a2a848349b79d6a9d47cef165e6b8e8e160fed97dec27418bd468e402c
SHA512df2f1bd2d831c7e78eabbeee5547e4ff090289d66c66a84cad0910398ba7c152bc2a133dbda69b541d48173f837505a8321d6ccc51781fb7495c9e2ce2046270
-
C:\Users\Admin\AppData\Local\517221.exeFilesize
1.7MB
MD5dcdc4c52c6a415cabd01d1c474e2e864
SHA1b820f7e29b10e9cb1c9ae973e038e44e2ba8c54c
SHA256277d23a2a848349b79d6a9d47cef165e6b8e8e160fed97dec27418bd468e402c
SHA512df2f1bd2d831c7e78eabbeee5547e4ff090289d66c66a84cad0910398ba7c152bc2a133dbda69b541d48173f837505a8321d6ccc51781fb7495c9e2ce2046270
-
C:\Users\Admin\AppData\Local\631599.exeFilesize
327KB
MD522b25918bfdd12b1b6646cf6cdf1e867
SHA13b621a13ff4b1493df48992d37fcc9d67edf40ab
SHA2568be6deb199d15344938cca068b14d9af482d69b0e864c42bc0f11690dd8cf1f7
SHA51232fbbb221a7aa0977d07c4ad67c3564f133cdade6db8488e67345ecf5c8d594123da1ddb506166f1e25ce6174a004f3f5d428dfea44eda4b7ce4a24cd33721e2
-
C:\Users\Admin\AppData\Local\631599.exeFilesize
327KB
MD522b25918bfdd12b1b6646cf6cdf1e867
SHA13b621a13ff4b1493df48992d37fcc9d67edf40ab
SHA2568be6deb199d15344938cca068b14d9af482d69b0e864c42bc0f11690dd8cf1f7
SHA51232fbbb221a7aa0977d07c4ad67c3564f133cdade6db8488e67345ecf5c8d594123da1ddb506166f1e25ce6174a004f3f5d428dfea44eda4b7ce4a24cd33721e2
-
C:\Users\Admin\AppData\Local\631599.exeFilesize
327KB
MD522b25918bfdd12b1b6646cf6cdf1e867
SHA13b621a13ff4b1493df48992d37fcc9d67edf40ab
SHA2568be6deb199d15344938cca068b14d9af482d69b0e864c42bc0f11690dd8cf1f7
SHA51232fbbb221a7aa0977d07c4ad67c3564f133cdade6db8488e67345ecf5c8d594123da1ddb506166f1e25ce6174a004f3f5d428dfea44eda4b7ce4a24cd33721e2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc23l5la.3gz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\x86\SQLite.Interop.dllFilesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
memory/516-313-0x0000027C516E0000-0x0000027C51707000-memory.dmpFilesize
156KB
-
memory/516-290-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/516-288-0x0000027C516E0000-0x0000027C51707000-memory.dmpFilesize
156KB
-
memory/612-259-0x00000203BB880000-0x00000203BB8A1000-memory.dmpFilesize
132KB
-
memory/612-302-0x00000203BB8B0000-0x00000203BB8D7000-memory.dmpFilesize
156KB
-
memory/612-262-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/612-261-0x00000203BB8B0000-0x00000203BB8D7000-memory.dmpFilesize
156KB
-
memory/668-305-0x000002BA64990000-0x000002BA649B7000-memory.dmpFilesize
156KB
-
memory/668-268-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/668-263-0x000002BA64990000-0x000002BA649B7000-memory.dmpFilesize
156KB
-
memory/912-307-0x000001B415890000-0x000001B4158B7000-memory.dmpFilesize
156KB
-
memory/912-311-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/940-283-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/940-271-0x00000223811A0000-0x00000223811C7000-memory.dmpFilesize
156KB
-
memory/940-306-0x00000223811A0000-0x00000223811C7000-memory.dmpFilesize
156KB
-
memory/1020-272-0x0000017B298A0000-0x0000017B298C7000-memory.dmpFilesize
156KB
-
memory/1020-310-0x0000017B298A0000-0x0000017B298C7000-memory.dmpFilesize
156KB
-
memory/1020-284-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/1060-317-0x000001D56FDB0000-0x000001D56FDD7000-memory.dmpFilesize
156KB
-
memory/1060-312-0x00007FF9644F0000-0x00007FF964500000-memory.dmpFilesize
64KB
-
memory/1060-308-0x000001D56FDB0000-0x000001D56FDD7000-memory.dmpFilesize
156KB
-
memory/1292-266-0x00007FF73D670000-0x00007FF73E069000-memory.dmpFilesize
10.0MB
-
memory/1564-228-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1564-234-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1856-210-0x0000022AEC360000-0x0000022AEC370000-memory.dmpFilesize
64KB
-
memory/1856-205-0x0000022AEC2A0000-0x0000022AEC2C2000-memory.dmpFilesize
136KB
-
memory/1856-211-0x0000022AEC360000-0x0000022AEC370000-memory.dmpFilesize
64KB
-
memory/2124-319-0x0000000004C00000-0x0000000004C3C000-memory.dmpFilesize
240KB
-
memory/2124-293-0x0000000000700000-0x0000000000744000-memory.dmpFilesize
272KB
-
memory/2124-314-0x0000000004BA0000-0x0000000004BB2000-memory.dmpFilesize
72KB
-
memory/2124-318-0x0000000004CD0000-0x0000000004DDA000-memory.dmpFilesize
1.0MB
-
memory/2124-309-0x0000000005040000-0x0000000005658000-memory.dmpFilesize
6.1MB
-
memory/3268-251-0x0000000004EC0000-0x0000000004F16000-memory.dmpFilesize
344KB
-
memory/3268-248-0x0000000002810000-0x000000000281A000-memory.dmpFilesize
40KB
-
memory/3268-294-0x00000000027E0000-0x00000000027F0000-memory.dmpFilesize
64KB
-
memory/3268-236-0x0000000000370000-0x0000000000386000-memory.dmpFilesize
88KB
-
memory/3268-244-0x0000000004C70000-0x0000000004D0C000-memory.dmpFilesize
624KB
-
memory/3404-296-0x0000024C69670000-0x0000024C69680000-memory.dmpFilesize
64KB
-
memory/3404-299-0x0000024C69670000-0x0000024C69680000-memory.dmpFilesize
64KB
-
memory/4384-246-0x00007FF9A2EA0000-0x00007FF9A2F5E000-memory.dmpFilesize
760KB
-
memory/4384-285-0x00007FF69C490000-0x00007FF69C4B9000-memory.dmpFilesize
164KB
-
memory/4384-245-0x00007FF9A4470000-0x00007FF9A4665000-memory.dmpFilesize
2.0MB
-
memory/4696-140-0x0000000005590000-0x0000000005B34000-memory.dmpFilesize
5.6MB
-
memory/4696-173-0x0000000007C50000-0x0000000007CC6000-memory.dmpFilesize
472KB
-
memory/4696-134-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4696-162-0x0000000007A10000-0x0000000007A4C000-memory.dmpFilesize
240KB
-
memory/4696-153-0x00000000065B0000-0x0000000006772000-memory.dmpFilesize
1.8MB
-
memory/4696-180-0x0000000008000000-0x000000000801E000-memory.dmpFilesize
120KB
-
memory/4696-139-0x0000000004ED0000-0x0000000004EEA000-memory.dmpFilesize
104KB
-
memory/4696-141-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/4696-179-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB
-
memory/4696-142-0x0000000006030000-0x0000000006096000-memory.dmpFilesize
408KB
-
memory/4696-151-0x0000000006340000-0x00000000063D2000-memory.dmpFilesize
584KB
-
memory/4696-152-0x00000000062D0000-0x00000000062E2000-memory.dmpFilesize
72KB
-
memory/4696-157-0x0000000006930000-0x0000000006992000-memory.dmpFilesize
392KB
-
memory/4696-195-0x0000000004FD0000-0x0000000004FE0000-memory.dmpFilesize
64KB