Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://www.mediafir...

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2023, 21:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.mediafire.com/file/e8ue3gtppfrd373/Memory_Hack.rar/file

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 54 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/e8ue3gtppfrd373/Memory_Hack.rar/file
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1944
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3492
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Memory Hack\" -spe -an -ai#7zMap12674:84:7zEvent13917
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:808
    • C:\Users\Admin\Downloads\Memory Hack\Setup.exe
      "C:\Users\Admin\Downloads\Memory Hack\Setup.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Users\Admin\Downloads\Memory Hack\Setup.exe
        "C:\Users\Admin\Downloads\Memory Hack\Setup.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2644

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            0a18c4e5d48519f11d47e21d48beb4c1

            SHA1

            ef72edf3da93c8438e33829542296d86b9608d48

            SHA256

            572990d6df4be97a68222158083b64bc4391b26347069435b00407b3fd1d0e0e

            SHA512

            d6b78a5a080d0339a58a490122c80165dd3cce9ef1aad17e6363814859116c91a05142a5b8a7de4cbae658c9cc754dbbc1c99f96f139a17303db3f749ab6b7d8

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            293463a79fe8d92da2edf0a47b3ab2f5

            SHA1

            83cfc2342923f7fafc9952b67f8b13ac30bb751e

            SHA256

            7aa2826ff738f298e458502c141dbe1b0ef463458ff94ba8cfcee4a8c608dbbf

            SHA512

            2e672c79e8589071dc62ddbf95a406ab64c57ea12f6363a16c1cd491dae4e2d19effa4523933eac6cc474afb48bb0ed44bf6c9b12dbf13fde62e29967a09e195

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log
            Filesize

            1KB

            MD5

            4f3fab3e5f44399e7f4162fd367eca2d

            SHA1

            adada0591db5f53bcc0565942047156de3464e6e

            SHA256

            5db52f2a6a0fbfaa29e27418a1b72b660298dfa58a12ac0f12897a06e557caef

            SHA512

            d8c3fe3a91e572627e31a44d88a71fc3072786b074d04484ff6aacfeab43e0d29ec88bf6ad2af2a5f8e70f0c0eea95dcea59a8159adf4c642e5f8fd5fc632db7

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\Memory Hack[1].rar
            Filesize

            10.0MB

            MD5

            3570f5461e7f1c3dfb6e5de84e745519

            SHA1

            7a3b98be96f467cd344519dafffa2bf9f8776ecc

            SHA256

            f2a5a15fcf44c4fbf6a45d14e0a5336b0e3c3f8d9675b1929f3fcae77f5474c3

            SHA512

            2c0f91b93246a4432b1b80d68e6f96f9fec41acc02fff03a41e2d959e59a24f435a7d1543cc9d749c84614f390141f0c1d6105d1380466f32f551193e4545f13

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\~DF53069C294BD76A36.TMP
            Filesize

            16KB

            MD5

            9fe8adb5588e796ed66a4f7afc92a757

            SHA1

            6e3fe16677bedf4c02eecbce1efa4fb6252e596f

            SHA256

            00dfbb84dfc92dad42cf4139e32eef4f2d06e38c8be06fe081354904295d98e0

            SHA512

            ce6bdc6788eb2de347eaf35a5f7c6cd04ac00102889cbe442102ad552085574d14c5f909c55da5e4c9b8f9a680679e6d37819e3d14444cffb7159bd050596e46

            Download Submit

          • C:\Users\Admin\Downloads\Memory Hack.rar.8trvx0e.partial
            Filesize

            10.0MB

            MD5

            3570f5461e7f1c3dfb6e5de84e745519

            SHA1

            7a3b98be96f467cd344519dafffa2bf9f8776ecc

            SHA256

            f2a5a15fcf44c4fbf6a45d14e0a5336b0e3c3f8d9675b1929f3fcae77f5474c3

            SHA512

            2c0f91b93246a4432b1b80d68e6f96f9fec41acc02fff03a41e2d959e59a24f435a7d1543cc9d749c84614f390141f0c1d6105d1380466f32f551193e4545f13

            Download Submit

          • C:\Users\Admin\Downloads\Memory Hack\Setup.exe
            Filesize

            9.4MB

            MD5

            9f116635778e2dbb2b91ed7966df9de6

            SHA1

            dc6b0bb86ab0bd0deb4bdad8a63475d17468ca89

            SHA256

            fd06fdecc238bfddc40fa0cb69328a6f19e6d4086f988eb74423395afd0ef7e2

            SHA512

            030b374f221c7d361e348f8f24b2b195b91d9713fd8b9969dc3b1df4aa94966bc1ebde3477b0849e3a523f2b78c5651087ca4dfbb63fcaeb7108534592efafb9

            Download Submit

          • C:\Users\Admin\Downloads\Memory Hack\Setup.exe
            Filesize

            9.4MB

            MD5

            9f116635778e2dbb2b91ed7966df9de6

            SHA1

            dc6b0bb86ab0bd0deb4bdad8a63475d17468ca89

            SHA256

            fd06fdecc238bfddc40fa0cb69328a6f19e6d4086f988eb74423395afd0ef7e2

            SHA512

            030b374f221c7d361e348f8f24b2b195b91d9713fd8b9969dc3b1df4aa94966bc1ebde3477b0849e3a523f2b78c5651087ca4dfbb63fcaeb7108534592efafb9

            Download Submit

          • C:\Users\Admin\Downloads\Memory Hack\Setup.exe
            Filesize

            9.4MB

            MD5

            9f116635778e2dbb2b91ed7966df9de6

            SHA1

            dc6b0bb86ab0bd0deb4bdad8a63475d17468ca89

            SHA256

            fd06fdecc238bfddc40fa0cb69328a6f19e6d4086f988eb74423395afd0ef7e2

            SHA512

            030b374f221c7d361e348f8f24b2b195b91d9713fd8b9969dc3b1df4aa94966bc1ebde3477b0849e3a523f2b78c5651087ca4dfbb63fcaeb7108534592efafb9

            Download Submit

          • memory/2644-450-0x0000000008200000-0x0000000008266000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2644-447-0x0000000007F90000-0x000000000809A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2644-456-0x0000000007E40000-0x0000000007E50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2644-455-0x0000000009410000-0x000000000942E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2644-454-0x000000000AD90000-0x000000000B2BC000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2644-441-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2644-453-0x000000000A690000-0x000000000A852000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2644-445-0x0000000008450000-0x0000000008A68000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2644-446-0x0000000007E60000-0x0000000007E72000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2644-452-0x0000000009000000-0x0000000009076000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2644-448-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2644-449-0x0000000007E40000-0x0000000007E50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2644-451-0x0000000008FB0000-0x0000000009000000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4948-435-0x0000000000DB0000-0x000000000171A000-memory.dmp

            Filesize

            9.4MB

            Download

          • memory/4948-438-0x0000000003D90000-0x0000000003D9A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4948-436-0x00000000067C0000-0x0000000006D64000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4948-437-0x0000000006140000-0x00000000061D2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4948-440-0x0000000007E20000-0x0000000007E42000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4948-439-0x0000000006200000-0x0000000006210000-memory.dmp

            Filesize

            64KB

            Download