Overview

overview

10

Static

static

3

Setupppp.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    501s
  • max time network
    504s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    07/06/2023, 21:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Setupppp.rar

  • Size

    2.7MB

  • MD5

    b92274784508801cc505787210efecc7

  • SHA1

    edddb4e063c4c1b06de759479bc368817601e6c3

  • SHA256

    9d7429145a7643272e55fb1e756582ea9e3dd2daf182c518ee9816f44d81cf81

  • SHA512

    e0b2bd505e515eb6c0f9d303cc3d3fc3797a23d36c38e43ff46e808bd4b920e6ea2f5b2fe7e836a4b4ff2a555956e2e8bac379ee63ccbe75fac9a5ced63d034c

  • SSDEEP

    49152:i+7Kh+VRGEfU4z0J3VVHTych7Rwy0KputAmb6iqnOyG/0Onc63bg:iiKhcGMcfHTygl0uutJzfg

Score
10/10
redlineinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Setupppp.rar
    1⤵
    • Modifies registry class
    PID:2360
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5064
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:984
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Setupppp\" -spe -an -ai#7zMap7061:74:7zEvent18559
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4140
    • C:\Users\Admin\Desktop\Setupppp\Setup.exe
      "C:\Users\Admin\Desktop\Setupppp\Setup.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 624
        2⤵
        • Program crash
        PID:544
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4812 -ip 4812
      1⤵
        PID:3272

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\Desktop\Setupppp\Setup.exe
              Filesize

              1.0MB

              MD5

              d043e279c61ead42c8eb4be11c440bfa

              SHA1

              8d331bf365dae952d737851461e34b356c4c7038

              SHA256

              7acc1dc6e32284f96d588b74fb50bd6358b441fb1c31b09b9c3aafb370bda9a0

              SHA512

              2fdbbf54cf3fd4de08445268383d0bc16bb9e4ed6361c41c1f96e5fa97cbc5251d443c3e69d45f43c407483950ed62f7f6a62902005f226516caff824cc75603

              Download Submit

            • C:\Users\Admin\Desktop\Setupppp\Setup.exe
              Filesize

              1.0MB

              MD5

              d043e279c61ead42c8eb4be11c440bfa

              SHA1

              8d331bf365dae952d737851461e34b356c4c7038

              SHA256

              7acc1dc6e32284f96d588b74fb50bd6358b441fb1c31b09b9c3aafb370bda9a0

              SHA512

              2fdbbf54cf3fd4de08445268383d0bc16bb9e4ed6361c41c1f96e5fa97cbc5251d443c3e69d45f43c407483950ed62f7f6a62902005f226516caff824cc75603

              Download Submit

            • memory/4248-175-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/4248-180-0x0000000007FB0000-0x00000000085C8000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/4248-181-0x0000000007A00000-0x0000000007A12000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4248-182-0x0000000007B30000-0x0000000007C3A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4248-183-0x0000000007A60000-0x0000000007A9C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/4248-184-0x0000000007DD0000-0x0000000007DE0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4248-185-0x0000000007DB0000-0x0000000007DD0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4248-186-0x00000000088D0000-0x0000000008936000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4248-187-0x00000000089E0000-0x0000000008A72000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4248-188-0x0000000009030000-0x00000000095D4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4248-189-0x0000000008C60000-0x0000000008D62000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/4248-190-0x0000000008A80000-0x0000000008AF6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4248-191-0x00000000095E0000-0x00000000097A2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/4248-192-0x0000000009CE0000-0x000000000A20C000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4248-193-0x0000000008C30000-0x0000000008C4E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4248-194-0x0000000008F70000-0x0000000008FC0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4248-195-0x0000000007DD0000-0x0000000007DE0000-memory.dmp

              Filesize

              64KB

              Download