Analysis
max time kernel: 82s
max time network: 132s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 17-09-2023 21:41
Static task: static1
Behavioral task: behavioral1 (Sample: Setupp.zip, Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: Setupp.zip, Resource: win10v2004-20230915-en)
General
Target: Setupp.zip
Size: 132.8MB
MD5: 1b05efdd19f4f3f08225bc2329386a32
SHA1: dac6df0393b94ff4872f231b4304e27d14ac3f4b
SHA256: 6ba0530cb54066d2ff66b8d57639542c2f6053f2e3e5cb69e051ab55eadb406f
SHA512: bf5c74121bb82e73de691d256ff0adf0413499f7225d610e67abb703bef30b894cdded1fdc230fc145ae2d554e0b381a34f01e4905ebb7cf6b43bbd41ee3442b
SSDEEP: 3145728:qFChK0NJRkBk96UY4wtc1Tv+iq7vfaFBYNnljoJpwl14moVruNxRIIP8g:qFCK3Bz4wK9qbKBQljewEBANxP
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2452-25-0x0000000000400000-0x0000000000442000-memory.dmp | family_redline
behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp | family_redline
behavioral1/memory/2452-29-0x0000000000400000-0x0000000000442000-memory.dmp | family_redline
behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp | family_redline
behavioral1/memory/2452-34-0x0000000000400000-0x0000000000442000-memory.dmp | family_redline
behavioral1/memory/2452-36-0x0000000004720000-0x0000000004760000-memory.dmp | family_redline

Executes dropped EXE (1 IoC)
pid | Process
1100 | Setup.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1100 set thread context of 2452 | 1100 | Setup.exe | 41

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid | Process
1064 | ipconfig.exe
1888 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1100 | Setup.exe
1160 | 7zFM.exe
2452 | aspnet_compiler.exe
2452 | aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1160 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1160 | 7zFM.exe
Token: 35 | 1160 | 7zFM.exe
Token: SeSecurityPrivilege | 1160 | 7zFM.exe
Token: SeDebugPrivilege | 1100 | Setup.exe
Token: SeDebugPrivilege | 2452 | aspnet_compiler.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1160 | 7zFM.exe
1160 | 7zFM.exe

Suspicious use of WriteProcessMemory (32 IoCs)
The 32 logged calls are collapsed to one row per source/target pair; "count" is the number of calls logged for that pair.
description | pid | Process | procid_target | count
PID 1160 wrote to memory of 1100 | 1160 | 7zFM.exe | 34 | 7
PID 1100 wrote to memory of 2076 | 1100 | Setup.exe | 35 | 4
PID 2076 wrote to memory of 1064 | 2076 | cmd.exe | 37 | 4
PID 1100 wrote to memory of 2360 | 1100 | Setup.exe | 38 | 4
PID 2360 wrote to memory of 1888 | 2360 | cmd.exe | 39 | 4
PID 1100 wrote to memory of 2452 | 1100 | Setup.exe | 41 | 9
Processes
(Depth markers [1]..[4] are the report's own tree levels; "cmd:" is the logged command line.)

[1] C:\Windows\Explorer.exe
    cmd: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Setupp.zip
    PID: 1404

[1] C:\Windows\explorer.exe
    cmd: "C:\Windows\explorer.exe"
    PID: 2496

[1] C:\Program Files\7-Zip\7zFM.exe
    cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setupp.zip"
    PID: 1160
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe"
        PID: 1100
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c ipconfig /release
            PID: 2076
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\ipconfig.exe
                cmd: ipconfig /release
                PID: 1064
                - Gathers network information

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            PID: 2360
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\ipconfig.exe
                cmd: ipconfig /renew
                PID: 1888
                - Gathers network information

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            PID: 2452
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
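The process tree and the WriteProcessMemory / SetThreadContext signatures describe one chain: 7zFM.exe runs Setup.exe straight out of a 7-Zip temp folder, Setup.exe drops and renews the DHCP lease through two cmd.exe wrappers, then writes nine times into a freshly started aspnet_compiler.exe and resets its thread context, after which the RedLine YARA rule fires on that process's 0x400000-0x442000 region. The SysWOW64 image paths next to System32 command lines, and the 0x400000 base, are consistent with a 32-bit Setup.exe running under WoW64 file-system redirection; that reading is the editor's, not the sandbox's. The script below is an added example and is not part of the sandbox report: it transcribes the report's PIDs, image paths, command lines and call counts into plain Python structures and applies the checks an analyst would run over such a trace. The event layout, the function names, the walk-up through cmd.exe to attribute the ipconfig calls, and the 7-Zip Temp\7zO<hex> path heuristic are assumptions of this script.

```python
"""Reconstruct the injection and network-reset chain from sandbox behaviour events.

Added example, not sandbox output. PIDs, paths, command lines and call counts
are transcribed from the report; the data layout, helper names and heuristics
are assumptions of this script.
"""
import re
from collections import Counter

# pid -> (parent pid, image path, command line), transcribed from the process tree
PROCESSES = {
    1160: (None, r"C:\Program Files\7-Zip\7zFM.exe",
           r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setupp.zip"'),
    1100: (1160, r"C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe"'),
    2076: (1100, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    1064: (2076, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    2360: (1100, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    1888: (2360, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /renew"),
    2452: (1100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
           r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
}

# (source pid, target pid) -> number of WriteProcessMemory calls listed in the report
WRITES = Counter({(1160, 1100): 7, (1100, 2076): 4, (2076, 1064): 4,
                  (1100, 2360): 4, (2360, 1888): 4, (1100, 2452): 9})
# (source pid, target pid) pairs with a logged SetThreadContext call
SET_THREAD_CONTEXT = [(1100, 2452)]


def hollowing_candidates(writes=WRITES, set_ctx=SET_THREAD_CONTEXT):
    """Parent writes into a child and then resets one of its thread contexts.

    Every CreateProcess in this trace shows a few WriteProcessMemory calls
    (cmd.exe and ipconfig.exe each receive 4), so writes alone are noise; the
    discriminator is SetThreadContext on the same (source, target) pair, the
    step that points a suspended primary thread at the written-in image.
    Returns (src_pid, dst_pid, dst_image, write_count) tuples.
    """
    hits = []
    for src, dst in set_ctx:
        n = writes.get((src, dst), 0)
        if n:
            hits.append((src, dst, PROCESSES[dst][1], n))
    return hits


def argless_system_hosts(procs=PROCESSES):
    """Windows-directory binaries started with no arguments by a non-Windows parent.

    aspnet_compiler.exe does nothing useful without arguments; a build tool
    launched bare from a Temp-folder installer is a typical hollowing host.
    Returns (parent_pid, pid, image) tuples.
    """
    hits = []
    for pid, (ppid, image, cmdline) in procs.items():
        bare = cmdline.strip('"').lower() == image.lower()
        in_windows = image.lower().startswith(r"c:\windows")
        parent = procs.get(ppid)
        parent_in_windows = parent is not None and parent[1].lower().startswith(r"c:\windows")
        if bare and in_windows and parent and not parent_in_windows:
            hits.append((ppid, pid, image))
    return hits


def network_reset_pairs(procs=PROCESSES):
    """Originating PIDs whose descendants ran both 'ipconfig /release' and 'ipconfig /renew'.

    Dropping and re-acquiring the DHCP lease is how this sample resets
    connectivity; walking up past cmd.exe wrappers attributes both calls to
    the same originating process (assumed heuristic).
    """
    def originator(pid):
        while pid is not None and procs[pid][1].lower().endswith("cmd.exe"):
            pid = procs[pid][0]
        return pid

    seen = {}
    for pid, (ppid, image, cmdline) in procs.items():
        m = re.search(r"ipconfig\s+/(release|renew)\b", cmdline, re.I)
        if m and image.lower().endswith("ipconfig.exe"):
            seen.setdefault(originator(ppid), set()).add(m.group(1).lower())
    return sorted(p for p, flags in seen.items() if flags == {"release", "renew"})


def extracted_from_7zip(procs=PROCESSES):
    """PIDs whose image lives in a 7-Zip temporary extraction folder (Temp\\7zO<hex>\\).

    Assumed heuristic: 7-Zip File Manager extracts to such a folder when a file
    is opened straight from the archive, which is this report's dropped-EXE path.
    """
    pat = re.compile(r"\\Temp\\7zO[0-9A-F]+\\", re.I)
    return sorted(pid for pid, (_, image, _) in procs.items() if pat.search(image))


if __name__ == "__main__":
    print("hollowing candidates:", hollowing_candidates())
    print("argless Windows hosts:", argless_system_hosts())
    print("network reset originated by:", network_reset_pairs())
    print("run from 7-Zip temp folder:", extracted_from_7zip())
```

On this trace all four checks converge on the same two processes: Setup.exe (1100) is the 7-Zip-extracted originator of the release/renew pair and the injector, and aspnet_compiler.exe (2452) is the bare-launched host that received nine writes and a thread-context reset, which matches where the family_redline memory hits land.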
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 389.1MB
MD5: 0a0d715aba787ffc967b0ec08ca4abc5
SHA1: 8a24988c8355a85b39cf348a6e21f3bd527fc1df
SHA256: 392d3960bccf8da7688e5f0f59bb3fc326e25b9be8147815b8b23813d668f91d
SHA512: 4cf2a673f29808e70e5d6c59e70bad56640be7dfeaf3bb2beb903fa459b1cf65e4918a7a5c882ffc13808bf19ce714d8682df0c6b7bf634b96e7b4994684c35f

Filesize: 488.9MB
MD5: c013f924fe04c61baafb46118f79b54c
SHA1: 93c130fc8c3ecbeee9658b9799ba94174e0c1324
SHA256: 82251e875c64777065d78aff3bf4e3a00f2257712d92097c2e94bb20047fd829
SHA512: 541da64330c46d7ba57622557e697be1dac1fdc6fa0a9e059ffc531c8c04d6df1888672fc0bc66c51317dd827581e63e3475e7c1abb83df8558291f9f4e3fd8e

Filesize: 488.5MB
MD5: adb71e34d1d367498227f12817de6647
SHA1: fc7f00df701122f7036dd4975e45b92e383a1077
SHA256: b12fe37e478296348e0af512d1717a1bd71469baacfe7e74c980d3061b3ea64f
SHA512: 4dafc60931a5c411fe14f198345ab7a69f53f01922a0c0af83ee49112205002ce97e34a3696308a5f333d7c11810084787849416be4badd530fbf71de34ee888

Filesize: 61KB
MD5: f3441b8572aae8801c04f3060b550443
SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Filesize: 163KB
MD5: 9441737383d21192400eca82fda910ec
SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf