Analysis

max time kernel: 138s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2023 13:54
General

Target: 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
Size: 6.9MB
MD5: 56c197e493f74f9233a16cdefab3109f
SHA1: af35bd2fd5d884bdf6bea8aac695e98f5a00715a
SHA256: 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01
SHA512: d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086
SSDEEP: 98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E
Malware Config

Extracted family: amadey
Version: 3.89
C2: http://5.42.64.33/vu3skClDn/index.php
install_dir: a304d35d74
install_file: yiueea.exe
strings_key: 3ae6c4e6339065c6f5a368011bb5cb8c

Read together with the signatures below, the chain is: the submitted sample carries an Amadey 3.89 configuration, downloads a PE, and executes BestSoftware.exe from a numbered folder under Temp; each BestSoftware.exe instance then hollows a RegSvcs.exe child, and the RedLine YARA match is in the memory of that child (PID 3812).
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
Processes:
resource                                                                        yara_rule
behavioral1/memory/3812-69-0x0000000000400000-0x000000000045A000-memory.dmp     family_redline
(PID 3812 is the RegSvcs.exe spawned by BestSoftware.exe, PID 2072; see the process tree below.)
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description          ioc                                                                                                       Process
Key value queried    \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
Executes dropped EXE 2 IoCs
Processes:
pid     Process
2072    BestSoftware.exe
664     BestSoftware.exe
Memory matching YARA rule vmprotect 12 IoCs (the signature heading for this entry is missing from the page)
Processes:
resource                                                                        yara_rule
behavioral1/memory/4012-1-0x0000000000CD0000-0x0000000001740000-memory.dmp      vmprotect
behavioral1/memory/4012-2-0x0000000000CD0000-0x0000000001740000-memory.dmp      vmprotect
behavioral1/memory/4012-14-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/3964-17-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/3964-16-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/3964-20-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/3152-91-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/3152-90-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/3152-94-0x0000000000CD0000-0x0000000001740000-memory.dmp     vmprotect
behavioral1/memory/4312-154-0x0000000000CD0000-0x0000000001740000-memory.dmp    vmprotect
behavioral1/memory/4312-155-0x0000000000CD0000-0x0000000001740000-memory.dmp    vmprotect
behavioral1/memory/4312-158-0x0000000000CD0000-0x0000000001740000-memory.dmp    vmprotect
All twelve hits are the same 0x0000000000CD0000-0x0000000001740000 image range in the four instances of the submitted sample (PIDs 4012, 3964, 3152, 4312); the dropped BestSoftware.exe and the RegSvcs.exe children do not match this rule.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
pid     Process             description               target pid    procid_target
2072    BestSoftware.exe    set thread context of     3812          95
664     BestSoftware.exe    set thread context of     2192          98
(Both targets are the RegSvcs.exe children shown in the process tree below.)
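The SetThreadContext entries only become meaningful when joined with the WriteProcessMemory and AdjustPrivilegeToken entries for the same parent/child pairs. The following detector is an added example, not code from the original report or from any sandbox vendor: it takes a stream of sandbox-style API events and flags a parent that created a child, wrote into it repeatedly and then set its thread context. The `Event` field names, the `HOLLOW_HOSTS` list and the events returned by `sample_events()` are assumptions constructed to mirror this report's IoC counts (2072 -> 3812 and 664 -> 2192 with eight writes each; three writes from 4012 into its schtasks.exe child, which is not hollowed and must not be flagged).

```python
"""Flag process hollowing from sandbox-style API events (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Signed .NET utilities that normally run with no arguments and are popular
# hollowing hosts. Assumption for this example; extend from your telemetry.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe"}


@dataclass(frozen=True)
class Event:
    kind: str                # create | write_memory | set_thread_context | adjust_token
    pid: int                 # acting process
    target: int              # affected process (same as pid for adjust_token)
    target_image: str = ""   # image name of the created process (create only)
    detail: str = ""         # privilege name (adjust_token only)


def detect_hollowing(events, min_writes=2):
    """Return one finding per parent->child pair where the parent created the
    child, wrote into it at least `min_writes` times and called
    SetThreadContext on it. A known host image and SeDebugPrivilege on the
    parent are reported as supporting context, not required."""
    created = {}                 # child pid -> (parent pid, child image)
    writes = defaultdict(int)    # (pid, target) -> WriteProcessMemory count
    set_ctx = set()              # (pid, target) pairs with SetThreadContext
    debug_priv = set()           # pids that enabled SeDebugPrivilege
    for e in events:
        if e.kind == "create":
            created[e.target] = (e.pid, e.target_image.lower())
        elif e.kind == "write_memory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "set_thread_context":
            set_ctx.add((e.pid, e.target))
        elif e.kind == "adjust_token" and e.detail == "SeDebugPrivilege":
            debug_priv.add(e.pid)

    findings = []
    for parent, child in sorted(set_ctx):
        if created.get(child, (None, ""))[0] != parent:
            continue             # context set on a process it did not spawn
        if writes[(parent, child)] < min_writes:
            continue             # no injected image, just a context tweak
        image = created[child][1]
        findings.append({
            "parent": parent, "child": child, "child_image": image,
            "writes": writes[(parent, child)],
            "known_host": image in HOLLOW_HOSTS,
            "parent_debug_priv": parent in debug_priv,
        })
    return findings


def sample_events():
    """Constructed events reproducing this report's IoC counts (not a capture)."""
    ev = [Event("create", 4012, 4644, "schtasks.exe")]
    ev += [Event("write_memory", 4012, 4644)] * 3          # ordinary CreateProcess writes
    for parent, child in ((2072, 3812), (664, 2192)):
        ev.append(Event("create", 4012, parent, "BestSoftware.exe"))
        ev += [Event("write_memory", 4012, parent)] * 3
        ev.append(Event("adjust_token", parent, parent, detail="SeDebugPrivilege"))
        ev.append(Event("create", parent, child, "RegSvcs.exe"))
        ev += [Event("write_memory", parent, child)] * 8   # image written into the child
        ev.append(Event("set_thread_context", parent, child))
    return ev


if __name__ == "__main__":
    for finding in detect_hollowing(sample_events()):
        print(finding)
```

The three writes from PID 4012 into schtasks.exe are the same count the report shows for the two BestSoftware.exe launches, so the write count alone is not the signal; the combination with SetThreadContext on a child the same process created is what separates hollowing from normal process creation here.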
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
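The task shown in the process tree below (`/SC MINUTE /MO 1`, task name equal to the dropped file's SHA256-style name, action pointing into `AppData\Local\Temp`) is a compact example of what to score in schtasks telemetry. The scorer here is an added example, not code from the report or from any vendor: it tokenises a `schtasks /Create` command line, reads the flags and adds points for short intervals, user-writable action paths, hex-digest task names, name reuse and forced overwrite. The weights, the `STAGING_DIRS` pattern, the `HIGH` threshold and every line in `SAMPLE_CMDLINES` are assumptions; the first sample line reproduces this report's task, the rest are constructed contrasts.

```python
"""Score schtasks.exe /Create command lines for malware-style persistence (added example)."""
import re

# User-writable staging directories a legitimate task should rarely run from.
STAGING_DIRS = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE)
# Task names that are just an MD5/SHA1/SHA256 digest, as in this report.
HEX_NAME = re.compile(
    r"^[0-9a-f]{32}(\.exe)?$|^[0-9a-f]{40}(\.exe)?$|^[0-9a-f]{64}(\.exe)?$", re.IGNORECASE)
HIGH = 6   # assumed alert threshold

SAMPLE_CMDLINES = [   # constructed; [0] reproduces the task from this analysis
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
    r'/TN 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 03:00 /TN "Backup\Nightly" '
    r'/TR "C:\Program Files\Backup\backup.exe --full"',
    r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\Public\update.exe /F',
    r'schtasks.exe /Query /TN Updater',
]


def tokenize(cmdline):
    """Split on whitespace while honouring double quotes (Windows style)."""
    toks, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def parse_create(cmdline):
    """Return {'/flag': value-or-True} for a 'schtasks /Create' line, else None."""
    toks = tokenize(cmdline)
    flags, i = {}, 1                       # toks[0] is the schtasks image path
    while i < len(toks):
        t = toks[i]
        if t.startswith("/"):
            name = t.lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                flags[name] = toks[i + 1]
                i += 2
                continue
            flags[name] = True
        i += 1
    return flags if "/create" in flags else None


def score_schtasks(cmdline):
    """Return (score, reasons); score is None when the line is not a /Create."""
    flags = parse_create(cmdline)
    if flags is None:
        return None, []
    score, reasons = 0, []
    sc, mo = str(flags.get("/sc", "")).lower(), str(flags.get("/mo", ""))
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        score += 3; reasons.append(f"runs every {mo} minute(s)")
    elif sc in ("onlogon", "onstart", "onidle"):
        score += 1; reasons.append(f"trigger {sc}")
    tr = str(flags.get("/tr", ""))
    if STAGING_DIRS.search(tr):
        score += 3; reasons.append("action runs from a user-writable staging dir")
    tn = str(flags.get("/tn", ""))
    if HEX_NAME.match(tn):
        score += 2; reasons.append("task name is a bare hex digest")
    exe = tr.split("\\")[-1].split(" ")[0].lower()   # basename of the action
    if exe and tn.lower() == exe:
        score += 1; reasons.append("task name equals the executable name")
    if flags.get("/f") is True:
        score += 1; reasons.append("/F forces overwrite of an existing task")
    return score, reasons


def rank(cmdlines):
    """Return [(score, cmdline)] for /Create lines, highest score first."""
    scored = [(score_schtasks(c)[0], c) for c in cmdlines]
    return sorted(((s, c) for s, c in scored if s is not None), reverse=True)


if __name__ == "__main__":
    for s, c in rank(SAMPLE_CMDLINES):
        print("HIGH" if s >= HIGH else "low ", s, score_schtasks(c)[1])
```

The one-minute interval is worth matching on its own: it explains why this report's process tree shows three further top-level instances of the sample (PIDs 3964, 3152, 4312) within a 138-second run.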
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid     Process                                                                     entries
4012    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       2
3964    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       2
3812    RegSvcs.exe                                                                 4
3152    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       2
2192    RegSvcs.exe                                                                 4
4312    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       2
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
pid     Process             Token
2072    BestSoftware.exe    SeDebugPrivilege
3812    RegSvcs.exe         SeDebugPrivilege
664     BestSoftware.exe    SeDebugPrivilege
2192    RegSvcs.exe         SeDebugPrivilege
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
pid     Process                                                                     wrote to pid    procid_target    entries
4012    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       4644            85               3
4012    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       2072            94               3
2072    BestSoftware.exe                                                            3812            95               8
4012    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe       664             97               3
664     BestSoftware.exe                                                            2192            98               8
The eight writes from each BestSoftware.exe into its RegSvcs.exe child, paired with the SetThreadContext entries above, are the process-hollowing pattern. The three writes into schtasks.exe (PID 4644), a child that is not hollowed, show that a small number of writes accompanies ordinary process creation in this report and is not by itself a signal.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4012

    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe /TR "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe" /F
        (The command line names System32 but the image that ran is under SysWOW64: WoW64 file-system redirection, so the parent is a 32-bit process, consistent with the arch:x86 resource tag.)
        - Creates scheduled task(s)
        PID: 4644

    [2] C:\Users\Admin\AppData\Local\Temp\1000066001\BestSoftware.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000066001\BestSoftware.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2072

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3812

    [2] C:\Users\Admin\AppData\Local\Temp\1000068001\BestSoftware.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000068001\BestSoftware.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 664

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2192

[1] C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    - Suspicious behavior: EnumeratesProcesses
    PID: 3964

[1] C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    - Suspicious behavior: EnumeratesProcesses
    PID: 3152

[1] C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    - Suspicious behavior: EnumeratesProcesses
    PID: 4312

(The three later top-level instances, PIDs 3964, 3152 and 4312, have no parent in the tree and are consistent with the one-minute scheduled task re-launching the sample during the 138-second run.)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 522B
MD5: 8334a471a4b492ece225b471b8ad2fc8
SHA1: 1cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA256: 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA512: 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Filesize: 2KB
MD5: 4fd6b3a467056385abd8ed1f85da0fa2
SHA1: 4c42cd69ac787622af8b0748cb72b76911f9ff76
SHA256: 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec
SHA512: 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289

Filesize: 708B
MD5: 2382378378c002d88b9a507c712c3349
SHA1: 2e894db3808b554abadc8b144338ad9e2ea937ba
SHA256: 37a4e56c497e170de6e152bc479624eb8d7ccb35bad5a190f2fdb17ac699cffa
SHA512: 2120f9ae9e5d63ee9aa5aa25e24081662059bdeb01afd8b21ddb8bdfff22832ea0c1dec51dbcbf714e1e82537d624f0ddf0b862ff218b9d2a38941fbe63c3258

Filesize: 1.4MB (this entry appears five times in the report with identical hashes; listed once here)
MD5: 1c9cb19f72b337353fab5826b145b2f3
SHA1: 2fe6ddb2fb7fc0082388904ffddb5902c520179b
SHA256: f217f02bbbf1b37386d8611b2ef07dd562d33dc1b31d84a260e11decf082b66a
SHA512: 90a14e5be34e1f6b23c1ccbfb80b5f29d1ce6e1d58573de82abeb14b5a00f2bfbda4fc0d45058d6a5362274c08b0d280a4d280097f72ba3eb9b59db46acaf1bc

Filesize: 1KB
MD5: bf00c8de950425eb991277d0f6521954
SHA1: b905849dac07a1893e14ce75b23d6e9170b4f972
SHA256: a93b38ed77ad75dc0119f8787cbcc699cd17192b1bb06209460be92d156ffff4
SHA512: dceb513f914cbd501c7ed94f623d3f6d9eb84f72bc1b8cd69ae141ead383dd04f0671a97a54002b7b4f2d55acb1f1c2b01f4b54511650f6ff8cca8322f31ce29