Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
29/10/2023, 11:43
General
-
Target
winPEASx64.exe
-
Size
2.3MB
-
MD5
4b63208d99641fbb72aa57e54886423c
-
SHA1
6db92837b1c60716bb2a84f91405c20b637b9c2d
-
SHA256
54717ae2ead16c76d36799347143b3de322ee07c0836b504b383bbf6eaebeaca
-
SHA512
bb0bc01e9fe5dc18543ccadab8391e1672fabfd790f994b472d98c10eef8d262147cb6ac76ad7a62b39fed76ac36d777ac2903bb3ab8f535d85fd3d43590e02c
-
SSDEEP
24576:aJjmTSVj3ZwZ/3AhysPoxBMF7Cpx6hBdNKkThXHf5geLPA:UmT0Wt34ysPxM0j4kBHf5g4
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe"C:\Users\Admin\AppData\Local\Temp\winPEASx64.exe"1⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exe"systeminfo.exe"2⤵
- Gathers system information
-
-
C:\Windows\system32\netsh.exe"netsh" wlan show profiles2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
5.9MB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
292KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
376KB
-
Filesize
768KB
-
Filesize
376KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
36KB
-
Filesize
52KB
-
Filesize
84KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
168KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
44KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
376KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
376KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
168KB
-
Filesize
36KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
68KB
-
Filesize
384KB
-
Filesize
172KB
-
Filesize
2.0MB
-
Filesize
172KB
-
Filesize
384KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
52KB
-
Filesize
204KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
348KB
-
Filesize
60KB
-
Filesize
60KB