Overview

overview

10

Static

static

1

Microsoft....ll.exe

windows7-x64

3

Microsoft....ll.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/01/2024, 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe

  • Size

    413KB

  • MD5

    8b549dd5d9bd265f5c2f660128ca0416

  • SHA1

    e30b5ff421c81114fc5f4e6d9fe52d201b4486a5

  • SHA256

    468b604307b567958f106df5a1503da9ce04390eda7c83f67bc38d08a09156f0

  • SHA512

    3441562ee73483eccc1f4eba9449f49a0248b5908b0f1b817bd166c78dcafe6235c4fee7989a8b0e4f9ceece52c92cd48c2df11d3bd418b32648b613f7658f25

  • SSDEEP

    6144:3l6C3WQk+iM53X+FduVXUCB5EU7hbBNrVO+DSLbyVnygTClugS+EI:3p9iMtX+6TLEUNb3rI+DSInTTC0gS+EI

Score
10/10
redlinew118evasioninfostealertrojan

Malware Config

Extracted

Family

redline

Botnet

W118

C2

77.73.134.2:4427

Attributes
  • auth_value

    709a90bfc5899237ba049ee1a7dec425

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Nirsoft 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 5 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4476
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\3b181df5-de77-4ead-af5a-55f0525950ef.exe
      "C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\3b181df5-de77-4ead-af5a-55f0525950ef.exe" /o /c "Windows-Defender" /r
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\AdvancedRun.exe" /SpecialRun 4101d8 3944
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3656
    • C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualStudio.Web.Publish.Contracts.dll.exe"
      2⤵
        PID:1812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\3b181df5-de77-4ead-af5a-55f0525950ef.exe
      Filesize

      25KB

      MD5

      5951b52c9b4d11ca7f4f33e5a3fb2c31

      SHA1

      0bc54fd699fff7b93e5c447a141c0d904924ab0d

      SHA256

      70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082

      SHA512

      30b3b1eed05ba724d9a19d0d301b6ffb45222a47cc5476cc7f61ae565ddea4deea669f6fc3f38a1c5f24396eb4d3d6a7a8b58992fdfe2fac57dbcc2fa5b9b1d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\01072950-83c0-4449-8845-d6552589f811\AdvancedRun.exe
      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit

    • memory/512-134-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/512-87-0x0000000006FB0000-0x0000000006FE2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/512-102-0x00000000065B0000-0x00000000065CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/512-129-0x0000000007640000-0x000000000765A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/512-89-0x000000006D340000-0x000000006D38C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/512-84-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/512-35-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/512-25-0x00000000026B0000-0x00000000026E6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/512-38-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/512-127-0x0000000007530000-0x000000000753E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/512-86-0x000000007F2C0000-0x000000007F2D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/512-126-0x0000000007500000-0x0000000007511000-memory.dmp

      Filesize

      68KB

      Download

    • memory/512-54-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1812-53-0x00000000053B0000-0x00000000053EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1812-40-0x0000000005480000-0x000000000558A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1812-139-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1812-51-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1812-27-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1812-33-0x00000000058C0000-0x0000000005ED8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1812-64-0x00000000053F0000-0x000000000543C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1812-36-0x0000000005350000-0x0000000005362000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2584-26-0x000001D68E340000-0x000001D68E34C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2584-29-0x00007FF993160000-0x00007FF993C21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2584-79-0x00007FF993160000-0x00007FF993C21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3656-61-0x0000000002270000-0x0000000002280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-88-0x000000007FB60000-0x000000007FB70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-124-0x0000000006F60000-0x0000000006F6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3656-91-0x000000006D340000-0x000000006D38C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3656-121-0x0000000006BE0000-0x0000000006C83000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3656-77-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3656-123-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3656-55-0x0000000002270000-0x0000000002280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-130-0x0000000007210000-0x0000000007218000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3656-133-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3656-122-0x0000000007530000-0x0000000007BAA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3656-85-0x0000000002270000-0x0000000002280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4252-32-0x00000000053A0000-0x00000000053C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4252-52-0x0000000005D90000-0x00000000060E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4252-138-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4252-37-0x0000000005D20000-0x0000000005D86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4252-92-0x000000006D340000-0x000000006D38C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4252-80-0x0000000006390000-0x00000000063AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4252-90-0x000000007F8C0000-0x000000007F8D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4252-128-0x00000000078E0000-0x00000000078F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4252-63-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4252-39-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4252-34-0x0000000005440000-0x00000000054A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4252-83-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4252-125-0x0000000007920000-0x00000000079B6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4252-31-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4252-28-0x0000000005540000-0x0000000005B68000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4476-0-0x0000000000A10000-0x0000000000A7C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/4476-8-0x0000000008680000-0x0000000008C24000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4476-4-0x0000000003240000-0x00000000032A8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/4476-3-0x0000000005900000-0x0000000005910000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4476-2-0x0000000005750000-0x00000000057EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4476-82-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4476-1-0x0000000074C20000-0x00000000753D0000-memory.dmp

      Filesize

      7.7MB

      Download