Analysis
- max time kernel: 144s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12/01/2024, 12:37
Static task: static1
Behavioral task: behavioral1
- Sample: 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Resource: win10v2004-20231215-en
General
- Target: 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Size: 978KB
- MD5: 567b2021c7a3db81cfd1421d3d7d37a1
- SHA1: 5b6e3b6c6840cc282f7458af24dc18ea03c44009
- SHA256: 4a0d83439be8a28152984b5800a6a1882d95e5ac361ad24131a688237bf403b7
- SHA512: bcc4cf1230cd7f51a813c48b984dc152d19f53ad10f0621f36903a528d408d01e488021d8d8f5f392b95c82fa3236f2aa14db3d2ad4dd128cf2ccc028b460675
- SSDEEP: 24576:tr065nEVHc2YRQCWnwO5BqGff8NfMuYETj5mWGYlyy/2zw:trpnRwwAfwMG5mWGYlyM2
Malware Config
Extracted
redline
@Cryptex777
109.248.203.166:29888
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2084-29-0x0000000000400000-0x00000000004DB000-memory.dmp | family_redline
  behavioral1/memory/2084-25-0x0000000000400000-0x00000000004DB000-memory.dmp | family_redline
  behavioral1/memory/2084-31-0x0000000000400000-0x00000000004DB000-memory.dmp | family_redline
  behavioral1/files/0x0009000000016047-45.dat | family_redline
  behavioral1/memory/2724-55-0x00000000000E0000-0x00000000000FE000-memory.dmp | family_redline
- SectopRAT payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2084-29-0x0000000000400000-0x00000000004DB000-memory.dmp | family_sectoprat
  behavioral1/memory/2084-25-0x0000000000400000-0x00000000004DB000-memory.dmp | family_sectoprat
  behavioral1/memory/2084-31-0x0000000000400000-0x00000000004DB000-memory.dmp | family_sectoprat
  behavioral1/files/0x0009000000016047-45.dat | family_sectoprat
  behavioral1/memory/2724-55-0x00000000000E0000-0x00000000000FE000-memory.dmp | family_sectoprat
- Executes dropped EXE (2 IoCs)
  pid | Process
  2724 | ._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
  1672 | Synaptics.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe
  2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe
  2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\ | 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2052 set thread context of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\windows\test.txt | 567b2021c7a3db81cfd1421d3d7d37a1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2196 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe
  1672 | Synaptics.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe
  Token: SeDebugPrivilege | 1672 | Synaptics.exe
  Token: SeDebugPrivilege | 1672 | Synaptics.exe
  Token: SeDebugPrivilege | 2724 | ._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2052 wrote to memory of 2196 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 29
  PID 2052 wrote to memory of 2196 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 29
  PID 2052 wrote to memory of 2196 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 29
  PID 2052 wrote to memory of 2196 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 29
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2052 wrote to memory of 2084 | 2052 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 30
  PID 2084 wrote to memory of 2724 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 32
  PID 2084 wrote to memory of 2724 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 32
  PID 2084 wrote to memory of 2724 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 32
  PID 2084 wrote to memory of 2724 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 32
  PID 2084 wrote to memory of 1672 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 33
  PID 2084 wrote to memory of 1672 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 33
  PID 2084 wrote to memory of 1672 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 33
  PID 2084 wrote to memory of 1672 | 2084 | 567b2021c7a3db81cfd1421d3d7d37a1.exe | 33
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"
  PID: 2052
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1134416911.xml"
    PID: 2196
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"
    PID: 2084
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe"
      PID: 2724
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 1672
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 113KB
  MD5: bba7f37febe5a32aaf106efbdb9dae31
  SHA1: 7f6131c49b06e8629922cb36079eb0582ce2ec62
  SHA256: 17d2c6e4da5ca57a442399df9c36c433c04a1a96b9ba953bb22ec484cc09e32e
  SHA512: fabed325c5434411abc3f68c8184b8a4aad8784c36722d40a32c68b48e9d5b240da454c3caa0d1bc3fe56f6dd4b9664bd7aa4278b70aac64e69b75f3153e99d2
- Filesize: 117KB
  MD5: 9e7c30e83596786a6c051c4343bc92b4
  SHA1: f440ccc6f8c955f088cae9c7e5f50c081ddd100a
  SHA256: a07011034caa74c2ba00b86a5727f4ce0cc53f3b6a3c15ceb5f840f5971479bc
  SHA512: c53b8d45bd359f98b8778e7f17341e063d9c56928626367509e0267d0c3a93ee63dd8008ecc1ac4555895ec3c35e82c7860978028881e1fac319f646801fafea
- Filesize: 122KB
  MD5: 60883e6613e3e8717b94bba6373cd9d4
  SHA1: c44eae8177af2f60c71b3449da3d98ce5e974172
  SHA256: 4e52eeb1609be6fc149c1afb5dce015a4dcc34c71016b12cd5c23921e543203c
  SHA512: d7ce933fbce4024b027201a7a8af622e276db57468773d933a5162bfb8b74a82e00455091ef7ac8b92de8153b9312831425819cc394db7d070d4d5683e5e5054
- Filesize: 98KB
  MD5: baa3ebcb1877d2bbafae1c9114d1b0de
  SHA1: 1279eade8092f4b6c401013e1355581e282ec748
  SHA256: 0859cbf8dab2379d2f4a0ef118a5075188a26b1233887e54ae696ba0293667a1
  SHA512: 8218474b2c64078a20421b62a0c8c9df8395aaab71b70ca77b2921bfbabaf8439c8c4fb63edc4f1a250922b58bf8c8797d91c2018c0dcc18449fae7bb6a238ea
- Filesize: 1KB
  MD5: e01551dd4eaae7daac1a481b968bd322
  SHA1: 1eedd233a4f81ac79aae4c1688ef7dcb93a963d4
  SHA256: 6ec51bd8855a8bced5cd045a80eaebf660d294446efa969b78bdf3ca568f4080
  SHA512: 464cdef19a28e8c99ac7b84e9befecf87c147120f035c985af1b366881407d40a48066f8172d0683bcca9e722594f281d17d4b096dfcd2e4719132842e6c46f2
- Filesize: 123KB
  MD5: e747cc0dd9903ef4eaff64d928a81194
  SHA1: c5b07e187ddd1ace0c7eccdd97f20ea8550e1150
  SHA256: ca4270b67ff57964634116c6cae14c13809dd96cc47c7b73c95c07ddf69d70c4
  SHA512: bc4d2f2c892964d72c589aa42006de24f74e95182430fd86f1e1db61456ebc7f5cfcfb5eca0effa875597182424b221cccb513cae043c09f37aa389cfae0808c
- Filesize: 166KB
  MD5: 0b1e4e922febc20e6d493dd7796c899f
  SHA1: b8f52ae241dc4b2ceda5d288c27157f489d826b7
  SHA256: 820673c6d11604e0777a6a205cbf7f46dc8f63795abe5bbf678b8f6a851516f1
  SHA512: c857de75fb34645117c72046985ae9df54f0dd8dcb0707664f9eb3d89488e0d9d690ebb7aa695ea051d2162613cc9a371e6187da5ed198a3c557430544fdc44d