Analysis
max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/01/2024, 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: 567b2021c7a3db81cfd1421d3d7d37a1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 567b2021c7a3db81cfd1421d3d7d37a1.exe
  Resource: win10v2004-20231215-en
General
Target: 567b2021c7a3db81cfd1421d3d7d37a1.exe
Size: 978KB
MD5: 567b2021c7a3db81cfd1421d3d7d37a1
SHA1: 5b6e3b6c6840cc282f7458af24dc18ea03c44009
SHA256: 4a0d83439be8a28152984b5800a6a1882d95e5ac361ad24131a688237bf403b7
SHA512: bcc4cf1230cd7f51a813c48b984dc152d19f53ad10f0621f36903a528d408d01e488021d8d8f5f392b95c82fa3236f2aa14db3d2ad4dd128cf2ccc028b460675
SSDEEP: 24576:tr065nEVHc2YRQCWnwO5BqGff8NfMuYETj5mWGYlyy/2zw:trpnRwwAfwMG5mWGYlyM2
Malware Config
Extracted
  Family: redline
  Botnet: @Cryptex777
  C2: 109.248.203.166:29888
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4780-13-0x0000000000400000-0x00000000004DB000-memory.dmp   family_redline
  behavioral2/memory/4780-16-0x0000000000400000-0x00000000004DB000-memory.dmp   family_redline
  behavioral2/memory/1576-143-0x0000000000620000-0x000000000063E000-memory.dmp  family_redline

SectopRAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4780-13-0x0000000000400000-0x00000000004DB000-memory.dmp   family_sectoprat
  behavioral2/memory/4780-16-0x0000000000400000-0x00000000004DB000-memory.dmp   family_sectoprat
  behavioral2/memory/1576-143-0x0000000000620000-0x000000000063E000-memory.dmp  family_sectoprat
  Note: the SectopRAT rule fires on exactly the same three dumps as the RedLine rule, so this is rule overlap on one payload rather than evidence of a second family. 0x400000 is the default image base of a 32-bit executable, consistent with PID 4780 being the second instance that PID 2876 hollows (see SetThreadContext below); the extracted configuration (@Cryptex777, 109.248.203.166:29888) is the RedLine one.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  567b2021c7a3db81cfd1421d3d7d37a1.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  567b2021c7a3db81cfd1421d3d7d37a1.exe
  (Both instances of the sample, PID 2876 and PID 4780, carry this tag in the process tree.)

Executes dropped EXE (2 IoCs)
  pid   Process
  1576  ._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
  1116  Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  567b2021c7a3db81cfd1421d3d7d37a1.exe
  The WOW6432Node path shows the writer is a 32-bit process on x64 Windows (the schtasks image path below is redirected to SysWOW64 for the same reason). The value points into ProgramData, a location a standard user can write to, and the value name imitates the legitimate Synaptics touchpad driver.

Drops file in System32 directory (1 IoC)
  description   ioc                   Process
  File created  C:\Windows\SysWOW64\  567b2021c7a3db81cfd1421d3d7d37a1.exe
  (Only the directory is recorded in the report; the file name is not given.)

Suspicious use of SetThreadContext (1 IoC)
  description                               pid   Process                               procid_target
  PID 2876 set thread context of 4780       2876  567b2021c7a3db81cfd1421d3d7d37a1.exe  94
  procid_target is the sandbox's internal index of the target process (94 is PID 4780), not the PID. Together with the thirteen WriteProcessMemory events from 2876 into 4780 and the family_redline hits at 4780's image base, this is the process-hollowing step: the first instance starts a second copy of itself, overwrites it with the RedLine payload and redirects execution with SetThreadContext.

Drops file in Windows directory (1 IoC)
  description   ioc                  Process
  File created  C:\windows\test.txt  567b2021c7a3db81cfd1421d3d7d37a1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  848  schtasks.exe
  (Task "Update\Update" is registered from an XML definition in the user's Temp folder; see the process tree for the full command line. Because the trigger and action live in the XML, the command line alone does not reveal what the task runs.)

Modifies registry class (1 IoC)
  description  ioc                                                                                                   Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  567b2021c7a3db81cfd1421d3d7d37a1.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2876  567b2021c7a3db81cfd1421d3d7d37a1.exe
  1116  Synaptics.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2876  567b2021c7a3db81cfd1421d3d7d37a1.exe
  Token: SeDebugPrivilege  1116  Synaptics.exe
  Token: SeDebugPrivilege  1116  Synaptics.exe
  Token: SeDebugPrivilege  1576  ._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                       pid   Process                               procid_target  count
  PID 2876 wrote to memory of 848   2876  567b2021c7a3db81cfd1421d3d7d37a1.exe  92             3
  PID 2876 wrote to memory of 4780  2876  567b2021c7a3db81cfd1421d3d7d37a1.exe  94             13
  PID 4780 wrote to memory of 1576  4780  567b2021c7a3db81cfd1421d3d7d37a1.exe  97             3
  PID 4780 wrote to memory of 1116  4780  567b2021c7a3db81cfd1421d3d7d37a1.exe  96             3
  (Identical rows are collapsed; count gives how many times each appears in the original 22-row list. The 848, 1576 and 1116 targets each receive only the few writes a parent makes when it simply creates a child; the thirteen writes into 4780 stand out as the hollowing payload being written in.)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"
    PID: 2876
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1221637971.xml"
        PID: 848
        - Creates scheduled task(s)
        (The command line names System32 but the image that ran is SysWOW64\schtasks.exe: file-system redirection because the parent is 32-bit.)

    [2] C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"
        PID: 4780 (second instance of the sample; target of SetThreadContext from PID 2876, and the process whose memory at 0x400000-0x4DB000 matches family_redline)
        - Checks computer location settings
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\ProgramData\Synaptics\Synaptics.exe
            cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            PID: 1116
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe"
            PID: 1576
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            (family_redline also matches this process's memory at 0x620000-0x63E000. The ._cache_ prefix together with a Synaptics.exe launcher started with InjUpdate is the naming pattern of the Synaptics/XRed file infector, which prepends itself to a host executable and runs the original as ._cache_<name>.exe; the report does not tag that family, so treat the attribution as an inference from naming only.)
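Triage helper for the relationships in the Signatures tables and the process tree above, written as an added example for this page (it is not the sandbox's own tooling, and the '|'-separated event format, field names and path heuristics are assumptions made for the example). The events are constructed from the report's PIDs, image paths, registry keys and command line. It flags the four things worth escalating from this report: a SetThreadContext into a same-image child the parent has already written to (hollowing), a Run key pointing at a user-writable path, a schtasks /Create driven by an XML in Temp, and the Geo\Nation read.

```python
"""Flag hollowing, persistence and geofence indicators in sandbox-style events.

Added example; not the sandbox's code or export format. Event types (assumed):
  proc|pid|image        process created
  wpm|pid|target_pid    WriteProcessMemory
  stc|pid|target_pid    SetThreadContext
  cmd|pid|command_line  command line of a process
  reg|pid|key|value     registry value set
  regq|pid|key          registry value queried
"""
import re
from collections import defaultdict

# Constructed from the report's IoC tables and process tree.
EVENTS = r"""
proc|2876|C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
proc|848|C:\Windows\SysWOW64\schtasks.exe
proc|4780|C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
proc|1116|C:\ProgramData\Synaptics\Synaptics.exe
proc|1576|C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
regq|2876|\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
wpm|2876|848
wpm|2876|4780
stc|2876|4780
wpm|4780|1116
wpm|4780|1576
cmd|848|"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1221637971.xml"
reg|4780|HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver|C:\ProgramData\Synaptics\Synaptics.exe
"""

# Locations a standard user can write to; persistence pointing here is a red flag.
USER_WRITABLE = re.compile(r"^(c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\)", re.I)


def parse_events(text):
    """Split the event text into tuples of fields, skipping blank lines."""
    return [tuple(line.split("|")) for line in text.strip().splitlines() if line.strip()]


def triage(text):
    """Return a list of (finding, detail) pairs derived from the events."""
    rows = parse_events(text)
    image = {int(r[1]): r[2] for r in rows if r[0] == "proc"}  # pid -> image path
    wpm = defaultdict(set)                                       # writer pid -> {target pid}
    for r in rows:
        if r[0] == "wpm":
            wpm[int(r[1])].add(int(r[2]))

    findings = []
    for r in rows:
        kind = r[0]
        if kind == "stc":
            src, dst = int(r[1]), int(r[2])
            # Hollowing: the parent writes into a child running the same image,
            # then redirects the child's thread context.
            if image.get(src) == image.get(dst) and dst in wpm[src]:
                findings.append(("process_hollowing", f"{src} -> {dst} ({image[dst]})"))
        elif kind == "cmd" and "schtasks" in r[2].lower() and "/create" in r[2].lower():
            # Task registered from an XML file: trigger and action live in the file,
            # not on the command line, so record where the file came from.
            tn = re.search(r'/TN\s+"([^"]+)"', r[2], re.I)
            xml = re.search(r'/XML\s+"([^"]+)"', r[2], re.I)
            if xml and USER_WRITABLE.match(xml.group(1)):
                name = tn.group(1) if tn else "?"
                findings.append(("scheduled_task", f'task "{name}" from {xml.group(1)} (pid {r[1]})'))
        elif kind == "reg" and "\\currentversion\\run\\" in r[2].lower():
            value = r[3]
            if USER_WRITABLE.match(value):
                # Tie the Run value back to a process that actually executed from it.
                ran = [p for p, img in image.items() if img.lower() == value.lower()]
                tail = f" (executed as pid {ran[0]})" if ran else ""
                findings.append(("run_key", f"{r[2]} -> {value}{tail}"))
        elif kind == "regq" and r[2].lower().endswith(r"\geo\nation"):
            findings.append(("geo_check", f"pid {r[1]} read {r[2]}"))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(EVENTS):
        print(f"{finding:20} {detail}")
```

The hollowing rule deliberately requires both a prior WriteProcessMemory and a matching image path, so a parent that merely launches a child (848, 1116, 1576 here) does not trigger it; only the 2876 -> 4780 pair does. Run the script to see the four findings in event order.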
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 96d9b445e5ef478537dd07eb639374fa
SHA1: f10f497562fd6aa3e9788b40254c146316784415
SHA256: 30513d1f58f1f4a23b66262710f670c92f493b571e862e9231ddf0181b91a186
SHA512: b07668478ae645220a72641e7f56f5f0f6a719d289e1dc0d8f1499c2e6041d28fdae57c8679e12ea70ba7e13b486e4aeb0a9ca5c12e27a85ae1126d20232a772