Analysis
-
max time kernel
2s
-
max time network
23s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
03-03-2024 14:58
Static task
static1
Behavioral task
behavioral1
Sample
582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe
Resource
win10v2004-20240226-en
General
-
Target
582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe
-
Size
20.9MB
-
MD5
2e501240ec8b9aab46d76a6504e44882
-
SHA1
1a97d7662e66502faa5a7718565bb362eb6f27bd
-
SHA256
582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00
-
SHA512
eae4aacbfcee43ad8f9b2acbddb1b3b71c2aec0064bc6605107eb8b254614361c77984d09e7eabb91fc26634822ac448d8be884dd8f174021c52979690c2f97b
-
SSDEEP
98304:Kj1ZAxOCU3yUetDvB6ti3FOU8jRdqY9d2omTt20+NVZ:mAxOCU3yUetDvB6ti1aOTtlcVZ
Malware Config
Extracted
redline
gg
67.203.7.148:2909
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource | yara_rule
C:\ProgramData\WinNet\gg.exe | family_redline
C:\ProgramData\WinNet\gg.exe | family_redline
behavioral1/memory/2144-51-0x00000000000E0000-0x0000000000130000-memory.dmp | family_redline
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2700 | embedded.exe
2144 | gg.exe
2620 | AnyDesk.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2964 | cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Repository = "C:\\ProgramData\\WinNet\\gg.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Repository = "C:\\ProgramData\\WinNet\\gg.exe" | REG.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
2620 | AnyDesk.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 2476 wrote to memory of 1648 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | REG.exe
PID 2476 wrote to memory of 1648 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | REG.exe
PID 2476 wrote to memory of 1648 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | REG.exe
PID 2476 wrote to memory of 2964 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | cmd.exe
PID 2476 wrote to memory of 2964 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | cmd.exe
PID 2476 wrote to memory of 2964 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | cmd.exe
PID 2476 wrote to memory of 2528 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | cmd.exe
PID 2476 wrote to memory of 2528 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | cmd.exe
PID 2476 wrote to memory of 2528 | 2476 | 582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe | cmd.exe
PID 2964 wrote to memory of 2700 | 2964 | cmd.exe | embedded.exe
PID 2964 wrote to memory of 2700 | 2964 | cmd.exe | embedded.exe
PID 2964 wrote to memory of 2700 | 2964 | cmd.exe | embedded.exe
PID 2528 wrote to memory of 2768 | 2528 | cmd.exe | WScript.exe
PID 2528 wrote to memory of 2768 | 2528 | cmd.exe | WScript.exe
PID 2528 wrote to memory of 2768 | 2528 | cmd.exe | WScript.exe
PID 2700 wrote to memory of 2388 | 2700 | embedded.exe | REG.exe
PID 2700 wrote to memory of 2388 | 2700 | embedded.exe | REG.exe
PID 2700 wrote to memory of 2388 | 2700 | embedded.exe | REG.exe
PID 2700 wrote to memory of 2152 | 2700 | embedded.exe | cmd.exe
PID 2700 wrote to memory of 2152 | 2700 | embedded.exe | cmd.exe
PID 2700 wrote to memory of 2152 | 2700 | embedded.exe | cmd.exe
PID 2700 wrote to memory of 2904 | 2700 | embedded.exe | cmd.exe
PID 2700 wrote to memory of 2904 | 2700 | embedded.exe | cmd.exe
PID 2700 wrote to memory of 2904 | 2700 | embedded.exe | cmd.exe
PID 2768 wrote to memory of 2144 | 2768 | WScript.exe | gg.exe
PID 2768 wrote to memory of 2144 | 2768 | WScript.exe | gg.exe
PID 2768 wrote to memory of 2144 | 2768 | WScript.exe | gg.exe
PID 2768 wrote to memory of 2144 | 2768 | WScript.exe | gg.exe
PID 2152 wrote to memory of 2620 | 2152 | cmd.exe | AnyDesk.exe
PID 2152 wrote to memory of 2620 | 2152 | cmd.exe | AnyDesk.exe
PID 2152 wrote to memory of 2620 | 2152 | cmd.exe | AnyDesk.exe
PID 2152 wrote to memory of 2620 | 2152 | cmd.exe | AnyDesk.exe
Processes
(process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\REG.exe
    Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Repository /t REG_SZ /F /D C:\ProgramData\WinNet\gg.exe
    - Adds Run key to start application
    - Modifies registry key
  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\ProgramData\WinNet\embedded.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\WinNet\embedded.exe
      Command line: C:\ProgramData\WinNet\embedded.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\REG.exe
        Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Repository /t REG_SZ /F /D C:\ProgramData\WinNet\gg.exe
        - Adds Run key to start application
        - Modifies registry key
      C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\ProgramData\WinNet\AnyDesk.exe
        - Suspicious use of WriteProcessMemory
        C:\ProgramData\WinNet\AnyDesk.exe
          Command line: C:\ProgramData\WinNet\AnyDesk.exe
          - Executes dropped EXE
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          C:\ProgramData\WinNet\AnyDesk.exe
            Command line: "C:\ProgramData\WinNet\AnyDesk.exe" --local-service
          C:\ProgramData\WinNet\AnyDesk.exe
            Command line: "C:\ProgramData\WinNet\AnyDesk.exe" --local-control
      C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\ProgramData\WinNet\p.vbs
  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\ProgramData\WinNet\p.vbs
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WinNet\p.vbs"
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\WinNet\gg.exe
        Command line: "C:\ProgramData\WinNet\gg.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\WinNet\AnyDesk.exe
Filesize
5.0MB
MD5 a21768190f3b9feae33aaef660cb7a83
SHA1 24780657328783ef50ae0964b23288e68841a421
SHA256 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512 ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
-
C:\ProgramData\WinNet\AnyDesk.exe
Filesize
1.7MB
MD5 96732f4887e69445fef7def898144909
SHA1 e454ba9dbab9ada3b2f415219e5a5d9b8c36c3dd
SHA256 f01e56bdf79a541d4f4a2d27d4d879b2bb48bb31aefa89a8c80e04fd90c11856
SHA512 1491bf44f36e1c7b10a5a526195edbce9332f3afa6d1b133ee5a4a7b8c40b6ee95f00dcc2eb8cabc3ac1a0237789dba291fbfe10176902b598d8fdf77985425d
-
C:\ProgramData\WinNet\AnyDesk.exe
Filesize
2.2MB
MD5 6acec2c366db8de6e70c2815ee3ff16f
SHA1 969fe2249d95fea769a01445190cb280e2b8e0a9
SHA256 46bcc354ac574804bb7490c56b9fdef0334840344928813715db9b0430bd1f43
SHA512 97fe824ed2af002c9f377e74fcf36fd2cf9867eead6e50dd17ce42228848ab5bef78172e7b8d84d1b3775671c1c31fbb7155d46a161bccc1e6fc085a502ef9de
-
C:\ProgramData\WinNet\embedded.exe
Filesize
1.9MB
MD5 a7100bd42a9f183af51cf569ab8d2834
SHA1 ef25a1336d2c1853af965c27308ce410511e78c5
SHA256 c7398d4c823f3466c870e5157a6ee44ce662daa07592ed3bc262e50166584eed
SHA512 3eda8c39101b0f08eae8152fef87c8435b055417d3ff70a187d91e59f3be864e7f7ac13dcb89ebe9f1c20b2f0a25dc3caecd5374d6d0db100d00eba89cbc5cbc
-
C:\ProgramData\WinNet\gg.exe
Filesize
297KB
MD5 20ab063f206eb8115fde1479e05c245e
SHA1 2088f3c51a5ad9e11da999a7114623274cc69692
SHA256 5ec4818da47f24ac8762bf73d0395662639142f86b930db138e586c2eb91b29e
SHA512 2dc3181d57ee616c1bb5860d0007d06c04ba1a693064fe7044d9f07939e99e54e8b2864ebbb7268118784a691037dad6756532bd149c74aeedc993d0d0e4a0c5
-
C:\ProgramData\WinNet\gg.exe
Filesize
263KB
MD5 31081cce3c034582c1b261f5d8546f34
SHA1 e20ac11266b5627a875066c4355e5150677e2b66
SHA256 9f4a344557809031bdcffca2578ab21850c53fab6229d6287b08979dce8a49a1
SHA512 87fe2803d7ddce440db7675012352a28ce9481dc805c7d63685634b9b94242e116792a2b7993bf29302dc809102456a1562157ab53319d32a8a157f9cc32a0f5
-
C:\ProgramData\WinNet\p.vbs
Filesize
170B
MD5 3ba4cebb444685d48f8b0dfd67c8390d
SHA1 8b84e1821c39ec8658e603e498b07e08dda2e6d1
SHA256 7f2bb84f63b47f35ee7eb70a35d35b81b63a7bcd39029cfb918fb6839f45a70c
SHA512 42b8271cd6343f7d75f4d5398370ed7d614c2250ea43531a9f19e80e5f0a339f6cc5ec565326cc6911b33bf872cef9b860d72d8887573d92d5c7661c580a232e
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
5KB
MD5 4a64f99b0cd510a9217baa839cda332d
SHA1 f0c3ca63fd7df2f0dcb43399387a0484ed13a550
SHA256 08da0ab7e3b059bf940cc9e27a73fde2fba98b676d913bfabe02b82953913978
SHA512 a74e2f51cf4dc5044b7a18237a6aec30a4f03905e30a69d62b92ebd5be3ae6b3f660f279dc350d1f005fdae4f5cbcdc333bf27db5f03c38e0f04aa493e38fd45
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
6KB
MD5 5db4016586af0d09097ac43012a63ac6
SHA1 52a3492f90936d982178e0c606170eb0e4a009c6
SHA256 dbd913741ffb04148d76932415a66974e7a5540b60dc532a7d85aa37af23d2fc
SHA512 8fd14ec400d3ab1bce985ce950afd1cb60fcbec71d54b8aa1ea5dbe9e310e26ff21793026fc4c37418e4e046f5aea6c251df23e8b3046ab49eea321213c230d8
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
367B
MD5 4bb99c81557361654addc59a4bab1cc4
SHA1 a85bf6cb42b184f9a3cbfde1e5167baaf337454e
SHA256 67fbe1d88eb2057c1b93fb6fc2701f3d5c7463201939635548e2edb62f701ef7
SHA512 7c89482dff2aeaeb52290c994e99824a8c6f4e1251671bbbeed831e4e174387e9c512e9358d406cd9435fa963eaf9516e1478bb93aa7c5f6acb17247b73d4154
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB
MD5 336979002dfccea2706ed67d13995416
SHA1 bc8f295a6e5b20df14caaacdf5d0a901efe9e8ad
SHA256 038a4d28a0d124ce69a1ba3677053e4a2a70202ed000fa92430c223b3555be13
SHA512 8c73cc473e2c4d7d82bf661e5bedf4f74fee6c18944b94674efe129d1f77b36b3d40e166b8df886f61fa4beadeda0fa107b3dd45a1f7558a14cfdb75f2bfadda
-
\ProgramData\WinNet\embedded.exe
Filesize
2.2MB
MD5 c396f16fbe803fc3ed28fb1cc279ae96
SHA1 e7bdb333a279d8b45062e2392aa39fc4716abcb4
SHA256 82f5dec1f6ae6058f14ceb9e192b53a458d22cc7a55161fa5ca67af76c6d2bed
SHA512 32f5d3cb27516e70eb93f89d42b466133f30ad0c89b8955a7d96db58db67dd7a8de7d350129da1f7e52539cb14da372d9462100ec2fcccaa01cd571ea80442aa
-
memory/1460-70-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/1460-71-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/1660-68-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/1660-67-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/1660-86-0x00000000002B0000-0x00000000002B1000-memory.dmp
Filesize
4KB
-
memory/1660-96-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/2144-51-0x00000000000E0000-0x0000000000130000-memory.dmp
Filesize
320KB
-
memory/2144-58-0x0000000004F90000-0x0000000004FD0000-memory.dmp
Filesize
256KB
-
memory/2144-55-0x0000000074B60000-0x000000007524E000-memory.dmp
Filesize
6.9MB
-
memory/2476-4-0x0000000000210000-0x0000000000211000-memory.dmp
Filesize
4KB
-
memory/2476-5-0x00000000004A0000-0x00000000004A1000-memory.dmp
Filesize
4KB
-
memory/2476-1-0x00000000032E0000-0x00000000043B5000-memory.dmp
Filesize
16.8MB
-
memory/2476-0-0x00000000000E0000-0x00000000000E1000-memory.dmp
Filesize
4KB
-
memory/2476-2-0x00000000032E0000-0x00000000043B5000-memory.dmp
Filesize
16.8MB
-
memory/2476-3-0x00000000032E0000-0x00000000043B5000-memory.dmp
Filesize
16.8MB
-
memory/2620-52-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/2620-78-0x0000000003C50000-0x0000000003C51000-memory.dmp
Filesize
4KB
-
memory/2620-80-0x0000000003D40000-0x0000000003D41000-memory.dmp
Filesize
4KB
-
memory/2620-57-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/2620-87-0x00000000009D0000-0x0000000002107000-memory.dmp
Filesize
23.2MB
-
memory/2620-56-0x00000000001B0000-0x00000000001B1000-memory.dmp
Filesize
4KB
-
memory/2700-27-0x0000000002BC0000-0x000000000337D000-memory.dmp
Filesize
7.7MB
-
memory/2700-25-0x0000000002BC0000-0x000000000337D000-memory.dmp
Filesize
7.7MB
-
memory/2700-24-0x00000000001E0000-0x00000000001E1000-memory.dmp
Filesize
4KB
-
memory/2700-33-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize
4KB
-
memory/2700-31-0x0000000000220000-0x0000000000221000-memory.dmp
Filesize
4KB
-
memory/2700-29-0x0000000002BC0000-0x000000000337D000-memory.dmp
Filesize
7.7MB