Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 11:24
Static task: static1
Behavioral task: behavioral1
Sample: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
Resource: win7-20240221-en
General
Target: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
Size: 1.9MB
MD5: 1a933b075452db624a756f76662a0614
SHA1: 264bedf3867851461ea52b75650f414fcebb61ef
SHA256: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d
SHA512: 8f84c2c548d5774c5e942cef1dc5e0eb6e82a79d22a30b636bf0a98fad535cfab5e77a380c1c167ea33caca1ee397e64490eff0672cc915d1c8e797eb63e1071
SSDEEP: 24576:GubsnafAPyjSzuubsnafAPyjZrilCQZCC3kmnrAa1rmqUeIiVfox2oTVZHeBFpUH:YI4wI1iln73XnrA0dqiFoHcpfi/Znqh0
Malware Config
Extracted
Family: redline
Botnet: 1
C2: 77.221.156.45:18734
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe, work.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | work.exe

Executes dropped EXE (2 IoCs)
Processes: work.exe, dwrtg.exe
pid | process
4924 | work.exe
3956 | dwrtg.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: dwrtg.exe
pid | process
3956 | dwrtg.exe
3956 | dwrtg.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: dwrtg.exe
pid | process
3956 | dwrtg.exe
3956 | dwrtg.exe
3956 | dwrtg.exe
3956 | dwrtg.exe
3956 | dwrtg.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: dwrtg.exe
description | pid | process
Token: SeDebugPrivilege | 3956 | dwrtg.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: dwrtg.exe
pid | process
3956 | dwrtg.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe, cmd.exe, work.exe
description | pid | process | target process
PID 2396 wrote to memory of 4368 | 2396 | 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe | cmd.exe
PID 2396 wrote to memory of 4368 | 2396 | 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe | cmd.exe
PID 2396 wrote to memory of 4368 | 2396 | 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe | cmd.exe
PID 4368 wrote to memory of 4924 | 4368 | cmd.exe | work.exe
PID 4368 wrote to memory of 4924 | 4368 | cmd.exe | work.exe
PID 4368 wrote to memory of 4924 | 4368 | cmd.exe | work.exe
PID 4924 wrote to memory of 3956 | 4924 | work.exe | dwrtg.exe
PID 4924 wrote to memory of 3956 | 4924 | work.exe | dwrtg.exe
PID 4924 wrote to memory of 3956 | 4924 | work.exe | dwrtg.exe
Processes

C:\Users\Admin\AppData\Local\Temp\679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe (depth 3)
      command line: work.exe -priverdD
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize: 35B
MD5: ff59d999beb970447667695ce3273f75
SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize: 1.6MB
MD5: 8a4879228a1be7f3607b3e273eed0a4b
SHA1: f3e0e38342319067c69960421535d5350961617b
SHA256: 59a114ce6fb1eecdb755d07bff991d2463a313e5726f97bd1fe17dd42f83a869
SHA512: c8aa9fcfef49346564111ae8d8e0bae9aa5a9bc5a4bb01db658967de0adcd0d07a20c158b6d4dfa2b591ca7b14235590f8ba23af4f86367edba15383c847d5fd

C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe
Filesize: 1.3MB
MD5: 54a764920f77d7fa6e0362c87fef1a00
SHA1: bf50ce0c1086fe415dea79aecc1f484922a3a723
SHA256: 5e9bcca94777fe32ffbf38991c2d7123b26bc0e7bc7a347683f66d19d298fa57
SHA512: 3839b7344a2ca58bc9bc0bd89cc05325aa009f013865728c237f2d26a56c430a07b71aa5a36e503393e48ba592f3a3d245d5df117f117735406e2a9c157da4fb
Memory dumps (pid 3956):
memory/3956-22-0x0000000000920000-0x0000000000CF4000-memory.dmp Filesize: 3.8MB
memory/3956-23-0x0000000000920000-0x0000000000CF4000-memory.dmp Filesize: 3.8MB
memory/3956-24-0x0000000073320000-0x0000000073AD0000-memory.dmp Filesize: 7.7MB
memory/3956-25-0x0000000005B80000-0x0000000006124000-memory.dmp Filesize: 5.6MB
memory/3956-26-0x0000000005670000-0x0000000005702000-memory.dmp Filesize: 584KB
memory/3956-27-0x00000000058F0000-0x0000000005900000-memory.dmp Filesize: 64KB
memory/3956-28-0x00000000055F0000-0x00000000055FA000-memory.dmp Filesize: 40KB
memory/3956-29-0x00000000069D0000-0x0000000006FE8000-memory.dmp Filesize: 6.1MB
memory/3956-30-0x0000000006840000-0x000000000694A000-memory.dmp Filesize: 1.0MB
memory/3956-31-0x0000000006560000-0x0000000006572000-memory.dmp Filesize: 72KB
memory/3956-32-0x00000000065C0000-0x00000000065FC000-memory.dmp Filesize: 240KB
memory/3956-33-0x0000000006610000-0x000000000665C000-memory.dmp Filesize: 304KB
memory/3956-34-0x0000000008CC0000-0x0000000008D26000-memory.dmp Filesize: 408KB
memory/3956-36-0x00000000092E0000-0x0000000009330000-memory.dmp Filesize: 320KB
memory/3956-37-0x0000000009700000-0x00000000098C2000-memory.dmp Filesize: 1.8MB
memory/3956-38-0x000000000A490000-0x000000000A9BC000-memory.dmp Filesize: 5.2MB
memory/3956-41-0x0000000000920000-0x0000000000CF4000-memory.dmp Filesize: 3.8MB
memory/3956-42-0x0000000073320000-0x0000000073AD0000-memory.dmp Filesize: 7.7MB