Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-04-2024 13:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
  - Resource: win7-20240221-en
General
- Target: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
- Size: 1.9MB
- MD5: 1a933b075452db624a756f76662a0614
- SHA1: 264bedf3867851461ea52b75650f414fcebb61ef
- SHA256: 679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d
- SHA512: 8f84c2c548d5774c5e942cef1dc5e0eb6e82a79d22a30b636bf0a98fad535cfab5e77a380c1c167ea33caca1ee397e64490eff0672cc915d1c8e797eb63e1071
- SSDEEP: 24576:GubsnafAPyjSzuubsnafAPyjZrilCQZCC3kmnrAa1rmqUeIiVfox2oTVZHeBFpUH:YI4wI1iln73XnrA0dqiFoHcpfi/Znqh0
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: 77.221.156.45:18734
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (2 IoCs)
  Processes: 2540 work.exe; 2528 dwrtg.exe
- Loads dropped DLL (5 IoCs)
  Processes: 2612 cmd.exe; 2540 work.exe (4 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes: 2528 dwrtg.exe (3 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: 2528 dwrtg.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 2528 dwrtg.exe (Token: SeDebugPrivilege)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 2528 dwrtg.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid / process -> target pid / target process):
  - PID 3036 (679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe) wrote to memory of 2612 (cmd.exe), 4 entries
  - PID 2612 (cmd.exe) wrote to memory of 2540 (work.exe), 4 entries
  - PID 2540 (work.exe) wrote to memory of 2528 (dwrtg.exe), 4 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
      Command line: work.exe -priverdD
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
  Filesize: 35B
  MD5: ff59d999beb970447667695ce3273f75
  SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
  SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
  SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
  Filesize: 1.6MB
  MD5: 8a4879228a1be7f3607b3e273eed0a4b
  SHA1: f3e0e38342319067c69960421535d5350961617b
  SHA256: 59a114ce6fb1eecdb755d07bff991d2463a313e5726f97bd1fe17dd42f83a869
  SHA512: c8aa9fcfef49346564111ae8d8e0bae9aa5a9bc5a4bb01db658967de0adcd0d07a20c158b6d4dfa2b591ca7b14235590f8ba23af4f86367edba15383c847d5fd
- \Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe
  Filesize: 1.3MB
  MD5: 54a764920f77d7fa6e0362c87fef1a00
  SHA1: bf50ce0c1086fe415dea79aecc1f484922a3a723
  SHA256: 5e9bcca94777fe32ffbf38991c2d7123b26bc0e7bc7a347683f66d19d298fa57
  SHA512: 3839b7344a2ca58bc9bc0bd89cc05325aa009f013865728c237f2d26a56c430a07b71aa5a36e503393e48ba592f3a3d245d5df117f117735406e2a9c157da4fb
- memory/2528-38-0x0000000001120000-0x00000000014F4000-memory.dmp
  Filesize: 3.8MB
- memory/2528-40-0x0000000001120000-0x00000000014F4000-memory.dmp
  Filesize: 3.8MB
- memory/2528-41-0x00000000742B0000-0x000000007499E000-memory.dmp
  Filesize: 6.9MB
- memory/2528-42-0x0000000005190000-0x00000000051D0000-memory.dmp
  Filesize: 256KB
- memory/2528-45-0x0000000001120000-0x00000000014F4000-memory.dmp
  Filesize: 3.8MB
- memory/2528-46-0x00000000742B0000-0x000000007499E000-memory.dmp
  Filesize: 6.9MB
- memory/2540-35-0x0000000003880000-0x0000000003C54000-memory.dmp
  Filesize: 3.8MB
- memory/2540-36-0x0000000003880000-0x0000000003C54000-memory.dmp
  Filesize: 3.8MB