Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-04-2024 13:45
Behavioral task: behavioral1
Sample: 0244c540d99d3c8507bdc73d5b4646a3.exe
Resource: win7-20231129-en
General
Target: 0244c540d99d3c8507bdc73d5b4646a3.exe
Size: 306KB
MD5: 0244c540d99d3c8507bdc73d5b4646a3
SHA1: acb63423f9883dc72c3beab21d711d1c5a0eceed
SHA256: ce8c0c6f213445d5bc40441e171cb112c92bd4192783c06cdd17ba4d851565f8
SHA512: a8260125025e64d473197373f804b7ad025ed4ac7e77482b011ff394d5cfe217a81bae53516e46e1026b0f3207e2967e2d7c3ea4b106b1a4d99090bb66184492
SSDEEP: 6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
Malware Config
Extracted (redline): spoo, 103.113.70.99:2630
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
  resource: behavioral2/memory/1904-1-0x0000000000360000-0x00000000003B2000-memory.dmp
  yara_rule: family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies system certificate store
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
  process: 0244c540d99d3c8507bdc73d5b4646a3.exe

  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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
  process: 0244c540d99d3c8507bdc73d5b4646a3.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes (21 identical entries):
  pid: 1904
  process: 0244c540d99d3c8507bdc73d5b4646a3.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 1904
  process: 0244c540d99d3c8507bdc73d5b4646a3.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0244c540d99d3c8507bdc73d5b4646a3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0244c540d99d3c8507bdc73d5b4646a3.exe"
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp3236.tmp
  Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
Memory dumps (pid 1904):
  Filesize  Dump
  1.0MB     memory/1904-27-0x00000000066D0000-0x00000000067DA000-memory.dmp
  1.8MB     memory/1904-35-0x0000000008300000-0x00000000084C2000-memory.dmp
  584KB     memory/1904-3-0x0000000004E30000-0x0000000004EC2000-memory.dmp
  64KB      memory/1904-4-0x0000000004E00000-0x0000000004E10000-memory.dmp
  40KB      memory/1904-5-0x0000000004DD0000-0x0000000004DDA000-memory.dmp
  328KB     memory/1904-1-0x0000000000360000-0x00000000003B2000-memory.dmp
  472KB     memory/1904-22-0x0000000005A70000-0x0000000005AE6000-memory.dmp
  72KB      memory/1904-28-0x0000000006610000-0x0000000006622000-memory.dmp
  7.7MB     memory/1904-40-0x0000000075120000-0x00000000758D0000-memory.dmp
  5.6MB     memory/1904-2-0x0000000005340000-0x00000000058E4000-memory.dmp
  120KB     memory/1904-23-0x0000000006440000-0x000000000645E000-memory.dmp
  240KB     memory/1904-29-0x0000000006670000-0x00000000066AC000-memory.dmp
  304KB     memory/1904-30-0x00000000067E0000-0x000000000682C000-memory.dmp
  408KB     memory/1904-31-0x0000000006920000-0x0000000006986000-memory.dmp
  7.7MB     memory/1904-32-0x0000000075120000-0x00000000758D0000-memory.dmp
  64KB      memory/1904-33-0x0000000004E00000-0x0000000004E10000-memory.dmp
  320KB     memory/1904-34-0x00000000073F0000-0x0000000007440000-memory.dmp
  7.7MB     memory/1904-0-0x0000000075120000-0x00000000758D0000-memory.dmp
  5.2MB     memory/1904-36-0x0000000008A00000-0x0000000008F2C000-memory.dmp
  6.1MB     memory/1904-26-0x0000000006B80000-0x0000000007198000-memory.dmp