Analysis
- max time kernel: 141s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-04-2024 14:01

Behavioral task: behavioral1
- Sample: ce39f5a2f4240d596a4131c1875ef2b7.exe
- Resource: win7-20240215-en
General
- Target: ce39f5a2f4240d596a4131c1875ef2b7.exe
- Size: 306KB
- MD5: ce39f5a2f4240d596a4131c1875ef2b7
- SHA1: f7f13daecac2ca68f92e910d9a661556cdf58859
- SHA256: 5afafb07f36ae38b071a7f1be9e675f29f15472a2c9cd4963bfa6f01ba728932
- SHA512: 24b768a36f49ce9624274eb12f43370ceb27e90dcf79836f5926c387aa949de087b8abb62914f12c8e02063107886fc3356f7c0913fd3174790596d51d55100a
- SSDEEP: 6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
Malware Config
Extracted
- Family: redline
- Botnet: spoo
- C2: 103.113.70.99:2630
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Resource: behavioral2/memory/4404-1-0x0000000000CA0000-0x0000000000CF2000-memory.dmp
  YARA rule: family_redline
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
  Processes:
  Process: ce39f5a2f4240d596a4131c1875ef2b7.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob data elided)
  The key name under SystemCertificates\ROOT\Certificates is the SHA-1 thumbprint of the certificate being written, and a Blob value under HKLM\...\ROOT adds that certificate to the machine-wide trusted root store, so every user and service on the host will trust it. On a live host, `Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq 'F1A578C4CB5DE79A370893983FD4DA8B67B2B064' }` in PowerShell shows whether this thumbprint is present.
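The registry IoC above is the kind of event a Sysmon Event ID 13 (RegistryEvent, value set) feed records. The following is an added detection example, not part of the sandbox report or of any Triage tooling: it scans constructed Sysmon-style key=value log lines for Blob writes under the machine ROOT, AuthRoot and CA certificate stores, normalises the native `\REGISTRY\MACHINE\` spelling used in the report to the `HKLM\` form Sysmon emits, skips an assumed allow-list of Windows images that legitimately write those stores, and compares the extracted thumbprint with the one from this report. The log format, the allow-list, the PIDs other than 4404 and the second thumbprint are all constructed for the example.

```python
"""Flag writes to machine-wide certificate stores in Sysmon-style registry events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# SHA-1 thumbprint from this report's registry IoC.
REPORT_THUMBPRINT = "F1A578C4CB5DE79A370893983FD4DA8B67B2B064"

# Native NT registry prefix as seen in the report; Sysmon logs the same hive as HKLM\.
NATIVE_PREFIX = "\\REGISTRY\\MACHINE\\"

# Blob value under one of the machine-wide stores; group 1 = store, group 2 = SHA-1 thumbprint.
STORE_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\(ROOT|AuthRoot|CA)\\Certificates\\([0-9A-F]{40})\\Blob$",
    re.IGNORECASE,
)

# Assumed allow-list of images that legitimately write these stores; tune for your fleet.
ALLOWED_IMAGES = {
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed log lines in a flat key=value form (real Sysmon data is XML/EVTX).
SAMPLE_EVENTS = [
    # The report's event: user-writable Temp path, native registry spelling, PID 4404.
    r"EventID=12 EventType=CreateKey ProcessId=4404 Image=C:\Users\Admin\AppData\Local\Temp\ce39f5a2f4240d596a4131c1875ef2b7.exe "
    r"TargetObject=\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064",
    r"EventID=13 EventType=SetValue ProcessId=4404 Image=C:\Users\Admin\AppData\Local\Temp\ce39f5a2f4240d596a4131c1875ef2b7.exe "
    r"TargetObject=\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob Details=Binary",
    # Legitimate administrative import via certutil: allow-listed, no alert.
    r"EventID=13 EventType=SetValue ProcessId=1234 Image=C:\Windows\System32\certutil.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob Details=Binary",
    # Per-user store write (HKCU): outside the machine-wide stores this example covers, no alert.
    r"EventID=13 EventType=SetValue ProcessId=2222 Image=C:\Users\Admin\Downloads\update.exe "
    r"TargetObject=HKCU\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob Details=Binary",
    # Unknown image writing the intermediate CA store with a different thumbprint: alert, not the report IoC.
    r"EventID=13 EventType=SetValue ProcessId=3333 Image=C:\Users\Admin\Downloads\update.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob Details=Binary",
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    pid: int
    image: str
    store: str
    thumbprint: str
    matches_report_ioc: bool


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def normalise_key(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\... so one regex covers both spellings."""
    if path.upper().startswith(NATIVE_PREFIX):
        return "HKLM\\" + path[len(NATIVE_PREFIX):]
    return path


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per value-set event that writes a certificate Blob into a machine-wide store."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":  # only value writes carry the Blob
            continue
        match = STORE_RE.match(normalise_key(ev.get("TargetObject", "")))
        if not match:
            continue
        image = ev.get("Image", "")
        if image.lower() in ALLOWED_IMAGES:
            continue
        store, thumb = match.group(1).upper(), match.group(2).upper()
        alerts.append(Alert(int(ev.get("ProcessId", "0")), image, store, thumb, thumb == REPORT_THUMBPRINT))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        flag = "KNOWN-IOC" if alert.matches_report_ioc else "new"
        print(f"pid={alert.pid} store={alert.store} thumbprint={alert.thumbprint} [{flag}] image={alert.image}")
```

The thumbprint match is a convenience for triaging this specific sample; the durable signal is any non-allow-listed image writing a Blob under the machine ROOT store, because a benign application almost never needs to add a trusted root at runtime. Per-user stores (HKCU) are deliberately left out here, but a fleet-wide rule would usually cover them too.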
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Process: ce39f5a2f4240d596a4131c1875ef2b7.exe (PID 4404), 20 identical events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: ce39f5a2f4240d596a4131c1875ef2b7.exe (PID 4404)
  Token: SeDebugPrivilege
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Tmp3709.tmp
  Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
- memory/4404-27-0x0000000006F10000-0x000000000701A000-memory.dmp (Filesize: 1.0MB)
- memory/4404-35-0x0000000009350000-0x000000000987C000-memory.dmp (Filesize: 5.2MB)
- memory/4404-3-0x0000000005720000-0x00000000057B2000-memory.dmp (Filesize: 584KB)
- memory/4404-4-0x0000000005950000-0x0000000005960000-memory.dmp (Filesize: 64KB)
- memory/4404-5-0x0000000005700000-0x000000000570A000-memory.dmp (Filesize: 40KB)
- memory/4404-1-0x0000000000CA0000-0x0000000000CF2000-memory.dmp (Filesize: 328KB)
- memory/4404-22-0x0000000006380000-0x00000000063F6000-memory.dmp (Filesize: 472KB)
- memory/4404-28-0x0000000006E50000-0x0000000006E62000-memory.dmp (Filesize: 72KB)
- memory/4404-40-0x0000000074A40000-0x00000000751F0000-memory.dmp (Filesize: 7.7MB)
- memory/4404-2-0x0000000005CD0000-0x0000000006274000-memory.dmp (Filesize: 5.6MB)
- memory/4404-23-0x0000000006C80000-0x0000000006C9E000-memory.dmp (Filesize: 120KB)
- memory/4404-29-0x0000000006EB0000-0x0000000006EEC000-memory.dmp (Filesize: 240KB)
- memory/4404-30-0x0000000007020000-0x000000000706C000-memory.dmp (Filesize: 304KB)
- memory/4404-31-0x0000000074A40000-0x00000000751F0000-memory.dmp (Filesize: 7.7MB)
- memory/4404-32-0x0000000007160000-0x00000000071C6000-memory.dmp (Filesize: 408KB)
- memory/4404-33-0x0000000005950000-0x0000000005960000-memory.dmp (Filesize: 64KB)
- memory/4404-34-0x0000000008C50000-0x0000000008E12000-memory.dmp (Filesize: 1.8MB)
- memory/4404-0-0x0000000074A40000-0x00000000751F0000-memory.dmp (Filesize: 7.7MB)
- memory/4404-36-0x0000000008E70000-0x0000000008EC0000-memory.dmp (Filesize: 320KB)
- memory/4404-26-0x00000000073C0000-0x00000000079D8000-memory.dmp (Filesize: 6.1MB)