Analysis
max time kernel: 55s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 17:13
Behavioral task: behavioral1
Sample: Build.exe
Resource: win7-20231129-en
14 signatures, 150 seconds

Behavioral task: behavioral2
Sample: Build.exe
Resource: win10v2004-20240419-en
5 signatures, 150 seconds
General
Target: Build.exe
Size: 141KB
MD5: 4793635d89c00e6f9fc0b6953530a4c0
SHA1: dc168256f1b27093c7b6699fcf8ac9d4393adbe2
SHA256: 9adbdf6077ac14b7dd2a4e37f15881bbf2fa25b56690bc5000fcfb93ed3cfbe2
SHA512: 14aa1035d4343e898b42c70e075df65bdaa3265149806becf3e88b056f64486ac9219d137ed51af74edb0398cdab445741aa9b1a19c3e6db3e4ee260a2b04427
SSDEEP: 3072:BK1JZOpTvVQZ+rcIeRYs6YmszJqoD277BpGGoMTb3R35dINX9r5Pxk:QOpu0rjeRbVJqoDm1pGGoMTb3RDINN
Score: 10/10
Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
Processes:
resource: behavioral2/memory/552-0-0x00000000007F0000-0x000000000081A000-memory.dmp    yara_rule: family_redline

Kills process with taskkill (1 IoC)
Processes:
pid: 4880    process: taskkill.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description: Token: SeDebugPrivilege    pid: 552     process: Build.exe
description: Token: SeDebugPrivilege    pid: 4880    process: taskkill.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description: PID 552 wrote to memory of 2044     pid: 552     process: Build.exe    target process: cmd.exe
description: PID 552 wrote to memory of 2044     pid: 552     process: Build.exe    target process: cmd.exe
description: PID 552 wrote to memory of 2044     pid: 552     process: Build.exe    target process: cmd.exe
description: PID 2044 wrote to memory of 4880    pid: 2044    process: cmd.exe      target process: taskkill.exe
description: PID 2044 wrote to memory of 4880    pid: 2044    process: cmd.exe      target process: taskkill.exe
description: PID 2044 wrote to memory of 4880    pid: 2044    process: cmd.exe      target process: taskkill.exe
description: PID 2044 wrote to memory of 796     pid: 2044    process: cmd.exe      target process: choice.exe
description: PID 2044 wrote to memory of 796     pid: 2044    process: cmd.exe      target process: choice.exe
description: PID 2044 wrote to memory of 796     pid: 2044    process: cmd.exe      target process: choice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Build.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Build.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "cmd.exe" /C taskkill /F /PID 552 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Build.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /F /PID 552
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\choice.exe (depth 3)
      Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix
Downloads
memory/552-0-0x00000000007F0000-0x000000000081A000-memory.dmp    Filesize: 168KB
memory/552-1-0x0000000075130000-0x00000000758E0000-memory.dmp    Filesize: 7.7MB
memory/552-2-0x00000000052D0000-0x00000000052E0000-memory.dmp    Filesize: 64KB
memory/552-3-0x0000000005900000-0x0000000005F18000-memory.dmp    Filesize: 6.1MB
memory/552-4-0x00000000051D0000-0x00000000051E2000-memory.dmp    Filesize: 72KB
memory/552-5-0x0000000005230000-0x000000000526C000-memory.dmp    Filesize: 240KB
memory/552-6-0x0000000005270000-0x00000000052BC000-memory.dmp    Filesize: 304KB
memory/552-7-0x00000000054F0000-0x00000000055FA000-memory.dmp    Filesize: 1.0MB
memory/552-8-0x0000000075130000-0x00000000758E0000-memory.dmp    Filesize: 7.7MB
memory/552-9-0x0000000075130000-0x00000000758E0000-memory.dmp    Filesize: 7.7MB