Analysis
max time kernel: 91s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 01:01
Static task: static1
Behavioral task: behavioral1
Sample: 086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
Resource: win7-20240215-en
General
Target: 086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
Size: 868KB
MD5: 3f88d06db6d8266c54d0b69b44a6a690
SHA1: 9f568daf98d12cc54471e8bf73e0e9e49256283a
SHA256: 086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266
SHA512: 39de185dc8938ed67bdfc90d36b9e50ddb0db5d4358fae52f86b28602e9df46bb8f90427fee4436283cd94b67dc6a9112691b3cea0bb437c0fb56bea5f5a70f0
SSDEEP: 24576:RNCz6WVnhvvi9X2egunROnuytc1Hi8O3jx8eB4:/QJtch2elzsMC82m
Malware Config
Extracted
redline
1
178.159.39.40:19667
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral2/memory/4496-35-0x0000000001310000-0x0000000001362000-memory.dmp  family_redline
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: Conclusion.pif
description              pid    process         target process
PID 3684 created 3436    3684   Conclusion.pif  Explorer.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
description         ioc                                                                                                          process
Key value queried   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation   086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
Executes dropped EXE 2 IoCs
Processes: Conclusion.pif, RegAsm.exe
pid    process
3684   Conclusion.pif
4496   RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes: tasklist.exe, tasklist.exe
pid    process
4288   tasklist.exe
2228   tasklist.exe
Modifies system certificate store 2 IoCs
Processes: RegAsm.exe
description        ioc                                                                                                                  process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064         RegAsm.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (value omitted)   RegAsm.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes: Conclusion.pif, RegAsm.exe
pid    process          hits
3684   Conclusion.pif   8
4496   RegAsm.exe       13
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: tasklist.exe, tasklist.exe, RegAsm.exe
description                pid    process
Token: SeDebugPrivilege    4288   tasklist.exe
Token: SeDebugPrivilege    2228   tasklist.exe
Token: SeDebugPrivilege    4496   RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: Conclusion.pif
pid    process          hits
3684   Conclusion.pif   3
Suspicious use of SendNotifyMessage 3 IoCs
Processes: Conclusion.pif
pid    process          hits
3684   Conclusion.pif   3
Suspicious use of WriteProcessMemory 35 IoCs
Processes: 086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe, cmd.exe, Conclusion.pif
description                        pid    process                                                                   target process    hits
PID 2060 wrote to memory of 5012   2060   086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe   cmd.exe           3
PID 5012 wrote to memory of 4288   5012   cmd.exe                                                                   tasklist.exe      3
PID 5012 wrote to memory of 2180   5012   cmd.exe                                                                   findstr.exe       3
PID 5012 wrote to memory of 2228   5012   cmd.exe                                                                   tasklist.exe      3
PID 5012 wrote to memory of 4000   5012   cmd.exe                                                                   findstr.exe       3
PID 5012 wrote to memory of 1704   5012   cmd.exe                                                                   cmd.exe           3
PID 5012 wrote to memory of 1712   5012   cmd.exe                                                                   findstr.exe       3
PID 5012 wrote to memory of 4296   5012   cmd.exe                                                                   cmd.exe           3
PID 5012 wrote to memory of 3684   5012   cmd.exe                                                                   Conclusion.pif    3
PID 5012 wrote to memory of 2160   5012   cmd.exe                                                                   PING.EXE          3
PID 3684 wrote to memory of 4496   3684   Conclusion.pif                                                            RegAsm.exe        5
Processes
C:\Windows\Explorer.EXE  (PID 3436, depth 1)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe  (PID 2060, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 5012, depth 3)
      command line: "C:\Windows\System32\cmd.exe" /c move Socks Socks.cmd && Socks.cmd
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe  (PID 4288, depth 4)
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  (PID 2180, depth 4)
        command line: findstr /I "wrsa.exe opssvc.exe"
      C:\Windows\SysWOW64\tasklist.exe  (PID 2228, depth 4)
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe  (PID 4000, depth 4)
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      C:\Windows\SysWOW64\cmd.exe  (PID 1704, depth 4)
        command line: cmd /c md 22862
      C:\Windows\SysWOW64\findstr.exe  (PID 1712, depth 4)
        command line: findstr /V "SolutionWasBreachDrugs" Atlanta
      C:\Windows\SysWOW64\cmd.exe  (PID 4296, depth 4)
        command line: cmd /c copy /b Back + Connect + Nutrition + Abandoned 22862\l
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22862\Conclusion.pif  (PID 3684, depth 4)
        command line: 22862\Conclusion.pif 22862\l
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE  (PID 2160, depth 4)
        command line: ping -n 5 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22862\RegAsm.exe  (PID 4496, depth 2)
    command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22862\RegAsm.exe
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1700, depth 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2668,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 872KB
MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
Filesize: 63KB
MD5: 0d5df43af2916f47d00c1573797c1a13
SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize: 410KB
MD5: f35e996409bd69b4dddd6a13be35d126
SHA1: fd67efe5d9b052924b675d96e4077d234e3e3b99
SHA256: 0b4db3e46936c02d41346e595efdafbca74d569f0a32a57ff002ba95cb3ec8a7
SHA512: f24e1f795237f7c4c5b196ed60fa6e919319761f9ab3e426713486adab9f7b8fc15bb8744e8a4fb19b7065eb67feae1de9d3543a747a7d64386738e32297e2a2
-
Filesize: 24KB
MD5: e31dc4f87df1520bfc0a461f6d65fad9
SHA1: c9341321f8ab30bb44cc7a9b7d5dd4f449f5191e
SHA256: 35b8b7d318ef9428a0d8593939581e0ed17c07d250006d93968a05e7528e2042
SHA512: 6ed5bc01e4794a442de2ae242b0fe040550b89d7457f0556544946034cc35b84f16aacd6e79e3a37f7357c3700878638fe907d26a75a32d61bf37733b8e750ce
-
Filesize: 212KB
MD5: 482c1454ad8fa95d2c07558bf2eb4ba8
SHA1: ad9123ab9d1507feec16773d8b35fbfe3f889c6a
SHA256: 3d9b1989ba15fff1bb93aa9f5783145ae15c78281e239e5f362fe38b99e7faca
SHA512: ee570beda2038c6774fe0ea44fa210e46d52f940748b6edf75d5830d5d168af169efbcf452982d5c920199a17ce4505e21cf5515a5eef32d049ad8b73faa54c7
-
Filesize: 169B
MD5: eb85e90a86a7a339c53124b9c6075eff
SHA1: c37d45a755c1916069d67199ab5fdbc473291b70
SHA256: 7910dbed202c716c0ec072ed413abc7858cf6407192dce5469998a21b717c2a4
SHA512: f4e351637ed067303c88a5d2c6e9b4e29e31d398e974e34670b17b4cf08c5fca2eee995ef149fd6071f9738d236aa7043876c56f12707998135055c31c3c9868
-
Filesize: 167KB
MD5: d47c03c15d7627826f89be028064f6c7
SHA1: 782d3046d994c0f9678297bce9392d05b2cf0216
SHA256: 2551a21ab2802d8e7f9b1910c37bb3e7cba9233458d7dd45d16eac9c4a0484cd
SHA512: 1c8956e32129b0aebfa777df0d224bddf1f65e3c9072dcb452b833ecf56210fe5f86a8e91078bfdf6ccbbc5e116832748a2bbb833f2c9a95c619b24a398a30f3
-
Filesize: 159KB
MD5: 929e9b4da0e6142ca73ba44d26ecca09
SHA1: a883ec258f645eeaa1231118f2d36ea706d6f2ef
SHA256: e19d904b4b5f7a277d738f0fdbcc2ac4654e83673e697b0d52c858574c1f4880
SHA512: 98f4f6a2f0101a89b1f04e5374ae77d8384670c90bf35139e1f6e7a3f963e585f6ceb922a103afc469001e83ac3ad23b14a1017c7f6f0b508c4f38ddf19e2f92
-
Filesize: 60KB
MD5: d3c966b6776eb4c836e8654b74a27029
SHA1: f92a7084a95e6d934d24bbd9b7e9b75264062b0e
SHA256: 991bbdb2d5fe3db7b81fb195785b0152791eed6dbc2eda9f045c57bf41d5bc33
SHA512: 0726e57e32be9e8432cddfb2dd10bc718fbfd291b372fe6af5dc119d06c2571c5085d5656f6b8cf53ed5bb5ba7beb74b80e8a2bb49d95b5b1342302bc31a7659
-
Filesize: 161KB
MD5: cf6620c803fec9594538370e54a74062
SHA1: 2299de429b67388bd26002e615b459354554a92a
SHA256: 354e9a02688285befd01025529d6683da5b40a26eb082ea3bb94d3cebae7e426
SHA512: 0770f5ff779e73aea123d4cae47c0b6c0efdd68d4840a7b190e7f453a5f511ec3efa94967ed560ac463bc9d8d5a0408c767ff1983e0982548f79b1b21486aa23
-
Filesize: 99KB
MD5: 03c38d15b9abca9f49dee6cdbfab2a00
SHA1: 5ffe017f92758650c58b7915e2429295d988a8d0
SHA256: 6ed522841af3468d2b8181c6fe3d45f60c87daa0b7b26ff7813dc6ae8b6d70cc
SHA512: d22f3057792a4d030f4d1ddf296a254c1ec45c6d11c77045b537d966ade9eed53357664c0fd9f98ef51075537aff6982f4fd97adda4775328f6e6d43bd9bde9b
-
Filesize: 77KB
MD5: 8e437b7d17190771dd7dd72227ce165b
SHA1: 9cf72c0a140d00605e9ab9b4217d697e0373ecec
SHA256: 9730a4adaeeadafd4b6e0d7b30f5ff00783d9b5bb467409b7567d8ac7db838d2
SHA512: e2abb21406c3d9347844839f9d3673c462a887d365f4d820802bf95e2009209690e28bd4e537d32c073f941c47f75a9d3f69bc3dc9538419a6928f12d701e8c6
-
Filesize: 106KB
MD5: 0c763f97b699ce2991b0676d578ae3eb
SHA1: 2ef06553ecd13abd1d9d5c8abdaa976db9fe5243
SHA256: b208a0f0f606c22eafd7b42519799a5156da5b7cc3800d9ff51b24e8f4b90d56
SHA512: 17b1b7980b2294c76382121ab27cdcf01bd42546e3feb24745850485b335ee836c1c578748b4c6ac9583a6c838f99ffc42e89c695802a7d7dd61995c087daa97
-
Filesize: 14KB
MD5: ed8cd9de9ed7da89677507b9456baa69
SHA1: e964ffc4e7b89c52602201da9921b840bfd0fd4b
SHA256: e61cab04f886e74d37c9d7e815ab8b8d13d5e68c8bcc20454cccae73480eacb2
SHA512: 7315f547405e471d746a10faba1afa4aa9c156fce5179171988dfa61906563bf5d23143b4bd222d53facb119df2c76cf520e0e3b3f68bb5a0931164451060041
-
Filesize: 47KB
MD5: d104a436fa394e94ae6f1ad0a3d0d7c4
SHA1: 77d121990c5f352916989ec229f129fbc37f7164
SHA256: 4c8f45e1ca349abc9040860f8db30de9213c6fc4d5ae4d98e44777385b386557
SHA512: 15763ba0bbfcb8596ad78a99aeaf9d0201aa72e12522a2bbc3276cc921c8cc1fdc67ecdf610c2ac77a5214c2ed65b437cb51d8568e14a9c962d93e72b0fd31b4
-
Filesize: 170KB
MD5: e4ad34ed3ba2c9f53cc0c606014f7f02
SHA1: 8db8fb21065a0c0d828688494eff6a66179c45d4
SHA256: 684e9a4066acf0f825a649df96552e12920b3ac88eaccf1b15a29b5a03ab1418
SHA512: 09eca1491a76cca099c003b5c6a14f92cd3bddd4320d075332e69a58903e0c331b2a2761cf58508ae388dcaad57fa73d82e37590da28fd848e47c83fbd887381
-
Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8