Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    12-05-2024 09:12

General

  • Target

    086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe

  • Size

    868KB

  • MD5

    3f88d06db6d8266c54d0b69b44a6a690

  • SHA1

    9f568daf98d12cc54471e8bf73e0e9e49256283a

  • SHA256

    086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266

  • SHA512

    39de185dc8938ed67bdfc90d36b9e50ddb0db5d4358fae52f86b28602e9df46bb8f90427fee4436283cd94b67dc6a9112691b3cea0bb437c0fb56bea5f5a70f0

  • SSDEEP

    24576:RNCz6WVnhvvi9X2egunROnuytc1Hi8O3jx8eB4:/QJtch2elzsMC82m

Malware Config

Extracted

Family

redline

Botnet

1

C2

178.159.39.40:19667

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
      "C:\Users\Admin\AppData\Local\Temp\086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Socks Socks.cmd && Socks.cmd
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3068
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:2588
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2572
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:2692
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 22632
          4⤵
          PID:2672
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "SolutionWasBreachDrugs" Atlanta
          4⤵
          PID:2560
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Back + Connect + Nutrition + Abandoned 22632\l
          4⤵
          PID:2456
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22632\Conclusion.pif
          22632\Conclusion.pif 22632\l
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2564
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2992
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22632\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22632\RegAsm.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22632\l

                Filesize

                410KB

                MD5

                f35e996409bd69b4dddd6a13be35d126

                SHA1

                fd67efe5d9b052924b675d96e4077d234e3e3b99

                SHA256

                0b4db3e46936c02d41346e595efdafbca74d569f0a32a57ff002ba95cb3ec8a7

                SHA512

                f24e1f795237f7c4c5b196ed60fa6e919319761f9ab3e426713486adab9f7b8fc15bb8744e8a4fb19b7065eb67feae1de9d3543a747a7d64386738e32297e2a2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Abandoned

                Filesize

                24KB

                MD5

                e31dc4f87df1520bfc0a461f6d65fad9

                SHA1

                c9341321f8ab30bb44cc7a9b7d5dd4f449f5191e

                SHA256

                35b8b7d318ef9428a0d8593939581e0ed17c07d250006d93968a05e7528e2042

                SHA512

                6ed5bc01e4794a442de2ae242b0fe040550b89d7457f0556544946034cc35b84f16aacd6e79e3a37f7357c3700878638fe907d26a75a32d61bf37733b8e750ce

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Actors

                Filesize

                212KB

                MD5

                482c1454ad8fa95d2c07558bf2eb4ba8

                SHA1

                ad9123ab9d1507feec16773d8b35fbfe3f889c6a

                SHA256

                3d9b1989ba15fff1bb93aa9f5783145ae15c78281e239e5f362fe38b99e7faca

                SHA512

                ee570beda2038c6774fe0ea44fa210e46d52f940748b6edf75d5830d5d168af169efbcf452982d5c920199a17ce4505e21cf5515a5eef32d049ad8b73faa54c7

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Atlanta

                Filesize

                169B

                MD5

                eb85e90a86a7a339c53124b9c6075eff

                SHA1

                c37d45a755c1916069d67199ab5fdbc473291b70

                SHA256

                7910dbed202c716c0ec072ed413abc7858cf6407192dce5469998a21b717c2a4

                SHA512

                f4e351637ed067303c88a5d2c6e9b4e29e31d398e974e34670b17b4cf08c5fca2eee995ef149fd6071f9738d236aa7043876c56f12707998135055c31c3c9868

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Back

                Filesize

                167KB

                MD5

                d47c03c15d7627826f89be028064f6c7

                SHA1

                782d3046d994c0f9678297bce9392d05b2cf0216

                SHA256

                2551a21ab2802d8e7f9b1910c37bb3e7cba9233458d7dd45d16eac9c4a0484cd

                SHA512

                1c8956e32129b0aebfa777df0d224bddf1f65e3c9072dcb452b833ecf56210fe5f86a8e91078bfdf6ccbbc5e116832748a2bbb833f2c9a95c619b24a398a30f3

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Connect

                Filesize

                159KB

                MD5

                929e9b4da0e6142ca73ba44d26ecca09

                SHA1

                a883ec258f645eeaa1231118f2d36ea706d6f2ef

                SHA256

                e19d904b4b5f7a277d738f0fdbcc2ac4654e83673e697b0d52c858574c1f4880

                SHA512

                98f4f6a2f0101a89b1f04e5374ae77d8384670c90bf35139e1f6e7a3f963e585f6ceb922a103afc469001e83ac3ad23b14a1017c7f6f0b508c4f38ddf19e2f92

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nutrition

                Filesize

                60KB

                MD5

                d3c966b6776eb4c836e8654b74a27029

                SHA1

                f92a7084a95e6d934d24bbd9b7e9b75264062b0e

                SHA256

                991bbdb2d5fe3db7b81fb195785b0152791eed6dbc2eda9f045c57bf41d5bc33

                SHA512

                0726e57e32be9e8432cddfb2dd10bc718fbfd291b372fe6af5dc119d06c2571c5085d5656f6b8cf53ed5bb5ba7beb74b80e8a2bb49d95b5b1342302bc31a7659

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\People

                Filesize

                161KB

                MD5

                cf6620c803fec9594538370e54a74062

                SHA1

                2299de429b67388bd26002e615b459354554a92a

                SHA256

                354e9a02688285befd01025529d6683da5b40a26eb082ea3bb94d3cebae7e426

                SHA512

                0770f5ff779e73aea123d4cae47c0b6c0efdd68d4840a7b190e7f453a5f511ec3efa94967ed560ac463bc9d8d5a0408c767ff1983e0982548f79b1b21486aa23

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Qc

                Filesize

                99KB

                MD5

                03c38d15b9abca9f49dee6cdbfab2a00

                SHA1

                5ffe017f92758650c58b7915e2429295d988a8d0

                SHA256

                6ed522841af3468d2b8181c6fe3d45f60c87daa0b7b26ff7813dc6ae8b6d70cc

                SHA512

                d22f3057792a4d030f4d1ddf296a254c1ec45c6d11c77045b537d966ade9eed53357664c0fd9f98ef51075537aff6982f4fd97adda4775328f6e6d43bd9bde9b

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sip

                Filesize

                77KB

                MD5

                8e437b7d17190771dd7dd72227ce165b

                SHA1

                9cf72c0a140d00605e9ab9b4217d697e0373ecec

                SHA256

                9730a4adaeeadafd4b6e0d7b30f5ff00783d9b5bb467409b7567d8ac7db838d2

                SHA512

                e2abb21406c3d9347844839f9d3673c462a887d365f4d820802bf95e2009209690e28bd4e537d32c073f941c47f75a9d3f69bc3dc9538419a6928f12d701e8c6

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sociology

                Filesize

                106KB

                MD5

                0c763f97b699ce2991b0676d578ae3eb

                SHA1

                2ef06553ecd13abd1d9d5c8abdaa976db9fe5243

                SHA256

                b208a0f0f606c22eafd7b42519799a5156da5b7cc3800d9ff51b24e8f4b90d56

                SHA512

                17b1b7980b2294c76382121ab27cdcf01bd42546e3feb24745850485b335ee836c1c578748b4c6ac9583a6c838f99ffc42e89c695802a7d7dd61995c087daa97

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Socks

                Filesize

                14KB

                MD5

                ed8cd9de9ed7da89677507b9456baa69

                SHA1

                e964ffc4e7b89c52602201da9921b840bfd0fd4b

                SHA256

                e61cab04f886e74d37c9d7e815ab8b8d13d5e68c8bcc20454cccae73480eacb2

                SHA512

                7315f547405e471d746a10faba1afa4aa9c156fce5179171988dfa61906563bf5d23143b4bd222d53facb119df2c76cf520e0e3b3f68bb5a0931164451060041

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Transexual

                Filesize

                47KB

                MD5

                d104a436fa394e94ae6f1ad0a3d0d7c4

                SHA1

                77d121990c5f352916989ec229f129fbc37f7164

                SHA256

                4c8f45e1ca349abc9040860f8db30de9213c6fc4d5ae4d98e44777385b386557

                SHA512

                15763ba0bbfcb8596ad78a99aeaf9d0201aa72e12522a2bbc3276cc921c8cc1fdc67ecdf610c2ac77a5214c2ed65b437cb51d8568e14a9c962d93e72b0fd31b4

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tuesday

                Filesize

                170KB

                MD5

                e4ad34ed3ba2c9f53cc0c606014f7f02

                SHA1

                8db8fb21065a0c0d828688494eff6a66179c45d4

                SHA256

                684e9a4066acf0f825a649df96552e12920b3ac88eaccf1b15a29b5a03ab1418

                SHA512

                09eca1491a76cca099c003b5c6a14f92cd3bddd4320d075332e69a58903e0c331b2a2761cf58508ae388dcaad57fa73d82e37590da28fd848e47c83fbd887381

              • C:\Users\Admin\AppData\Local\Temp\Tmp7A11.tmp

                Filesize

                2KB

                MD5

                1420d30f964eac2c85b2ccfe968eebce

                SHA1

                bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                SHA256

                f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                SHA512

                6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

              • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22632\Conclusion.pif

                Filesize

                872KB

                MD5

                6ee7ddebff0a2b78c7ac30f6e00d1d11

                SHA1

                f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

                SHA256

                865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

                SHA512

                57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

              • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22632\RegAsm.exe

                Filesize

                63KB

                MD5

                b58b926c3574d28d5b7fdd2ca3ec30d5

                SHA1

                d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                SHA256

                6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                SHA512

                b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

              • memory/2728-39-0x00000000000F0000-0x0000000000142000-memory.dmp

                Filesize

                328KB

              • memory/2728-42-0x00000000000F0000-0x0000000000142000-memory.dmp

                Filesize

                328KB

              • memory/2728-41-0x00000000000F0000-0x0000000000142000-memory.dmp

                Filesize

                328KB