Analysis

  • max time kernel
    120s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-05-2024 09:12

General

  • Target
    086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
  • Size
    868KB
  • MD5
    3f88d06db6d8266c54d0b69b44a6a690
  • SHA1
    9f568daf98d12cc54471e8bf73e0e9e49256283a
  • SHA256
    086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266
  • SHA512
    39de185dc8938ed67bdfc90d36b9e50ddb0db5d4358fae52f86b28602e9df46bb8f90427fee4436283cd94b67dc6a9112691b3cea0bb437c0fb56bea5f5a70f0
  • SSDEEP
    24576:RNCz6WVnhvvi9X2egunROnuytc1Hi8O3jx8eB4:/QJtch2elzsMC82m

Malware Config

Extracted

  • Family
    redline
  • Botnet
    1
  • C2
    178.159.39.40:19667

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (1 IoC)
  • Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (35 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe
      "C:\Users\Admin\AppData\Local\Temp\086cadedfdf7ccdd1ff9405f8bed27d6613c109689fc179ad4aadf55b8b9d266.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Socks Socks.cmd && Socks.cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3768
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:5092
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1088
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 22662
          4⤵
          PID:1124
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "SolutionWasBreachDrugs" Atlanta
          4⤵
          PID:384
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Back + Connect + Nutrition + Abandoned 22662\l
          4⤵
          PID:4812
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22662\Conclusion.pif
          22662\Conclusion.pif 22662\l
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4044
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3652
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22662\RegAsm.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22662\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22662\Conclusion.pif

                Filesize

                872KB

                MD5

                6ee7ddebff0a2b78c7ac30f6e00d1d11

                SHA1

                f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

                SHA256

                865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

                SHA512

                57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22662\RegAsm.exe

                Filesize

                63KB

                MD5

                0d5df43af2916f47d00c1573797c1a13

                SHA1

                230ab5559e806574d26b4c20847c368ed55483b0

                SHA256

                c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

                SHA512

                f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22662\l

                Filesize

                410KB

                MD5

                f35e996409bd69b4dddd6a13be35d126

                SHA1

                fd67efe5d9b052924b675d96e4077d234e3e3b99

                SHA256

                0b4db3e46936c02d41346e595efdafbca74d569f0a32a57ff002ba95cb3ec8a7

                SHA512

                f24e1f795237f7c4c5b196ed60fa6e919319761f9ab3e426713486adab9f7b8fc15bb8744e8a4fb19b7065eb67feae1de9d3543a747a7d64386738e32297e2a2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Abandoned

                Filesize

                24KB

                MD5

                e31dc4f87df1520bfc0a461f6d65fad9

                SHA1

                c9341321f8ab30bb44cc7a9b7d5dd4f449f5191e

                SHA256

                35b8b7d318ef9428a0d8593939581e0ed17c07d250006d93968a05e7528e2042

                SHA512

                6ed5bc01e4794a442de2ae242b0fe040550b89d7457f0556544946034cc35b84f16aacd6e79e3a37f7357c3700878638fe907d26a75a32d61bf37733b8e750ce

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Actors

                Filesize

                212KB

                MD5

                482c1454ad8fa95d2c07558bf2eb4ba8

                SHA1

                ad9123ab9d1507feec16773d8b35fbfe3f889c6a

                SHA256

                3d9b1989ba15fff1bb93aa9f5783145ae15c78281e239e5f362fe38b99e7faca

                SHA512

                ee570beda2038c6774fe0ea44fa210e46d52f940748b6edf75d5830d5d168af169efbcf452982d5c920199a17ce4505e21cf5515a5eef32d049ad8b73faa54c7

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Atlanta

                Filesize

                169B

                MD5

                eb85e90a86a7a339c53124b9c6075eff

                SHA1

                c37d45a755c1916069d67199ab5fdbc473291b70

                SHA256

                7910dbed202c716c0ec072ed413abc7858cf6407192dce5469998a21b717c2a4

                SHA512

                f4e351637ed067303c88a5d2c6e9b4e29e31d398e974e34670b17b4cf08c5fca2eee995ef149fd6071f9738d236aa7043876c56f12707998135055c31c3c9868

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Back

                Filesize

                167KB

                MD5

                d47c03c15d7627826f89be028064f6c7

                SHA1

                782d3046d994c0f9678297bce9392d05b2cf0216

                SHA256

                2551a21ab2802d8e7f9b1910c37bb3e7cba9233458d7dd45d16eac9c4a0484cd

                SHA512

                1c8956e32129b0aebfa777df0d224bddf1f65e3c9072dcb452b833ecf56210fe5f86a8e91078bfdf6ccbbc5e116832748a2bbb833f2c9a95c619b24a398a30f3

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Connect

                Filesize

                159KB

                MD5

                929e9b4da0e6142ca73ba44d26ecca09

                SHA1

                a883ec258f645eeaa1231118f2d36ea706d6f2ef

                SHA256

                e19d904b4b5f7a277d738f0fdbcc2ac4654e83673e697b0d52c858574c1f4880

                SHA512

                98f4f6a2f0101a89b1f04e5374ae77d8384670c90bf35139e1f6e7a3f963e585f6ceb922a103afc469001e83ac3ad23b14a1017c7f6f0b508c4f38ddf19e2f92

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nutrition

                Filesize

                60KB

                MD5

                d3c966b6776eb4c836e8654b74a27029

                SHA1

                f92a7084a95e6d934d24bbd9b7e9b75264062b0e

                SHA256

                991bbdb2d5fe3db7b81fb195785b0152791eed6dbc2eda9f045c57bf41d5bc33

                SHA512

                0726e57e32be9e8432cddfb2dd10bc718fbfd291b372fe6af5dc119d06c2571c5085d5656f6b8cf53ed5bb5ba7beb74b80e8a2bb49d95b5b1342302bc31a7659

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\People

                Filesize

                161KB

                MD5

                cf6620c803fec9594538370e54a74062

                SHA1

                2299de429b67388bd26002e615b459354554a92a

                SHA256

                354e9a02688285befd01025529d6683da5b40a26eb082ea3bb94d3cebae7e426

                SHA512

                0770f5ff779e73aea123d4cae47c0b6c0efdd68d4840a7b190e7f453a5f511ec3efa94967ed560ac463bc9d8d5a0408c767ff1983e0982548f79b1b21486aa23

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Qc

                Filesize

                99KB

                MD5

                03c38d15b9abca9f49dee6cdbfab2a00

                SHA1

                5ffe017f92758650c58b7915e2429295d988a8d0

                SHA256

                6ed522841af3468d2b8181c6fe3d45f60c87daa0b7b26ff7813dc6ae8b6d70cc

                SHA512

                d22f3057792a4d030f4d1ddf296a254c1ec45c6d11c77045b537d966ade9eed53357664c0fd9f98ef51075537aff6982f4fd97adda4775328f6e6d43bd9bde9b

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sip

                Filesize

                77KB

                MD5

                8e437b7d17190771dd7dd72227ce165b

                SHA1

                9cf72c0a140d00605e9ab9b4217d697e0373ecec

                SHA256

                9730a4adaeeadafd4b6e0d7b30f5ff00783d9b5bb467409b7567d8ac7db838d2

                SHA512

                e2abb21406c3d9347844839f9d3673c462a887d365f4d820802bf95e2009209690e28bd4e537d32c073f941c47f75a9d3f69bc3dc9538419a6928f12d701e8c6

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sociology

                Filesize

                106KB

                MD5

                0c763f97b699ce2991b0676d578ae3eb

                SHA1

                2ef06553ecd13abd1d9d5c8abdaa976db9fe5243

                SHA256

                b208a0f0f606c22eafd7b42519799a5156da5b7cc3800d9ff51b24e8f4b90d56

                SHA512

                17b1b7980b2294c76382121ab27cdcf01bd42546e3feb24745850485b335ee836c1c578748b4c6ac9583a6c838f99ffc42e89c695802a7d7dd61995c087daa97

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Socks

                Filesize

                14KB

                MD5

                ed8cd9de9ed7da89677507b9456baa69

                SHA1

                e964ffc4e7b89c52602201da9921b840bfd0fd4b

                SHA256

                e61cab04f886e74d37c9d7e815ab8b8d13d5e68c8bcc20454cccae73480eacb2

                SHA512

                7315f547405e471d746a10faba1afa4aa9c156fce5179171988dfa61906563bf5d23143b4bd222d53facb119df2c76cf520e0e3b3f68bb5a0931164451060041

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Transexual

                Filesize

                47KB

                MD5

                d104a436fa394e94ae6f1ad0a3d0d7c4

                SHA1

                77d121990c5f352916989ec229f129fbc37f7164

                SHA256

                4c8f45e1ca349abc9040860f8db30de9213c6fc4d5ae4d98e44777385b386557

                SHA512

                15763ba0bbfcb8596ad78a99aeaf9d0201aa72e12522a2bbc3276cc921c8cc1fdc67ecdf610c2ac77a5214c2ed65b437cb51d8568e14a9c962d93e72b0fd31b4

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tuesday

                Filesize

                170KB

                MD5

                e4ad34ed3ba2c9f53cc0c606014f7f02

                SHA1

                8db8fb21065a0c0d828688494eff6a66179c45d4

                SHA256

                684e9a4066acf0f825a649df96552e12920b3ac88eaccf1b15a29b5a03ab1418

                SHA512

                09eca1491a76cca099c003b5c6a14f92cd3bddd4320d075332e69a58903e0c331b2a2761cf58508ae388dcaad57fa73d82e37590da28fd848e47c83fbd887381

              • C:\Users\Admin\AppData\Local\Temp\TmpADD4.tmp

                Filesize

                2KB

                MD5

                1420d30f964eac2c85b2ccfe968eebce

                SHA1

                bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                SHA256

                f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                SHA512

                6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

              • memory/1396-57-0x00000000064B0000-0x0000000006526000-memory.dmp

                Filesize

                472KB

              • memory/1396-62-0x0000000006E10000-0x0000000006F1A000-memory.dmp

                Filesize

                1.0MB

              • memory/1396-40-0x0000000005920000-0x000000000592A000-memory.dmp

                Filesize

                40KB

              • memory/1396-38-0x0000000005F00000-0x00000000064A4000-memory.dmp

                Filesize

                5.6MB

              • memory/1396-35-0x0000000001200000-0x0000000001252000-memory.dmp

                Filesize

                328KB

              • memory/1396-58-0x0000000006B80000-0x0000000006B9E000-memory.dmp

                Filesize

                120KB

              • memory/1396-61-0x00000000072C0000-0x00000000078D8000-memory.dmp

                Filesize

                6.1MB

              • memory/1396-39-0x0000000005870000-0x0000000005902000-memory.dmp

                Filesize

                584KB

              • memory/1396-63-0x0000000006D50000-0x0000000006D62000-memory.dmp

                Filesize

                72KB

              • memory/1396-64-0x0000000006DB0000-0x0000000006DEC000-memory.dmp

                Filesize

                240KB

              • memory/1396-65-0x0000000006F20000-0x0000000006F6C000-memory.dmp

                Filesize

                304KB

              • memory/1396-66-0x0000000007060000-0x00000000070C6000-memory.dmp

                Filesize

                408KB

              • memory/1396-69-0x0000000007CB0000-0x0000000007E72000-memory.dmp

                Filesize

                1.8MB

              • memory/1396-70-0x00000000083B0000-0x00000000088DC000-memory.dmp

                Filesize

                5.2MB

              • memory/1396-71-0x00000000082D0000-0x0000000008320000-memory.dmp

                Filesize

                320KB