Analysis
- max time kernel: 145s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 08:56
Static task: static1
Behavioral task: behavioral1
  Sample: d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe
  Resource: win10v2004-20240508-en
General
- Target: d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe
- Size: 444KB
- MD5: 0c34afe936fecc85fdfa87735bad598d
- SHA1: 9e24cc5cbac7c5667e57976d2536375ba25014e3
- SHA256: d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463
- SHA512: ddd81432a9e829c63dd57126926facb8b57b222632a97aef7b242eedcafb43b9d8f76491d588c6d3caefb2a4e5ea301f3b97be671b4e21aea3356b0a99ec96f7
- SSDEEP: 6144:u8INtdy8s24pEts2HnUmPjd3xg5J+J0FfJsd6fADKY0UjuY/PoSTiRVVRupR7vau:u8+s7pEe2HPVm50J0FfbAmbUXbpaRbi
Malware Config
Extracted
redline
@Shehqqq6
147.45.47.93:80
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/456-8-0x0000000000700000-0x0000000000752000-memory.dmp | family_redline

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | conhost.exe

- Executes dropped EXE (5 IoCs)
  pid | Process
  208 | conhost.exe
  380 | 7z.exe
  2876 | 7z.exe
  4968 | 7z.exe
  4732 | svcshost.exe

- Loads dropped DLL (4 IoCs)
  pid | Process
  4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe
  380 | 7z.exe
  2876 | 7z.exe
  4968 | 7z.exe

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  39 | pastebin.com
  40 | pastebin.com

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4880 set thread context of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84

- Command and Scripting Interpreter: PowerShell
  pid | Process
  4840 | powershell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1940 | schtasks.exe
  2752 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  456 | MSBuild.exe
  456 | MSBuild.exe
  456 | MSBuild.exe
  456 | MSBuild.exe
  456 | MSBuild.exe
  4732 | svcshost.exe
  4840 | powershell.exe
  4840 | powershell.exe
  4732 | svcshost.exe
  4732 | svcshost.exe
  4732 | svcshost.exe
  4732 | svcshost.exe

- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 456 | MSBuild.exe
  Token: SeRestorePrivilege | 380 | 7z.exe
  Token: 35 | 380 | 7z.exe
  Token: SeSecurityPrivilege | 380 | 7z.exe
  Token: SeSecurityPrivilege | 380 | 7z.exe
  Token: SeRestorePrivilege | 2876 | 7z.exe
  Token: 35 | 2876 | 7z.exe
  Token: SeSecurityPrivilege | 2876 | 7z.exe
  Token: SeSecurityPrivilege | 2876 | 7z.exe
  Token: SeRestorePrivilege | 4968 | 7z.exe
  Token: 35 | 4968 | 7z.exe
  Token: SeSecurityPrivilege | 4968 | 7z.exe
  Token: SeSecurityPrivilege | 4968 | 7z.exe
  Token: SeDebugPrivilege | 4732 | svcshost.exe
  Token: SeDebugPrivilege | 4840 | powershell.exe

- Suspicious use of WriteProcessMemory (44 IoCs)
  description | pid | Process | procid_target
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 4880 wrote to memory of 456 | 4880 | d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe | 84
  PID 456 wrote to memory of 208 | 456 | MSBuild.exe | 100
  PID 456 wrote to memory of 208 | 456 | MSBuild.exe | 100
  PID 456 wrote to memory of 208 | 456 | MSBuild.exe | 100
  PID 208 wrote to memory of 4932 | 208 | conhost.exe | 101
  PID 208 wrote to memory of 4932 | 208 | conhost.exe | 101
  PID 4932 wrote to memory of 3012 | 4932 | cmd.exe | 104
  PID 4932 wrote to memory of 3012 | 4932 | cmd.exe | 104
  PID 4932 wrote to memory of 380 | 4932 | cmd.exe | 105
  PID 4932 wrote to memory of 380 | 4932 | cmd.exe | 105
  PID 4932 wrote to memory of 2876 | 4932 | cmd.exe | 106
  PID 4932 wrote to memory of 2876 | 4932 | cmd.exe | 106
  PID 4932 wrote to memory of 4968 | 4932 | cmd.exe | 107
  PID 4932 wrote to memory of 4968 | 4932 | cmd.exe | 107
  PID 4932 wrote to memory of 1120 | 4932 | cmd.exe | 108
  PID 4932 wrote to memory of 1120 | 4932 | cmd.exe | 108
  PID 4932 wrote to memory of 4732 | 4932 | cmd.exe | 109
  PID 4932 wrote to memory of 4732 | 4932 | cmd.exe | 109
  PID 4932 wrote to memory of 4732 | 4932 | cmd.exe | 109
  PID 4732 wrote to memory of 2092 | 4732 | svcshost.exe | 110
  PID 4732 wrote to memory of 2092 | 4732 | svcshost.exe | 110
  PID 4732 wrote to memory of 2092 | 4732 | svcshost.exe | 110
  PID 2092 wrote to memory of 4840 | 2092 | cmd.exe | 112
  PID 2092 wrote to memory of 4840 | 2092 | cmd.exe | 112
  PID 2092 wrote to memory of 4840 | 2092 | cmd.exe | 112
  PID 4732 wrote to memory of 1448 | 4732 | svcshost.exe | 113
  PID 4732 wrote to memory of 1448 | 4732 | svcshost.exe | 113
  PID 4732 wrote to memory of 1448 | 4732 | svcshost.exe | 113
  PID 4732 wrote to memory of 3760 | 4732 | svcshost.exe | 114
  PID 4732 wrote to memory of 3760 | 4732 | svcshost.exe | 114
  PID 4732 wrote to memory of 3760 | 4732 | svcshost.exe | 114
  PID 1448 wrote to memory of 1940 | 1448 | cmd.exe | 117
  PID 1448 wrote to memory of 1940 | 1448 | cmd.exe | 117
  PID 1448 wrote to memory of 1940 | 1448 | cmd.exe | 117
  PID 3760 wrote to memory of 2752 | 3760 | cmd.exe | 118
  PID 3760 wrote to memory of 2752 | 3760 | cmd.exe | 118
  PID 3760 wrote to memory of 2752 | 3760 | cmd.exe | 118

- Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  1120 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d15d1e547612552d7b946c802b8445fb0c603968c4353be354fe1a2a65683463.exe"
  PID: 4880
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 456
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\conhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      PID: 208
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        PID: 4932
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\mode.com
          Command line: mode 65,10
          PID: 3012

        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e file.zip -p563741341569714296105326100 -oextracted
          PID: 380
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_2.zip -oextracted
          PID: 2876
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_1.zip -oextracted
          PID: 4968
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\attrib.exe
          Command line: attrib +H "svcshost.exe"
          PID: 1120
          - Views/modifies file attributes

        C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
          Command line: "svcshost.exe"
          PID: 4732
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /C powershell -EncodedCommand "PAAjADAARQBmAEQAbABBACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABwADEARQBXAFQAbQBZACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAbgBNAE4AVgA4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEoAdwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
            PID: 2092
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -EncodedCommand "PAAjADAARQBmAEQAbABBACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABwADEARQBXAFQAbQBZACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAbgBNAE4AVgA4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEoAdwAjAD4A"
              Decoded -EncodedCommand (UTF-16LE base64): <#0EfDlA#> Add-MpPreference <#hp1EWTmY#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vnMNV8#> -Force <#Jw#>
              PID: 4840
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            PID: 1448
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command line: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              PID: 1940
              - Creates scheduled task(s)

          C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3654" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            PID: 3760
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3654" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              PID: 2752
              - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 2.5MB
  MD5: be320b59ef29060678bcb78d6c8fa059
  SHA1: eb76091dc908c5bcf1ddd24900f53b6d9119bf53
  SHA256: 9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145
  SHA512: 8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc

- Filesize: 1.6MB
  MD5: 72491c7b87a7c2dd350b727444f13bb4
  SHA1: 1e9338d56db7ded386878eab7bb44b8934ab1bc7
  SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
  SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

- Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

- Filesize: 2.2MB
  MD5: 7fc02b51dd8ee71d01cf01ec2faa8cc6
  SHA1: 52d16d36ea5719177ac56d1420281587b84268e5
  SHA256: 87920f35f5b119fa851cc3e1be8d26669a86636d25fb5a1fc71d8e49c20426b1
  SHA512: f7c98a71882f8517b9c942222de7f5ef8b75a3b5699530f194ff1c670c1e4c4ab1622d2dbf5e9145df28d67491a96fd5c2e6b2ebf8aa9fa07415e4e7466bde5c

- Filesize: 9KB
  MD5: ed96024f86a8d005a58c85056c939b57
  SHA1: 304349dddbc2be0b786188aeb9f3e774b3eee000
  SHA256: 191472c620709b27aaf22d77531ad320de820f4470911d12ca947835b11985a3
  SHA512: d8b40cd1a478daeb50aaf641b5dca98f483b7164f06a0c7bc9ff73f3ae75197542518b1fa867622600f3b589756e493bba6baa88c98a284751f2a4abd710e07d

- Filesize: 1.6MB
  MD5: 1dea9b52d271181663e8490fb0cfb259
  SHA1: ecb5431dd5f2195fa006f6b122fbada1ee7814fa
  SHA256: 4d06d0ef87f79d86c05b505d6bb1726e76e032514de129b1421d660fd31b7934
  SHA512: fff4c592f7947f29fc3c1209f13d9c2b19a052e88cab59e1f18f0d30eb53b734601d8292dbfb2004d6ab13b72f36d3ef600808c83625aa32f5a152af6acc1812

- Filesize: 21KB
  MD5: 3157f43bcc6254d4dd2b18ed3748cc0e
  SHA1: e9268a22049763ada485c7ab61538767f1e5693e
  SHA256: 8abd4b8b64f0594bd1295a458d5f157fe6d3af3000318025273645c753ec18aa
  SHA512: 0ea5d6a6e12bc7fea0f1129aed97eb15801d9003033d96758810598bee9d8dc1a49626e655527cb7c758856e2c471e4801460abffdaeb2d8c4b7faebdb91d74e

- Filesize: 1.6MB
  MD5: 6f4dc951bbb91da352f1b1736b9551dc
  SHA1: c94c3fbb3a830f8a3f98963eef485ecbf7f8487b
  SHA256: ffeeaa61d3e4e3aeedbd1303757049b46e30bad6445e6d78f02efce265071404
  SHA512: da41d47ce5f4599bb7acbf71cfd22980f2f0f2cd74aecf1dc9664f349815a44389f13c0c2c70a89812ab665fb4b932f64f0a48664d63206e22db655f223406ea

- Filesize: 468B
  MD5: 1005b0d4f17c3e5c9a8c0e89f3943c63
  SHA1: 5d5e9a7ad0c21cb256f7381cb1fd414aff83d102
  SHA256: db61ff7a98d6279ae8db81c9713407f42f673da134d2b12d31d0bae0a3eb00e7
  SHA512: 845c09bded690af0563c6f94357d591425604b4d34404c46caba5295c192dd7eb66b620d2656b4de6a26f90657e08f591b9b46bb3d821d5344329727f37d5540

- Filesize: 403KB
  MD5: 9f84c9689115005f1cb61b36a2c7c67e
  SHA1: 76891a7d8c2ea143cb9dab05864fb04aea8a7153
  SHA256: f732dbad6982c48205dbb20d7cb644ddfddcd26ca1b35700a2e81f5002130bf8
  SHA512: 68b0fe1961328d9003b5918e62d0c3c9da0e79f9285771e99cc2a67f4f84739fed14c4e6343339c7f6578c3a9494e9da54a8f817cf30a6db39a87e407ee84538