Analysis

  • max time kernel
    7s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 10:21

General

  • Target

    DisableFamiliesViewSteam.exe

  • Size

    3.2MB

  • MD5

    3e6e0cb7ad5cdd11edc7807ee21ff1fe

  • SHA1

    22225afe5398bc24e3378ec6f1e9648db4292dd4

  • SHA256

    86b094d8574c15bdb977bb052ec732c0855a6e144b0d6cf1cc900add03f8ce3f

  • SHA512

    bf5aa4d77f4257c475c3430dddb3ec5d9976fd4cdf1abfd2698b7af71b6a597e886bb6ffc059c2313f7e3557ea39deaebd124c95ffae70cc4b0aeb98843456b3

  • SSDEEP

    98304:aD5fP5tYUcR+thNDoJoNo0fbj3K1s3awAzH:+H5aUcR+bx5NdH3H6zH

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe
    "C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\1223.exe
      "C:\Users\Admin\AppData\Local\Temp\1223.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
    • C:\Users\Admin\AppData\Local\Temp\mowgang.exe
      "C:\Users\Admin\AppData\Local\Temp\mowgang.exe"
      2⤵
      • Executes dropped EXE
      PID:3512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1223.exe

    Filesize

    4.8MB

    MD5

    3aee694d5be41a350239eecd6efc8a96

    SHA1

    54a1e0c86ea5d97d4dd9916115b25a674d8e161e

    SHA256

    443cab0cea8162a275ffae4e511afb653e1ae558f81d5d9401253b48c99a2052

    SHA512

    aa6d71f3d92e42da0a32bc70514893938440f18d8ffa1773dff9aa594c81edc12bade432480ac3022666dc4a67f8f25884515fe9e2e668f20eade4f6870f9036

  • C:\Users\Admin\AppData\Local\Temp\mowgang.exe

    Filesize

    114KB

    MD5

    70f5712af69e43e691a6adef7f971f6b

    SHA1

    326dbcbd77dbe38fd938684f2a506b9bf8dcdfd7

    SHA256

    64a25f655a4280eebfafb1df35fe8dcf19962438987a5cf6dfcfb444ab7b54af

    SHA512

    b3eac71db8faddb98bb8138e6e351c799e168ecb7077f98b0ecfac8087e771b61a3fe631a1b0f451077160442ba6a46960c4aa4f3324c37e05ea29f7e13f113f

  • C:\Users\Admin\AppData\Roaming\d3d9.dll

    Filesize

    845KB

    MD5

    878014e9987f80f6c50801b67aaf040c

    SHA1

    03bfaab4f356a60e79c757bafac22738c0e6a95e

    SHA256

    1af5766f944c2bc06ede847876a50190def6cb3959e6620162028badf122162b

    SHA512

    b71e5e512cd57a9a3c12a8d006b05e611d7215de16f6994166469fd8a01349eaaa9924cf029d955db5d99a00522c21fab588e13e4ff9add702da8d411f187ff0

  • memory/216-20-0x0000000072E5E000-0x0000000072E5F000-memory.dmp

    Filesize

    4KB

  • memory/216-23-0x0000000000C20000-0x0000000001340000-memory.dmp

    Filesize

    7.1MB

  • memory/216-24-0x00000000055C0000-0x00000000055C1000-memory.dmp

    Filesize

    4KB

  • memory/2772-34-0x0000000005840000-0x00000000058D2000-memory.dmp

    Filesize

    584KB

  • memory/2772-39-0x0000000008650000-0x0000000008662000-memory.dmp

    Filesize

    72KB

  • memory/2772-32-0x0000000072E50000-0x0000000073600000-memory.dmp

    Filesize

    7.7MB

  • memory/2772-33-0x0000000005F10000-0x00000000064B4000-memory.dmp

    Filesize

    5.6MB

  • memory/2772-46-0x000000000A8B0000-0x000000000ADDC000-memory.dmp

    Filesize

    5.2MB

  • memory/2772-35-0x0000000072E50000-0x0000000073600000-memory.dmp

    Filesize

    7.7MB

  • memory/2772-36-0x00000000034E0000-0x00000000034EA000-memory.dmp

    Filesize

    40KB

  • memory/2772-37-0x0000000008A80000-0x0000000009098000-memory.dmp

    Filesize

    6.1MB

  • memory/2772-38-0x0000000008700000-0x000000000880A000-memory.dmp

    Filesize

    1.0MB

  • memory/2772-30-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/2772-40-0x00000000086B0000-0x00000000086EC000-memory.dmp

    Filesize

    240KB

  • memory/2772-41-0x0000000008810000-0x000000000885C000-memory.dmp

    Filesize

    304KB

  • memory/2772-42-0x00000000089B0000-0x0000000008A16000-memory.dmp

    Filesize

    408KB

  • memory/2772-43-0x0000000009320000-0x0000000009396000-memory.dmp

    Filesize

    472KB

  • memory/2772-44-0x00000000092A0000-0x00000000092BE000-memory.dmp

    Filesize

    120KB

  • memory/2772-45-0x0000000009A00000-0x0000000009BC2000-memory.dmp

    Filesize

    1.8MB

  • memory/3512-22-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB