Analysis
- max time kernel: 7s
- max time network: 10s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 10:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: DisableFamiliesViewSteam.exe
  - Resource: win10v2004-20240426-en
General
- Target: DisableFamiliesViewSteam.exe
- Size: 3.2MB
- MD5: 3e6e0cb7ad5cdd11edc7807ee21ff1fe
- SHA1: 22225afe5398bc24e3378ec6f1e9648db4292dd4
- SHA256: 86b094d8574c15bdb977bb052ec732c0855a6e144b0d6cf1cc900add03f8ce3f
- SHA512: bf5aa4d77f4257c475c3430dddb3ec5d9976fd4cdf1abfd2698b7af71b6a597e886bb6ffc059c2313f7e3557ea39deaebd124c95ffae70cc4b0aeb98843456b3
- SSDEEP: 98304:aD5fP5tYUcR+thNDoJoNo0fbj3K1s3awAzH:+H5aUcR+bx5NdH3H6zH
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral1/memory/2772-30-0x0000000000400000-0x00000000004C0000-memory.dmp, yara_rule: family_redline
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation, process: DisableFamiliesViewSteam.exe
- Executes dropped EXE (2 IoCs)
  PID 216, process: 1223.exe
  PID 3512, process: mowgang.exe
- Loads dropped DLL (1 IoC)
  PID 216, process: 1223.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 216 set thread context of 2772 (pid 216, process: 1223.exe, procid_target: 91)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2772, process: MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege (pid 2772, process: MSBuild.exe)
  Token: SeBackupPrivilege (pid 2772, process: MSBuild.exe)
  Token: SeSecurityPrivilege (pid 2772, process: MSBuild.exe)
  Token: SeSecurityPrivilege (pid 2772, process: MSBuild.exe)
  Token: SeSecurityPrivilege (pid 2772, process: MSBuild.exe)
  Token: SeSecurityPrivilege (pid 2772, process: MSBuild.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4820 wrote to memory of 216 (pid 4820, process: DisableFamiliesViewSteam.exe, procid_target: 84), 3 identical entries
  PID 4820 wrote to memory of 3512 (pid 4820, process: DisableFamiliesViewSteam.exe, procid_target: 87), 3 identical entries
  PID 216 wrote to memory of 2772 (pid 216, process: 1223.exe, procid_target: 91), 8 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe (command line: "C:\Users\Admin\AppData\Local\Temp\DisableFamiliesViewSteam.exe"), PID:4820
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1223.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1223.exe"), PID:216
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"), PID:2772
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\mowgang.exe (command line: "C:\Users\Admin\AppData\Local\Temp\mowgang.exe"), PID:3512
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads