Resubmissions

20-05-2024 13:36

240520-qv95eacd59 10

Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-05-2024 13:36

General

  • Target

    RedlineBuilder.exe

  • Size

    308KB

  • MD5

    128cbb0f113189a8af347f14cb223357

  • SHA1

    7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7

  • SHA256

    a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e

  • SHA512

    1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35

  • SSDEEP

    3072:+gccZqf7D34up/0+mAxkynW2Qlg7g6B1fA0PuTVAtkxzr3RceqiOL2bBOAK:AcZqf7DIWnGN8B1fA0GTV8khkL

Score
10/10

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe"
    1⤵
      PID:4468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 892
        2⤵
        • Program crash
        PID:2320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468
      1⤵
        PID:1768
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4828
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        1⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7e4e3cb8,0x7ffa7e4e3cc8,0x7ffa7e4e3cd8
          2⤵
            PID:4016
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
            2⤵
              PID:2480
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4564
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
              2⤵
                PID:4156
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
                2⤵
                  PID:2936
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
                  2⤵
                    PID:4044
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
                    2⤵
                      PID:2700
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
                      2⤵
                        PID:4780
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:5040
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:2972

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                          Filesize

                          152B

                          MD5

                          d0f84c55517d34a91f12cccf1d3af583

                          SHA1

                          52bd01e6ab1037d31106f8bf6e2552617c201cea

                          SHA256

                          9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

                          SHA512

                          94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                          Filesize

                          152B

                          MD5

                          ade01a8cdbbf61f66497f88012a684d1

                          SHA1

                          9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

                          SHA256

                          f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

                          SHA512

                          fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          5KB

                          MD5

                          f8910666e378418e963429d0b095bbc7

                          SHA1

                          0fc56c8bc69b500600ba9434bc5be4f2bd1c1c56

                          SHA256

                          5573919ae9d5f87e52b599e485f636c20e3f4bb8f72fea2cbaa09e4d615e4ef2

                          SHA512

                          e6bac0f4f407ebc8f2a497b5115536af8cbd681fccd1178aa87070933c50f23efea8af5b9cb66b8027db1e3b985f918058ac61dc14a4d5e4cc73c3dddbe3c675

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          5KB

                          MD5

                          211ea47f71718a08f771ea451e188118

                          SHA1

                          131f05940fc61be766fe104837ea6afc4714460e

                          SHA256

                          4753007c9d8b6cc4acc1a672a90e06f4bdbec674dccf69646060863bd1d80825

                          SHA512

                          913d182bde31b6c5d75e25c369f1c1cf78deadfccee44d44b18e927d654bcf252ad45669fd95d24eb78c31f4d80e89ffbb4c1880f43f1b69a8e65930e8037eac

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                          Filesize

                          10KB

                          MD5

                          25e2b9e98e6985fbb279ab84d40e6aeb

                          SHA1

                          b4e9b677a19d5891cd753ff7666b1c79a6c47b83

                          SHA256

                          89cc78f9b1aaaadcf30bb71099098f7e6474a61efb938853251b79759f27115c

                          SHA512

                          9bf75f4479a553bc90c38a6a0259212171bc0957b7c94ae2b649456486c60e1467b3801f3cc69741e2911180e4fdda5e8133e9751035688799a75a030e23d635

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                          Filesize

                          264KB

                          MD5

                          f50f89a0a91564d0b8a211f8921aa7de

                          SHA1

                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                          SHA256

                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                          SHA512

                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                          Filesize

                          10KB

                          MD5

                          18951ad4190ed728ba23e932e0c6e0db

                          SHA1

                          fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0

                          SHA256

                          66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915

                          SHA512

                          a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

                        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                          Filesize

                          10KB

                          MD5

                          ee87a5df2cec41353233851e9956d539

                          SHA1

                          cdd287b4be58f5ee3464c31c9f073daad13f2eb7

                          SHA256

                          2c25ce8141d1e6e601907a4d54f367ba7f6032c9596d24b30a245d94b719c880

                          SHA512

                          3afe8451239bbfa4c7cd6ad4e123d8558aba43a570998ef76834dd12b8b0266a4c9dc7bf57dd9a903208a029f3a0ae54822f1ba1d29414615bdcea963b062379

                        • memory/4468-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

                          Filesize

                          4KB

                        • memory/4468-1-0x0000000000230000-0x0000000000284000-memory.dmp

                          Filesize

                          336KB