Overview (score 10)
Static (score 1)
Tasks (sample, platform, score):
- DotHelp.dll, windows7-x64: 1
- DotHelp.dll, windows10-2004-x64: 1
- Loader.exe, windows7-x64: 1
- Loader.exe, windows10-2004-x64: 10
- Settings/N...16.exe, windows7-x64: 7
- Settings/N...16.exe, windows10-2004-x64: 7
- libGLESv2.dll, windows7-x64: 1
- libGLESv2.dll, windows10-2004-x64: 1
- opengl32.dll, windows10-2004-x64: 1
Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 18:22
Static task: static1
Behavioral tasks (task: sample, resource):
- behavioral1: DotHelp.dll, win7-20231129-en
- behavioral2: DotHelp.dll, win10v2004-20240508-en
- behavioral3: Loader.exe, win7-20240221-en
- behavioral4: Loader.exe, win10v2004-20240426-en (this report)
- behavioral5: Settings/Net_Framework_4.8.16.exe, win7-20231129-en
- behavioral6: Settings/Net_Framework_4.8.16.exe, win10v2004-20240508-en
- behavioral7: libGLESv2.dll, win7-20240221-en
- behavioral8: libGLESv2.dll, win10v2004-20240508-en
- behavioral9: opengl32.dll, win10v2004-20240508-en
General
- Target: Loader.exe
- Size: 48.7MB
- MD5: 1273533423237d5e560b8399cbc25c06
- SHA1: 9a0a2edfe3ec73bf2053bea07731dfe7588ac432
- SHA256: 29e33bb4d148ae0341e9f7ea5ae40548172d3a66413d6f5cf78f461e8151d24e
- SHA512: 73f35cd410cee27968ca2b6396d75a23ce95066df8b10d3b0509cae2cd0a7f9703e3e878163b5f7957a8b7a43a75009eadbfb800f12b2967b390053af21b4a2c
- SSDEEP: 196608:Yg2gzmnzYgF8YFUi53gC+TVrJ6+5NHu8ge0oAUfMJXw9if:9VzmnDH53gC26+Hce0eH9if
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  resource behavioral4/memory/3968-24-0x0000000000400000-0x000000000044A000-memory.dmp, yara_rule family_redline
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell with the display window hidden.
- Executes dropped EXE (1 IoC)
  Processes:
  pid 916, driver1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 916 (driver1.exe) set thread context of PID 3968 (RegAsm.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid 736, schtasks.exe; pid 4472, schtasks.exe
- Go User-Agent (3 IoCs)
  Uses the default User-Agent string set by the Go net/http package.
  Flows:
  flow 23, HTTP User-Agent header: Go-http-client/1.1; flow 24, HTTP User-Agent header: Go-http-client/1.1; flow 25, HTTP User-Agent header: Go-http-client/1.1
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid 4460, powershell.exe (2 hits); pid 3968, RegAsm.exe (1 hit)
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes:
  pid 4460, powershell.exe: SeDebugPrivilege
  pid 2504, wmic.exe (the same set enabled twice, 42 IoCs in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3968, RegAsm.exe: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  PID 3152 (Loader.exe) wrote to memory of: 4460 powershell.exe (2 times), 2504 wmic.exe (2 times), 916 driver1.exe (3 times), 736 schtasks.exe (2 times), 4472 schtasks.exe (2 times)
  PID 916 (driver1.exe) wrote to memory of: 3968 RegAsm.exe (8 times)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; PIDs taken from the signature tables above, the two schtasks.exe entries in the order of the WriteProcessMemory list)
- C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 3152)
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4460)
    powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
    Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 2504)
    wmic csproduct get uuid
    Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\driver1.exe (PID 916)
    C:\ProgramData\driver1.exe
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3968)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\schtasks.exe (PID 736)
    schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
    Creates scheduled task(s)
  - C:\Windows\system32\schtasks.exe (PID 4472, same command line a second time)
    schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
    Creates scheduled task(s)
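Read top to bottom, the tree is: hide the console, carve a Defender exclusion for C:\ProgramData, fingerprint the host by SMBIOS UUID, drop and run driver1.exe from the newly excluded directory, hollow a RegAsm.exe child with the RedLine payload, and register a boot-time task running as SYSTEM. As an added example (not code from this report, the sandbox or the sample), the Python routine below applies those detections to a constructed process-creation list copied from the tree; the pid/ppid/image/cmdline schema, the rule names and the parent allow-list for RegAsm.exe are my assumptions, not a Sysmon or sandbox format.

```python
"""Triage the Loader.exe -> driver1.exe -> RegAsm.exe chain from process-creation events.

Added example, not code from the sandbox or the sample. EVENTS is constructed by hand
from the process tree in this report (PIDs, images and command lines as listed there);
the field names pid/ppid/image/cmdline are an assumed schema, not a Sysmon or Triage one.
"""
import re

EVENTS = [
    {"pid": 3152, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Loader.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"'},
    {"pid": 4460, "ppid": 3152,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""'},
    {"pid": 2504, "ppid": 3152,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic csproduct get uuid"},
    {"pid": 916, "ppid": 3152,
     "image": r"C:\ProgramData\driver1.exe",
     "cmdline": r"C:\ProgramData\driver1.exe"},
    {"pid": 3968, "ppid": 916,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 736, "ppid": 3152,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arguments(cmdline):
    """Command line with the leading (possibly quoted) image path removed."""
    return re.sub(r'^\s*(?:"[^"]*"|\S+)', "", cmdline).strip()


def triage(events):
    """Return (pid, rule_name) pairs for the behaviours this report's chain exhibits."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["image"])
        cmd, args = e["cmdline"], _arguments(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""

        # Defender exclusion added from a hidden PowerShell window (defense evasion).
        if name == "powershell.exe" and re.search(r"add-mppreference\s+-exclusionpath", cmd, re.I):
            findings.append((e["pid"], "defender_exclusion_added"))
        # SMBIOS UUID lookup: a stable victim identifier, also used in sandbox checks.
        if name == "wmic.exe" and re.search(r"csproduct\s+get\s+uuid", cmd, re.I):
            findings.append((e["pid"], "hardware_uuid_recon"))
        # An executable running straight out of the world-writable C:\ProgramData root.
        if name.endswith(".exe") and e["image"].lower().startswith("c:\\programdata\\"):
            findings.append((e["pid"], "exe_launched_from_programdata"))
        # RegAsm.exe with no assembly to register is a hollowing host, not a build step.
        # The parent allow-list is an assumption for illustration.
        if name == "regasm.exe" and args == "" and parent_name not in ("devenv.exe", "msbuild.exe"):
            findings.append((e["pid"], "regasm_launched_without_arguments"))
        # Boot-time task as SYSTEM whose action lives under ProgramData.
        if (name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I)
                and re.search(r"/sc\s+onstart\b", cmd, re.I)
                and re.search(r"/ru\s+system\b", cmd, re.I)
                and re.search(r"/tr\s+\S*programdata", cmd, re.I)):
            findings.append((e["pid"], "system_onstart_task_from_programdata"))
    return findings


def chain_verdict(findings):
    """Collapse individual hits into a verdict on the whole tree."""
    rules = {r for _, r in findings}
    stages = {"defender_exclusion_added", "exe_launched_from_programdata",
              "regasm_launched_without_arguments", "system_onstart_task_from_programdata"}
    return "loader_with_injection_and_persistence" if stages <= rules else "inconclusive"


if __name__ == "__main__":
    hits = triage(EVENTS)
    for pid, rule in hits:
        print(f"{pid:>5}  {rule}")
    print(chain_verdict(hits))
```

Two caveats when turning this into a production rule. The Defender exclusion is only meaningful if the script ran elevated; the sandbox user here is Admin, so the exclusion succeeded, but on a standard user it fails silently and the loader still proceeds. And the task action C:\ProgramData\Microsoft\WinDriver.cmd is not among the files listed under Downloads for this run, so either the loader writes it later than the capture window or the task is dead on this host; a responder should check for the file, not assume it.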
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\driver1.exe
  Filesize: 425KB
  MD5: 1b13f17ef37e85a3b8b0530df891cefc
  SHA1: b1e06f1d3bb411a440b7bfbffd7661582897753d
  SHA256: 5fe0eaad80e9eb5463a2ce0189b34613d6df9aa56d9362fe98c47abfecfd5ecf
  SHA512: b8bdcd0f6453bb4df3ca0c517ab1c088f06343b7274fad5f5d45934893b7415337f71392804b74f632d9f096804a9d313169592cd189ff35844f2b1f2853b247
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kv1w5tpj.h0h.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (PowerShell itself writes a __PSScriptPolicyTest_*.ps1 probe to %TEMP% on startup to test whether script execution is blocked by AppLocker/WDAC; it is a by-product of the powershell.exe launch, not a file the sample dropped.)
- Memory dumps (memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, size):
  memory/916-25-0x0000000000D70000-0x0000000000D71000-memory.dmp 4KB
  memory/916-23-0x0000000000D70000-0x0000000000D71000-memory.dmp 4KB
  memory/3968-31-0x0000000006360000-0x0000000006372000-memory.dmp 72KB
  memory/3968-33-0x0000000006550000-0x000000000659C000-memory.dmp 304KB
  memory/3968-38-0x0000000008AE0000-0x000000000900C000-memory.dmp 5.2MB
  memory/3968-37-0x00000000083E0000-0x00000000085A2000-memory.dmp 1.8MB
  memory/3968-24-0x0000000000400000-0x000000000044A000-memory.dmp 296KB
  memory/3968-36-0x00000000068C0000-0x00000000068DE000-memory.dmp 120KB
  memory/3968-26-0x0000000005850000-0x0000000005DF4000-memory.dmp 5.6MB
  memory/3968-27-0x00000000052A0000-0x0000000005332000-memory.dmp 584KB
  memory/3968-28-0x0000000005350000-0x000000000535A000-memory.dmp 40KB
  memory/3968-29-0x00000000068E0000-0x0000000006EF8000-memory.dmp 6.1MB
  memory/3968-30-0x0000000006440000-0x000000000654A000-memory.dmp 1.0MB
  memory/3968-35-0x0000000007080000-0x00000000070F6000-memory.dmp 472KB
  memory/3968-32-0x00000000063C0000-0x00000000063FC000-memory.dmp 240KB
  memory/3968-34-0x00000000066C0000-0x0000000006726000-memory.dmp 408KB
  memory/4460-15-0x00007FF8E4C20000-0x00007FF8E56E1000-memory.dmp 10.8MB
  memory/4460-0-0x00007FF8E4C23000-0x00007FF8E4C25000-memory.dmp 8KB
  memory/4460-10-0x0000020AF0E20000-0x0000020AF0E42000-memory.dmp 136KB
  memory/4460-11-0x00007FF8E4C20000-0x00007FF8E56E1000-memory.dmp 10.8MB
  memory/4460-12-0x00007FF8E4C20000-0x00007FF8E56E1000-memory.dmp 10.8MB
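The family_redline yara hit is memory/3968-24-0x0000000000400000-0x000000000044A000-memory.dmp, i.e. PID 3968 (RegAsm.exe), the process whose thread context driver1.exe (PID 916) rewrote. As an added example (not the sandbox's code or the sample's), the script below parses a constructed subset of the listing above in the page's own line format, checks that each printed size agrees with its address range, and picks out the dump in the injection target that looks like a mapped payload image. The function names and the 0x400000 heuristic are mine.

```python
"""Correlate the SetThreadContext target with the memory-dump listing to locate the
hollowed-in payload image.

Added example, not code from the sandbox or the sample. DUMP_LISTING is a constructed
subset of this report's dump list in the page's "memory/<pid>-<seq>-0x<start>-0x<end>-
memory.dmp <size>" form; INJECTOR_PID/TARGET_PID come from the SetThreadContext signature
and YARA_HIT from the RedLine payload signature. Function names are my own.
"""
import re

DUMP_LISTING = """\
memory/916-23-0x0000000000D70000-0x0000000000D71000-memory.dmp 4KB
memory/3968-24-0x0000000000400000-0x000000000044A000-memory.dmp 296KB
memory/916-25-0x0000000000D70000-0x0000000000D71000-memory.dmp 4KB
memory/3968-26-0x0000000005850000-0x0000000005DF4000-memory.dmp 5.6MB
memory/3968-27-0x00000000052A0000-0x0000000005332000-memory.dmp 584KB
memory/3968-30-0x0000000006440000-0x000000000654A000-memory.dmp 1.0MB
memory/3968-38-0x0000000008AE0000-0x000000000900C000-memory.dmp 5.2MB
memory/4460-15-0x00007FF8E4C20000-0x00007FF8E56E1000-memory.dmp 10.8MB
"""

INJECTOR_PID, TARGET_PID = 916, 3968   # driver1.exe -> RegAsm.exe (SetThreadContext signature)
YARA_HIT = "memory/3968-24-0x0000000000400000-0x000000000044A000-memory.dmp"

LINE_RE = re.compile(
    r"(memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp)\s+(\S+)")


def format_size(nbytes):
    """Size in the page's own units: whole KB below 1 MiB, otherwise MiB to one decimal."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def parse_listing(text):
    """One dict per dump line: pid, capture sequence number, range, computed and listed size."""
    dumps = []
    for m in LINE_RE.finditer(text):
        name, pid, seq, start, end, listed = m.groups()
        start, end = int(start, 16), int(end, 16)
        dumps.append({"name": name, "pid": int(pid), "seq": int(seq), "start": start,
                      "end": end, "size": end - start, "listed": listed})
    return dumps


def size_mismatches(dumps):
    """Dumps whose address range disagrees with the size printed next to them."""
    return [d["name"] for d in dumps if format_size(d["size"]) != d["listed"]]


def injected_image_candidates(dumps, target_pid):
    """Dumps in the injection target sitting at the default 32-bit ImageBase (0x400000)
    with a page-granular size: where a payload written over a hollowed host lands.
    The base-address heuristic is an assumption, not something the sandbox reports."""
    return [d for d in dumps
            if d["pid"] == target_pid and d["start"] == 0x400000 and d["size"] % 0x1000 == 0]


if __name__ == "__main__":
    dumps = parse_listing(DUMP_LISTING)
    print("size mismatches:", size_mismatches(dumps) or "none")
    for d in injected_image_candidates(dumps, TARGET_PID):
        tag = "(matches the family_redline hit)" if d["name"] == YARA_HIT else ""
        print(f"pid {d['pid']} base 0x{d['start']:X} size 0x{d['size']:X} "
              f"({format_size(d['size'])}) {tag}")
```

The candidate it returns is the 0x4A000-byte (296KB) region in PID 3968, the same dump the yara rule flagged, and the one to hand to a .NET decompiler for configuration extraction. Every dump for PID 3968 lies below 4 GB, which is consistent with the 32-bit Framework\v4.0.30319\RegAsm.exe host, while PID 4460 (64-bit powershell.exe) shows 0x7FF8... addresses.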