Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 20:33
General
-
Target
Launcher.bat
-
Size
722B
-
MD5
d3536bea5d026490a43f81ce81f8af36
-
SHA1
9dfae9303c3cc6059dde651de143d692bd250715
-
SHA256
e5ac9e35df655c6014503b3f3c0cf7beca2839798f973e031b353d8f58679bea
-
SHA512
1fcd1685d10adb21011a7125dc75e8e1c39652bd04a13d511a8c4b7bea6fb8e1df7fd6c4289b6c754e658cd30d765952b8a2b985c66f58255f16ba59406df5a5
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵
-
C:\Users\Admin\AppData\Local\Temp\luajit.exeluajit.exe log2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc daily /st 14:29 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exerundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Register-ScheduledTask -TaskName 'Um9ibG94ODAw' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exeC:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5CFilesize
281B
MD59ffbd977ef296f7332ba12076d9a2623
SHA1c087ba1bf1e288136cf5baf62935079bbac5c947
SHA256976df051972ae59fd1c92d3032be7fdbd4fc1660f61c83079044fdc6cae2970a
SHA512e0581030aab12526181fc2aa6eb53335466be0cdf88eb378503fc25f57818d109976145ab1c575fd1dbe900608c0490f8264683ed26528b29532d255dd477e87
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25Filesize
1KB
MD572d4880bc5c5e75d2c69ea85932f6015
SHA1ac33593f45a034fef778aa22b0b93dd29a6c7366
SHA2567e576ce866607f8e6802355e09db9431853bd6568fc239ff4e3308b4edc06b6d
SHA512ba0976e2b8652d3dc71558e669ab450b793c49a61aa01a1b0b4dfe9a6c8bf0ab065548a314bad955104be5d5ef6948d959569433c40c69b01dd8b3ac09fa36e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90Filesize
979B
MD5bc90511177a4597118c0cd5572567295
SHA1ab38408b2f638d16ee748aae07dea098071f7aed
SHA256eacd1a0ba09bb02dc47fa6e150be8a7d27ac8d082f33a3549e12be8161765784
SHA512126d34d1095e69c89fff418e21cb72ed71d63977cc30a1202d7c5ebd80b6c4d960db4964ef7d1972a370f561205def244e33628632c44226ad1cb30f6c0dd1f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419Filesize
471B
MD5adb32fc7631f42dab39ff3cd55456115
SHA13276092ffe9d1f17f5a85f9d1235fb1c2010ba2e
SHA256ad6f1a7a4489c88cea6c04a00ae31d4d3934da59ae14591c6e5422d53920aeef
SHA51246b559fe93b3c11bde1247f4069f398044098e143184880735c6790debc1281c77d9d35c3dfe37aa4492b2f3ce46587e9631534268adb5a380f2c74600b2df13
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
471B
MD55659e00dbd7bda4411457eaa703ef4c8
SHA1f3e9bd022e6a611570dcd8542b20888bb9cfa689
SHA2560d3525fe7d49ebfbc82605b9263a2324d313751ffa007761b6931d2e0d9c15e3
SHA51275f1cb03e382d75f1ab339c594d6aeacfa0704871ed19d055a735a5a9dff96632ba3224bb0130830eeeadce4b41f4246768adfca57a8c9f70eb7d434902f1622
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5CFilesize
480B
MD5debef9866ef3c21e65110681d0b2d68b
SHA1126114037d1608b0ed5c7019c1c52f59340c3699
SHA25654aaa6854ae1f5b4271544562c7c6b6f9e6a4c92dd5fd28df5da232994b430f4
SHA512a14f4103b50b5020ef21081a8041059c0abe947ba91c4977bf002b35c19d1768b2e99a371e70dcb7df7b9b8c931b2ccfa502a315a76dbd98fa951a69a185d521
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25Filesize
482B
MD584feb1550f25c92e5178d6d964ab6664
SHA12823655dbb0673d685f8a526b44d5ef0e5332961
SHA256e53154d7bc2ff3ca37e27278cf9099c38f4ae343b1ea017e3d3b91a7e6a2a57a
SHA51293de223f2e1d6f88e90f34d6cfe8ea65e1d170c43c0b994b8cff86ea3fa710b6db4dbbbd4e30f5b4d086911f19c23cfda176dcb7ada9949dcb2f124780926f50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90Filesize
480B
MD5688715a905d7e3302819e8d6e320045f
SHA1582606b9246cb3e73ae2a15cae3ee48d1f395475
SHA25632b4e6ad953a3ce70f97a1e8230e65849f188178ecbff26fdadaf7795a21ae36
SHA512ea741f4c5fc8ddf3926709304716b095673a296cc09a4a6b9d1142a6ebd2686c9243ce8668fe2e93d76ecd863c9210c853370e466cd188ba53e3b10392f344e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419Filesize
412B
MD58ddd9f0f49ac4d0086d2df4125a8e379
SHA185ce6ca51c9d5d3e9d4343b1f9ae1d956403579f
SHA256facccb721fd1588f75796d435a375e049ccc532936cea98c79178d328bf961d2
SHA512e52369e6b04c41cd7ec933178abcdd7f06e85c6f3c0aa2f232844950425413dbffac19df3f303ef6bd3cff07786521a5f92d8f8816cf92b4555e6eb350308fd0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD5c9d3f4227d7aef9a5d0b020786176c91
SHA19f35105c37d0cd6e941aefd444b8090f8b7b38c0
SHA2562ca8c20a88fa3048c1b0e633d5db2992edf074e1477c4687a40d33e00580201d
SHA5120918a21ec7bf3d5b3bb6ee1570fb8b13a5d1f3eab59099f371abd5091c783d93954a2fd69d41b16e8cfdcdc9e3eefc488a896ed79397edeef091268df4af423f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\packet[1].logFilesize
4.1MB
MD50ffd3bd05a9281981db2330e5a7291c1
SHA1fabbfea6c072f68692b81571d38e8eab72de1362
SHA256286dca4423a65cbd5d23e9bf002e584ec16a88c0a5edf4cfdc6b639d982593ad
SHA51254ff1df237207e4fe70808583b96a07d0366887ed7e3389527eaadb6c3e045c19c4ba1621a47e24fa661f52b504274b46af91acd1b562bc15b1e51518846c333
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\json[1].jsonFilesize
297B
MD5bd0c2d8e6b0fe0de4a3869c02ee43a85
SHA121d8cca90ea489f88c2953156e6c3dec6945388b
SHA2563a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533
SHA512496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnvowwun.p4c.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Pictures\6833EB7B8D4B4CDD95029BBF7FC1CF9FFilesize
3KB
MD580a7e52b78b57162634e3ea11d00eb53
SHA12a0ff51f6a55dd93d9098611d5052d05d1d0f5e2
SHA256cbe2044bec52de028b1086e73278fcb09d05c1f0812a307834ad80be2f530f78
SHA51278f592382324f7ec0899838532b2f70807406cab6f5a2fd50eb6ee2abd86304de7831984e72f9c7e4d1316da9a6249132802e22e7d73d612c4a0249ccfa85bbc
-
memory/2604-37-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-53-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-47-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-33-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-44-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-43-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-42-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-41-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-40-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-39-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-38-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-18-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-36-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-35-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-34-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-32-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-31-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-30-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-29-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-28-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-26-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-27-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-25-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-24-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-77-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/2604-76-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/2604-23-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-17-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-16-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-15-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-14-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-13-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-12-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-11-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-10-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-9-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-8-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-7-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-6-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-5-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-4-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-2-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-1-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-0-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-55-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-48-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-45-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-22-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-21-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-20-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-19-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-3-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-87-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/2604-85-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/2604-86-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/2604-176-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/2604-63-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-62-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-61-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-60-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-49-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-50-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-46-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-51-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-52-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-54-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-56-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-57-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-58-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/2604-59-0x000000007FA20000-0x000000007FA30000-memory.dmpFilesize
64KB
-
memory/3360-386-0x000001F3E8880000-0x000001F3E88A2000-memory.dmpFilesize
136KB
-
memory/4748-416-0x00000000064E0000-0x000000000651C000-memory.dmpFilesize
240KB
-
memory/4748-418-0x00000000067E0000-0x0000000006846000-memory.dmpFilesize
408KB
-
memory/4748-414-0x0000000006550000-0x000000000665A000-memory.dmpFilesize
1.0MB
-
memory/4748-415-0x0000000006480000-0x0000000006492000-memory.dmpFilesize
72KB
-
memory/4748-409-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/4748-410-0x00000000059C0000-0x0000000005F64000-memory.dmpFilesize
5.6MB
-
memory/4748-411-0x0000000005410000-0x00000000054A2000-memory.dmpFilesize
584KB
-
memory/4748-412-0x00000000053C0000-0x00000000053CA000-memory.dmpFilesize
40KB
-
memory/4748-422-0x0000000008E40000-0x000000000936C000-memory.dmpFilesize
5.2MB
-
memory/4748-413-0x0000000006A20000-0x0000000007038000-memory.dmpFilesize
6.1MB
-
memory/4748-421-0x0000000007F50000-0x0000000008112000-memory.dmpFilesize
1.8MB
-
memory/4748-420-0x00000000069B0000-0x00000000069CE000-memory.dmpFilesize
120KB
-
memory/4748-417-0x0000000006660000-0x00000000066AC000-memory.dmpFilesize
304KB
-
memory/4748-419-0x0000000007140000-0x00000000071B6000-memory.dmpFilesize
472KB
-
memory/5112-262-0x000001B4890B0000-0x000001B4890B1000-memory.dmpFilesize
4KB
-
memory/5112-260-0x000001B4890B0000-0x000001B4890B1000-memory.dmpFilesize
4KB
-
memory/5112-263-0x000001B4890B0000-0x000001B4890B1000-memory.dmpFilesize
4KB
-
memory/5112-261-0x000001B4890B0000-0x000001B4890B1000-memory.dmpFilesize
4KB