Analysis
max time kernel: 18s
max time network: 21s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 21:43
Static task: static1
Behavioral task: behavioral1
Sample: Software_1.30.1/injector.exe
Resource: win11-20240426-en
General
Target: Software_1.30.1/injector.exe
Size: 1.2MB
MD5: fcff049d54b0d16073547a031b4fe25a
SHA1: 712cc8033203365ce06b1b2bc7c408d761b1528e
SHA256: a464a93a1fdcd72ad1233dfd3325883fd96059fc956d276a1b94beef98cda0ca
SHA512: 66568449eadea1d3450eb3c5a5803100575d61fad969def8e0e071a0a27b5748497b09766df1aba5035f3a9d6613e7abdfbb750c1dcbb992d52b27dc0c50522a
SSDEEP: 24576:t3limtrGsJkYYfvmpEkF182cijhZiMg7mLXNBm9p+hZ:t3lAsJtYfvmpNLcChzzXNBm9U
Malware Config
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
  Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2996-2-0x0000000000400000-0x000000000044A000-memory.dmp  family_redline
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid   process       target process
  PID 4904 set thread context of 2996  4904  injector.exe  RegAsm.exe
Program crash (1 IoCs)
  Processes:
  pid   pid_target  process       target process
  3708  4904        WerFault.exe  injector.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   process
  2996  RegAsm.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2996  RegAsm.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                       pid   process       target process
  PID 4904 wrote to memory of 2996  4904  injector.exe  RegAsm.exe
  (the same entry is recorded 8 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Software_1.30.1\injector.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Software_1.30.1\injector.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 256
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4904 -ip 4904
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file                                                             size
memory/2996-10-0x0000000006100000-0x000000000620A000-memory.dmp  1.0MB
memory/2996-17-0x0000000007D10000-0x0000000007ED2000-memory.dmp  1.8MB
memory/2996-2-0x0000000000400000-0x000000000044A000-memory.dmp   296KB
memory/2996-8-0x0000000004F70000-0x0000000004F7A000-memory.dmp   40KB
memory/2996-4-0x000000007481E000-0x000000007481F000-memory.dmp   4KB
memory/2996-5-0x0000000005570000-0x0000000005B16000-memory.dmp   5.6MB
memory/2996-6-0x0000000004FC0000-0x0000000005052000-memory.dmp   584KB
memory/2996-18-0x0000000008410000-0x000000000893C000-memory.dmp  5.2MB
memory/2996-20-0x0000000074810000-0x0000000074FC1000-memory.dmp  7.7MB
memory/2996-9-0x00000000065C0000-0x0000000006BD8000-memory.dmp   6.1MB
memory/2996-7-0x0000000074810000-0x0000000074FC1000-memory.dmp   7.7MB
memory/2996-11-0x0000000006030000-0x0000000006042000-memory.dmp  72KB
memory/2996-12-0x0000000006090000-0x00000000060CC000-memory.dmp  240KB
memory/2996-13-0x0000000006210000-0x000000000625C000-memory.dmp  304KB
memory/2996-14-0x0000000006390000-0x00000000063F6000-memory.dmp  408KB
memory/2996-15-0x0000000006CE0000-0x0000000006D56000-memory.dmp  472KB
memory/2996-16-0x0000000006360000-0x000000000637E000-memory.dmp  120KB
memory/4904-1-0x0000000000710000-0x0000000000711000-memory.dmp   4KB
memory/4904-0-0x0000000000710000-0x0000000000711000-memory.dmp   4KB
memory/4904-3-0x0000000000710000-0x0000000000711000-memory.dmp   4KB