Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
19-06-2024 01:45
Behavioral task
behavioral1
Sample
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Resource
win7-20240508-en
General
-
Target
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
-
Size
424KB
-
MD5
13e5872e9b7c47090e035dc228c5589f
-
SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760
-
SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
-
SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
-
SSDEEP
6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe family_redline behavioral2/memory/4820-39-0x0000000000DA0000-0x0000000000E0E000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation Hkbsse.exe -
Executes dropped EXE 4 IoCs
Processes:
Hkbsse.exebuild.exeHkbsse.exeHkbsse.exepid process 4392 Hkbsse.exe 4820 build.exe 2916 Hkbsse.exe 1572 Hkbsse.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exedescription ioc process File created C:\Windows\Tasks\Hkbsse.job d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
build.exepid process 4820 build.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
build.exedescription pid process Token: SeDebugPrivilege 4820 build.exe Token: SeBackupPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeBackupPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe Token: SeSecurityPrivilege 4820 build.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exedescription pid process target process PID 1424 wrote to memory of 4392 1424 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 1424 wrote to memory of 4392 1424 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 1424 wrote to memory of 4392 1424 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 4392 wrote to memory of 4820 4392 Hkbsse.exe build.exe PID 4392 wrote to memory of 4820 4392 Hkbsse.exe build.exe PID 4392 wrote to memory of 4820 4392 Hkbsse.exe build.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\build.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:2916
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:1572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD51aa666a3b16b482107ebd63e1acc4adc
SHA1413f8798c367f421697a682e2afd97a96b02e061
SHA256058f09c994f8daee3cb2e0e07dc3eb9ba8f68723d24bea689553952dfded6851
SHA512d476069bf4e6abb00772ea632ba11d63401a1fb2f43ad403e9c8c99a2c472f2d9a55105049f26fc21117183a53850701fe32485a3b4d0be98182b98d3d81abb7
-
Filesize
420KB
MD5e59cb9f032187838b2be9823757bb85a
SHA1e42f9772116fe6bffccc64897654a87774bdd372
SHA25677d7ec4c54e6db91a4562c59472d659c3768dda653cf396443187087a3a61b1b
SHA512584ab75c10f71b77f3a69cb8bc412c8c5edc03cb195c70d2f3f9d32950c5a18d692e250dbc53af00125e860815815caba9776838b49a78b4fcd6a7f4447b666f
-
Filesize
424KB
MD513e5872e9b7c47090e035dc228c5589f
SHA1c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e