Analysis
max time kernel: 31s
max time network: 41s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07-07-2024 09:59
Static task: static1
Behavioral task: behavioral1
Sample: UpdateSSSS.exe
Resource: win11-20240704-en
General
Target: UpdateSSSS.exe
Size: 575KB
MD5: ad2867dc002af2cca594f0b8202a1843
SHA1: 73b3ea99db621b71e7a4a13720c53ebe3a815521
SHA256: 2c0e4b4e5535c97fbf45309cbe7ff05006f06db1f3bf31983c7b0e7a7753900d
SHA512: cfb6c5f1333187e0e807a3b2beb72cb50805fac403b900242afce017ccde5a677d7b8c6be86fb9933db64103cb78b17c57fdec4c764f14c89793a5ec3e309108
SSDEEP: 12288:f3BBr+brWXKteOPMQcVoCpLDvI1qAyY5A7BN9Optiyk/bk/kGhUA8890i/S/Cx2r:fbiDtFEi
Malware Config
Extracted: redline
185.196.9.26:6302
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral1/memory/4144-11-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_redline
- Loads dropped DLL (1 IoC)
  pid: 3368, Process: UpdateSSSS.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3368 set thread context of 4144; pid: 3368, Process: UpdateSSSS.exe, procid_target: 81
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid: 4144, Process: MSBuild.exe (5 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 4144, Process: MSBuild.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 3368 wrote to memory of 4144; pid: 3368, Process: UpdateSSSS.exe, procid_target: 81 (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\UpdateSSSS.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\UpdateSSSS.exe"
  PID: 3368
  Loads dropped DLL
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, spawned under PID 3368)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 4144
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 437KB
  MD5: 106fe1980dbcb4fa2fe0c00b6d6fa7c2
  SHA1: 5cb7eb7be8f3d1641cb458024d868363658a2955
  SHA256: c0716389100b55b09f46fafef37bb7d120453df3bfb1097dcd30e14bb97c09bc
  SHA512: c9d48c5f5ecf83012f1cc16581b7bb283265a3808847af46195987c7b0721116fe7241185d67b5d7636080881da5f18df04e57e309ff5a133046dd87ca8d06ce