Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
06-09-2024 14:16
Static task
static1
Behavioral task
behavioral1
Sample
66d9de22f231f_crypted.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
66d9de22f231f_crypted.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
66d9de22f231f_crypted.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
66d9de22f231f_crypted.exe
Resource
win11-20240802-en
General
-
Target
66d9de22f231f_crypted.exe
-
Size
324KB
-
MD5
e600b6015b0312b52214f459fcc6f3c2
-
SHA1
0e763e33524e467b46d27e5f0603cd2165c47fed
-
SHA256
65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad
-
SHA512
b1c1a68128c2cd75df9cb1d890358fd6bb85d9a62288468a19db3295cc25e6cb97c05fa0b5bc3b1dd2b88bd39b343ce5cd1494ca8ab56352c1e375e88fe7e464
-
SSDEEP
6144:sPP5QJyXEJZq77hQ8ed1oBj32nQumiUdfg+CYnDNMhXYGenCnaW1qMJyky:cGJyX2EdQ8ed1K+Yfg+DDGYn4aW1TJyD
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
147.45.47.36:30035
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/804-3-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
filename.exePath.exePath.exepid process 4124 filename.exe 4644 Path.exe 4256 Path.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
66d9de22f231f_crypted.exedescription pid process target process PID 4740 set thread context of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
66d9de22f231f_crypted.exeRegAsm.exefilename.exePath.execmd.exetimeout.exeschtasks.exePath.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66d9de22f231f_crypted.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language filename.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Path.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Path.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1824 timeout.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Path.exepid process 4644 Path.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
RegAsm.exepid process 804 RegAsm.exe 804 RegAsm.exe 804 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
RegAsm.exefilename.exePath.exePath.exedescription pid process Token: SeDebugPrivilege 804 RegAsm.exe Token: SeDebugPrivilege 4124 filename.exe Token: SeDebugPrivilege 4644 Path.exe Token: SeDebugPrivilege 4256 Path.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
66d9de22f231f_crypted.exeRegAsm.exefilename.execmd.exePath.exedescription pid process target process PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 4740 wrote to memory of 804 4740 66d9de22f231f_crypted.exe RegAsm.exe PID 804 wrote to memory of 4124 804 RegAsm.exe filename.exe PID 804 wrote to memory of 4124 804 RegAsm.exe filename.exe PID 804 wrote to memory of 4124 804 RegAsm.exe filename.exe PID 4124 wrote to memory of 4644 4124 filename.exe Path.exe PID 4124 wrote to memory of 4644 4124 filename.exe Path.exe PID 4124 wrote to memory of 4644 4124 filename.exe Path.exe PID 4124 wrote to memory of 4704 4124 filename.exe cmd.exe PID 4124 wrote to memory of 4704 4124 filename.exe cmd.exe PID 4124 wrote to memory of 4704 4124 filename.exe cmd.exe PID 4704 wrote to memory of 1824 4704 cmd.exe timeout.exe PID 4704 wrote to memory of 1824 4704 cmd.exe timeout.exe PID 4704 wrote to memory of 1824 4704 cmd.exe timeout.exe PID 4644 wrote to memory of 4868 4644 Path.exe schtasks.exe PID 4644 wrote to memory of 4868 4644 Path.exe schtasks.exe PID 4644 wrote to memory of 4868 4644 Path.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\66d9de22f231f_crypted.exe"C:\Users\Admin\AppData\Local\Temp\66d9de22f231f_crypted.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\ProgramData\Path\Path.exe"C:\ProgramData\Path\Path.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn Path /tr "C:\ProgramData\Path\Path.exe" /st 14:20 /du 23:59 /sc daily /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.cmd""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\timeout.exetimeout 65⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1824
-
C:\ProgramData\Path\Path.exeC:\ProgramData\Path\Path.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4256
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
426KB
MD5556a8b2afef96f81acde6ca1a525650e
SHA1262909e4686aba13de7ca5a2bf187871fc4fe63b
SHA256b867d368d4597334a036b46816473be270d6779db2428aae75053af8cacf1e85
SHA51252a954cf545b6bfc2057a09b858074bd1dcedd75a3983dff14bc9e72b2da47c375f30568a9310e2751e57291e9186b39d5b8d228f855102631ab95f9743b33d9
-
Filesize
160B
MD5085535ff33f50e3794d1551da5121b33
SHA1a86d1bec2bfc98d5c68c067fd740aa17fb23302f
SHA256b1e0f259fb31bcb9dbcad708c81d4a394cadbd361f344cc60ed48007b5a3fb00
SHA51203ede65d425ef369c66a28bef339c2dde7fe09a26b9e1efbaaba258ef84bd5699adcf6cf73c0344a856561767146afab54f3a696dc246458ead02c41f50a1bdd