Overview

overview

10

Static

static

3

3756d25659...53.exe

windows7-x64

10

3756d25659...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 01:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53.exe

  • Size

    1.1MB

  • MD5

    4b0f5b53264c56125bd5c889e063bbca

  • SHA1

    af67f0e3380e79157505e9372922e372ca28fdeb

  • SHA256

    3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53

  • SHA512

    39ac9635eda068f758ff2ece2997100e9cabb254c02e4abb374b99fa415554369273a957ef51209fd0df624db1792bbb30a7f7da96015a7e98df73d290dae0ac

  • SSDEEP

    24576:xQYmBqkDPByJzhAfD7MjzlR7BvVsqYrJc7f752/HnK2:xQ1DZ0z0MjHNvGqWJcB

Score
10/10
redlinedefense_evasiondiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

C2

yellowbag.top:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

    Payload decoded via CertUtil.

    defense_evasion
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53.exe
    "C:\Users\Admin\AppData\Local\Temp\3756d25659af8e8326899a3b2ab8b018bd167cd09302f846775544088a65cd53.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c <nul set /p ="M" > fontdrvhost.com & type ZKEKFq.com >> fontdrvhost.com & del ZKEKFq.com & certutil -decode YmJse.com A & fontdrvhost.com A & ping 127.0.0.1 -n 3
      2⤵
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode YmJse.com A
        3⤵
        • Manipulates Digital Signatures
        • Deobfuscate/Decode Files or Information
        • System Location Discovery: System Language Discovery
        PID:3188
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fontdrvhost.com
        fontdrvhost.com A
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fontdrvhost.com
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fontdrvhost.com A
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4696
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3580
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C taskkill /F /PID 3580 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2788
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /PID 3580
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4240
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 3
                7⤵
                • System Location Discovery: System Language Discovery
                PID:316
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command $mgwa = (Get-WmiObject win32_process -Filter "processid=$pid").parentprocessid; $feqynbs = (Get-WmiObject win32_process -Filter "processid=$mgwa").executablepath; Stop-Process -ID $mgwa -Force; Start-Sleep -s 1; Remove-Item -path $feqynbs
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:808

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A
          Filesize

          358KB

          MD5

          293918878c0ce8cffbd344b16eac656e

          SHA1

          35b476831f6aea74b3455809b35119204b9971d4

          SHA256

          da606e3891954918706a34e5f85e203ecc3e81b4c5f791ff8281255fcbe2ba49

          SHA512

          5e4215bf1a3098ceeb3d9ab90ad9c88be5f0db4cf31ce3fad201f3a76cb39e927487158f79e2dbb84f1479aeabd7473e54aeef553ae890af96b460580b4fcabc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EJgvN.com
          Filesize

          165KB

          MD5

          67bb52ecfe627a96076afafd2dde32c7

          SHA1

          80427ac274ecce18b2436e1cf0bd12623562ce96

          SHA256

          c0793851a648fbc2fb02f59225895d9da673106733d4c62c145ffc57a771907a

          SHA512

          09ef9408848fef543fa665b9fa50889b0f25f8bf61188d8a4e3b45319b54c01712c4c4b8a02fc89065ade1682cd5ab97c3eaa70cdbbc7921049c4716bf9768a0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YmJse.com
          Filesize

          492KB

          MD5

          c96bf5ceca92a5362f342a7ee19fdc88

          SHA1

          6d31b0eebd75cef42bc8935260320d6b13666ddd

          SHA256

          5b57292ae991d305d450d659a54710eb4ae53a0b8eb67e0cdd2eaa88980348c1

          SHA512

          05bd0d4a3a33ddc3b3208e26f9b215f4627f6738ae8759df9222dad068f7a5b14905434ce04b376942aaab02ad1ff81afedd8303db756c38057591f6bfd0096c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZKEKFq.com
          Filesize

          872KB

          MD5

          d86ab2aeeac2553c7857ece4492eda5d

          SHA1

          0828db56b556f3f0486a9de9d2c728216035e8e6

          SHA256

          8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

          SHA512

          8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fontdrvhost.com
          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_neziwrth.yhk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/808-32-0x0000000006160000-0x000000000617E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/808-35-0x0000000006650000-0x000000000666A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/808-20-0x0000000005AB0000-0x0000000005B16000-memory.dmp

          Filesize

          408KB

          Download

        • memory/808-21-0x0000000005B20000-0x0000000005B86000-memory.dmp

          Filesize

          408KB

          Download

        • memory/808-18-0x0000000005410000-0x0000000005A38000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/808-31-0x0000000005B90000-0x0000000005EE4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/808-17-0x0000000002B80000-0x0000000002BB6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/808-33-0x00000000061B0000-0x00000000061FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/808-34-0x0000000007410000-0x00000000074A6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/808-19-0x00000000051C0000-0x00000000051E2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/808-36-0x00000000066C0000-0x00000000066E2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/808-37-0x0000000007A60000-0x0000000008004000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/808-38-0x0000000008690000-0x0000000008D0A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3580-41-0x0000000000190000-0x00000000001C0000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3580-43-0x0000000016D80000-0x0000000017398000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3580-44-0x00000000167B0000-0x00000000167C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3580-45-0x0000000016810000-0x000000001684C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3580-46-0x0000000016850000-0x000000001689C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3580-47-0x0000000016AC0000-0x0000000016BCA000-memory.dmp

          Filesize

          1.0MB

          Download