Overview

overview

10

Static

static

3

b47f145575...16.exe

windows7-x64

10

b47f145575...16.exe

windows10-2004-x64

10

$TEMP/K3M6...22.exe

windows7-x64

10

$TEMP/K3M6...22.exe

windows10-2004-x64

10

$TEMP/Self...ed.exe

windows7-x64

8

$TEMP/Self...ed.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    110s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916.exe

  • Size

    4.6MB

  • MD5

    35f1a7f185a05f2530238f7fb1f75206

  • SHA1

    c8beeb9a3a6272305c8d4a99f29fc0f30b45f662

  • SHA256

    b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916

  • SHA512

    f2f91e61e24e7aa4c9130658151d5fa4a20d5bc999af0e425faf98a7d64b6c789f5a861177a2ef8c51fff6ce202ee9e0e0a4d66c866ac88deeda222c8f53f345

  • SSDEEP

    98304:Uq8eNY5p0ExtC6RpPwVsniC5u/BDLTABEp0moOjtchoKCq:Uqup0Ex8ArMdPABEp0pAKhfCq

Score
10/10
redline@zxckostyan4ikdiscoveryexecutioninfostealer

Malware Config

Extracted

Family

redline

Botnet

@zxckostyan4ik

C2

95.181.152.6:46927

Attributes
  • auth_value

    cdf3919a262c0d6ba99116b375d7551c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Redline family
    redline
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916.exe
    "C:\Users\Admin\AppData\Local\Temp\b47f14557520a91ca888aa122d5816a21762e25535e24adc62351baf7edd3916.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      C:\Users\Admin\AppData\Local\Temp\Selfconvened.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\system32\cmd.exe
        "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2920
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Bobsledding" /tr "C:\Windows\system32\WindowsPro\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2660
    • C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
      C:\Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:108
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8486F7B8-D0D5-4FD0-AEBA-CB0AAE04AA4F} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\system32\WindowsPro\svchost.exe
      C:\Windows\system32\WindowsPro\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C9R8B3WU6M5H4LUESFFK.temp
    Filesize

    7KB

    MD5

    1d5954d4fc726d2dfcc26fc89ea7bb0a

    SHA1

    60115d92c3327eafb8faec8fce0989e71fc40aa8

    SHA256

    0079d85ce3fed857449fc3cec5e964a664bf3ca8dcc442a4b087b0fef78d0646

    SHA512

    26b5e4f5c0542dbdb9ea4b6949f22583549b4d6f92d1777b44020397f08fc7f2a576ad00a46ce0e31130ab48521950933016664921f4d402dafa83803c2f5b62

    Download Submit

  • C:\Windows\System32\WindowsPro\svchost.exe
    Filesize

    10.8MB

    MD5

    569ed2552d087c278373f411893d21fa

    SHA1

    938fa8ccfb6734689ee1ebd9c9848e0621369e69

    SHA256

    ed1c88ce23bd8a0c6cc081d82f6c79431d1ab2b160d682b8a1788a4477b6ca7b

    SHA512

    30701820652d089d79d8be3fa68e5975dbd8cf0d0e99da1dbb880ef73a71bef779fc79cbd6ec459b7fcc8e93a4c14839b3e076ebb4b1f29c3df7be4ff53dc6be

    Download Submit

  • \Users\Admin\AppData\Local\Temp\K3M6Ljh9fd22.exe
    Filesize

    881KB

    MD5

    ce5a9ec35a54e669820589d15f1faa07

    SHA1

    68a5aaa46aa2ce2c3083486f8e265e050cd421ac

    SHA256

    a5317940f3f36d4c047ef70fcef5aedcdcdb0d9afae7ccfb3220190f09dab15b

    SHA512

    eb097778c480b9e1bd396895ef86727997cb1c0bd1c3d6863a3d711216c2ce64d1ff647987b57c0e67b9b9673526cd28bc83aaf7177e11a9b348e2960f535131

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Selfconvened.exe
    Filesize

    4.5MB

    MD5

    64b5e984fda860eedf19c29a124094fb

    SHA1

    760c195741989e17b48ad52c13bed35e8ea51692

    SHA256

    1f47c67d3baa635c4b7dd2bfed0a26a6bd499c3ab5a64d10b391a52e7d71ba39

    SHA512

    187dbbc7137db41da77dd5c3d1471f82b157d031653109632adb9c49ea519f452b661cfd1845512661dcdb3b00bf2a02b2c3504406fb19ad89b06fcd6afee4e4

    Download Submit

  • memory/108-12-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/108-19-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/108-20-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/108-21-0x0000000000890000-0x00000000008B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/108-22-0x0000000074CB0000-0x000000007539E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/108-23-0x0000000074CB0000-0x000000007539E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/108-30-0x0000000000650000-0x0000000000733000-memory.dmp

    Filesize

    908KB

    Download

  • memory/108-27-0x0000000000390000-0x00000000003BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/108-28-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/108-29-0x0000000074CB0000-0x000000007539E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1424-40-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1424-45-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2208-26-0x000007FEF65E3000-0x000007FEF65E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-31-0x000000001C1B0000-0x000000001C230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2208-32-0x00000000215D0000-0x0000000021978000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2208-33-0x0000000021980000-0x0000000021C24000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2208-25-0x000000001C1B0000-0x000000001C230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2208-24-0x000000001C6E0000-0x000000001CA98000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2208-11-0x0000000000CF0000-0x000000000116A000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2208-10-0x000007FEF65E3000-0x000007FEF65E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2232-61-0x0000000000E80000-0x00000000012FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2920-51-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2920-52-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download