Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 06:50
Behavioral task
behavioral1
Sample
System32.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
System32.exe
Resource
win10v2004-20241007-en
General
-
Target
System32.exe
-
Size
5.3MB
-
MD5
d4817ea043beaf35d19fa6a5adaa179c
-
SHA1
bf5c75100142731e737c04b55769c4479bef0c01
-
SHA256
da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d
-
SHA512
98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277
-
SSDEEP
98304:euP+GgrLRHeOxxsJFoQYVCkOTfOKfKQMZ8htPwCakmxrcTZcV+TQB:l+GgLRJghYckmmKfFMZqtMkicZcV2e
Malware Config
Extracted
redline
duc
159.223.34.114:1912
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000015686-10.dat family_redline behavioral1/memory/2740-13-0x0000000000AA0000-0x0000000000AF2000-memory.dmp family_redline -
Redline family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ System32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ icsys.icn.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion System32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion System32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe -
Executes dropped EXE 6 IoCs
pid Process 2740 system32.exe 2824 icsys.icn.exe 2816 explorer.exe 2608 spoolsv.exe 2612 svchost.exe 2348 spoolsv.exe -
Loads dropped DLL 6 IoCs
pid Process 3016 System32.exe 3016 System32.exe 2824 icsys.icn.exe 2816 explorer.exe 2608 spoolsv.exe 2612 svchost.exe -
resource yara_rule behavioral1/memory/3016-0-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/3016-15-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/files/0x0018000000015682-18.dat themida behavioral1/memory/2824-24-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/files/0x00080000000156b5-31.dat themida behavioral1/memory/2816-36-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/files/0x0008000000015ccc-43.dat themida behavioral1/memory/2608-47-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/files/0x0009000000015cfa-54.dat themida behavioral1/memory/2348-68-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/2608-70-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/2824-74-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/3016-75-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/2816-76-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/2612-78-0x0000000000400000-0x0000000000FE2000-memory.dmp themida behavioral1/memory/2816-89-0x0000000000400000-0x0000000000FE2000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA System32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icsys.icn.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 3016 System32.exe 2824 icsys.icn.exe 2816 explorer.exe 2608 spoolsv.exe 2612 svchost.exe 2348 spoolsv.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe System32.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language System32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2416 schtasks.exe 2924 schtasks.exe 1724 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 3016 System32.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2816 explorer.exe 2608 spoolsv.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe 2612 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2816 explorer.exe 2612 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3016 System32.exe 3016 System32.exe 2824 icsys.icn.exe 2824 icsys.icn.exe 2816 explorer.exe 2816 explorer.exe 2608 spoolsv.exe 2608 spoolsv.exe 2612 svchost.exe 2612 svchost.exe 2348 spoolsv.exe 2348 spoolsv.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2740 3016 System32.exe 30 PID 3016 wrote to memory of 2740 3016 System32.exe 30 PID 3016 wrote to memory of 2740 3016 System32.exe 30 PID 3016 wrote to memory of 2740 3016 System32.exe 30 PID 3016 wrote to memory of 2824 3016 System32.exe 31 PID 3016 wrote to memory of 2824 3016 System32.exe 31 PID 3016 wrote to memory of 2824 3016 System32.exe 31 PID 3016 wrote to memory of 2824 3016 System32.exe 31 PID 2824 wrote to memory of 2816 2824 icsys.icn.exe 32 PID 2824 wrote to memory of 2816 2824 icsys.icn.exe 32 PID 2824 wrote to memory of 2816 2824 icsys.icn.exe 32 PID 2824 wrote to memory of 2816 2824 icsys.icn.exe 32 PID 2816 wrote to memory of 2608 2816 explorer.exe 33 PID 2816 wrote to memory of 2608 2816 explorer.exe 33 PID 2816 wrote to memory of 2608 2816 explorer.exe 33 PID 2816 wrote to memory of 2608 2816 explorer.exe 33 PID 2608 wrote to memory of 2612 2608 spoolsv.exe 34 PID 2608 wrote to memory of 2612 2608 spoolsv.exe 34 PID 2608 wrote to memory of 2612 2608 spoolsv.exe 34 PID 2608 wrote to memory of 2612 2608 spoolsv.exe 34 PID 2612 wrote to memory of 2348 2612 svchost.exe 35 PID 2612 wrote to memory of 2348 2612 svchost.exe 35 PID 2612 wrote to memory of 2348 2612 svchost.exe 35 PID 2612 wrote to memory of 2348 2612 svchost.exe 35 PID 2816 wrote to memory of 2008 2816 explorer.exe 36 PID 2816 wrote to memory of 2008 2816 explorer.exe 36 PID 2816 wrote to memory of 2008 2816 explorer.exe 36 PID 2816 wrote to memory of 2008 2816 explorer.exe 36 PID 2612 wrote to memory of 2416 2612 svchost.exe 37 PID 2612 wrote to memory of 2416 2612 svchost.exe 37 PID 2612 wrote to memory of 2416 2612 svchost.exe 37 PID 2612 wrote to memory of 2416 2612 svchost.exe 37 PID 2612 wrote to memory of 2924 2612 svchost.exe 41 PID 2612 wrote to memory of 2924 2612 svchost.exe 41 PID 2612 wrote to memory of 2924 2612 svchost.exe 41 PID 2612 wrote to memory of 2924 2612 svchost.exe 41 PID 2612 wrote to memory of 1724 2612 svchost.exe 43 PID 2612 wrote to memory of 1724 2612 svchost.exe 43 PID 2612 wrote to memory of 1724 2612 svchost.exe 43 PID 2612 wrote to memory of 1724 2612 svchost.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\System32.exe"C:\Users\Admin\AppData\Local\Temp\System32.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\users\admin\appdata\local\temp\system32.exec:\users\admin\appdata\local\temp\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:52 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2416
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:53 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2924
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:54 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1724
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵PID:2008
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300KB
MD5c368cb0e4cc65cbdc012e449de37d973
SHA1ae04d634ff3078e1912dc71d44c893c1dd47c399
SHA25657a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e
SHA512e823a91ee1f8901ebc844d16ed1c585bd78fcf6fa143433649c1295f3724ddd29679949ec7b97485505b259e4ce7d012948f971451f0bde6b525cc915e3ed18a
-
Filesize
5.6MB
MD5c025600c06d6db3b037bb5b8fb2d337b
SHA10dcc1e7ccc55f47412cf05ccb542ad5f5c14df58
SHA2561daef21898ec8dbe9307bd23908c9fa28160ff1ba58598f90bea06a90f6244bc
SHA512b31de89ddad12d185425a771a9578fe213f5720331ed45473f3c9c1d8997260ed2dd2c0fc8677ed5523a8caec39f18f3d088cf7465d0a2a231c4bce1a2804387
-
Filesize
5.0MB
MD56a696257bd624ea0cdde713ff447b134
SHA1fa17806195d1fb5a2077a7d43827f58832d57c35
SHA256c2234864d3687f6eb397fc0fe4c81d2c54dbcf74161ab38b48a1150df753c573
SHA512b49ac9b20ab4f1c8b7793f1c007ee7985f9c11c0c5c67cf99436f22275efca504a20480a0d6cf52c793060eb78f090a66d33a5f37bffe678591b16a55d7d94ae
-
Filesize
5.6MB
MD502a09923cbb5ff23620ccf1399f32a1a
SHA18806d3fef41988ee6f9782e9495f64b39dc3900c
SHA25641bca131bee28475658d2e4b24e94e161d22bf45cc647b0d5f9822208fff63f7
SHA51243c54332cfee628d5fdeeb3bc162315f285173c0cbb24a7a16640e0e4e46912fa12f016b767906efefaee0c000b63b447e436a7b28ce8e6056174500efe2496a
-
Filesize
5.6MB
MD5fc0403e506d339c3a2ba2cb667d8282d
SHA1a44a5a33e02ec4c1825484f47c38c8c0cee1f6ba
SHA256e70ca86d6cf92c09c711b0a13befa85b9d63bf7adc037ea852b22801fa459479
SHA51253fd4cf8bd1e02e8176ddcec47909559281fae370e0e06867befaa497a8e116527fab3b439f15a0db6e7583bf9f9d2e0920e58e6a809733e4029d753b15208e0