Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16-12-2024 06:50
Behavioral tasks
behavioral1: Sample System32.exe, Resource win7-20240903-en
behavioral2: Sample System32.exe, Resource win10v2004-20241007-en (the task shown in this report)
General
Target: System32.exe
Size: 5.3MB
MD5: d4817ea043beaf35d19fa6a5adaa179c
SHA1: bf5c75100142731e737c04b55769c4479bef0c01
SHA256: da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d
SHA512: 98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277
SSDEEP: 98304:euP+GgrLRHeOxxsJFoQYVCkOTfOKfKQMZ8htPwCakmxrcTZcV+TQB:l+GgLRJghYckmmKfFMZqtMkicZcV2e
Malware Config
Extracted
Family: redline
Botnet: duc
C2: 159.223.34.114:1912
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
ShowSuperHidden = 0 turns off the Explorer option that displays protected operating system files, so files carrying the hidden and system attributes stay out of sight.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
The RedLine payload is matched in a dropped file and in the memory of PID 3808, the second copy of the sample; the parent PID 4272 matches only the Themida packer rule below, so the stealer is unpacked at runtime rather than present in the file on disk.
resource yara_rule
behavioral2/files/0x0007000000023ca9-8.dat family_redline
behavioral2/memory/3808-11-0x0000000000C80000-0x0000000000CD2000-memory.dmp family_redline
Redline family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
The ACPI DSDT table id VBOX__ is published by VirtualBox firmware, so HKLM\HARDWARE\ACPI\DSDT\VBOX__ exists only on VirtualBox guests; every process in the chain opens it.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ System32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ icsys.icn.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion System32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion icsys.icn.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion System32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe
Executes dropped EXE 6 IoCs
pid Process
3808 system32.exe
4888 icsys.icn.exe
2496 explorer.exe
4608 spoolsv.exe
1480 svchost.exe
4176 spoolsv.exe
Themida packer 15 IoCs
Every process in the chain maps the same 0x00400000-0x00FE2000 image, i.e. the dropped copies are the same Themida-protected binary as the original sample.
resource yara_rule
behavioral2/memory/4272-0-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/4272-21-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/files/0x0007000000023ca8-25.dat themida
behavioral2/files/0x0008000000023cac-33.dat themida
behavioral2/memory/2496-36-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/files/0x0008000000023cb1-44.dat themida
behavioral2/files/0x0008000000023cb3-52.dat themida
behavioral2/memory/4176-57-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/4608-63-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/4888-65-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/4272-67-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/4176-62-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/2496-68-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/1480-70-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
behavioral2/memory/2496-82-0x0000000000400000-0x0000000000FE2000-memory.dmp themida
Adds Run key to start application 2 TTPs 4 IoCs
Both entries are written under WOW6432Node, i.e. by a 32-bit process on the x64 image; 32-bit code sees them at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. Windows deletes a RunOnce value after executing it; both explorer.exe and svchost.exe write the same pair, and the "RO" argument matches the one these entries pass to the dropped binaries.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe
Checks whether UAC is enabled 6 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA System32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icsys.icn.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe
Drops file in System32 directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process
4272 System32.exe
4888 icsys.icn.exe
2496 explorer.exe
4608 spoolsv.exe
1480 svchost.exe
4176 spoolsv.exe
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe System32.exe
File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe
File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe
File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe
File opened for modification C:\Windows\Resources\tjud.exe explorer.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language System32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe
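The registry signatures above (VirtualBox ACPI table, BIOS version strings, EnableLUA, RunOnce, ShowSuperHidden, NLS language) are all the same kind of record: an operation, a registry path, an optional written value and the process name. The following script is an added example and not code from the sandbox or the malware; it parses that flattened record format, strips the WOW6432Node redirection so a 32-bit writer and a 64-bit writer hit the same rule, and tells reads from writes so that a process merely reading a Run key is not reported as installing persistence. The category table and the sample records (copied from the tables above) are this example's own.

```python
"""Classify registry events from a sandbox report into behaviour categories.

Added example: this is not the sandbox's own code. It parses the flattened
"description / ioc / Process" records the report above uses, strips the
WOW6432Node redirection so 32-bit and 64-bit writers hit the same rules,
and maps each path to a category. The category table is this example's own.
"""
import re

# Constructed input: records copied from the IoC tables of the report above.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion System32.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe',
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe",
]

EVENT_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried|Set value \((?:str|int)\))\s+"
    r"(?P<path>\\REGISTRY\\\S+)"               # registry path, no spaces
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'          # value, only present for writes
    r"\s+(?P<process>\S+)$"
)

# (category, pattern matched against the de-redirected path, explanation)
RULES = [
    ("anti-vm", r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$",
     "ACPI DSDT table id VBOX__ exists only on VirtualBox guests"),
    ("anti-sandbox", r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$",
     "BIOS version strings reveal hypervisor/sandbox firmware"),
    ("uac-check", r"\\Policies\\System\\EnableLUA$",
     "EnableLUA tells the sample whether UAC will prompt"),
    ("persistence", r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
     "Run/RunOnce entry executes at next logon"),
    ("hide-artifacts", r"\\Explorer\\Advanced\\ShowSuperHidden$",
     "ShowSuperHidden=0 hides protected OS files in Explorer"),
    ("discovery", r"\\Control\\NLS\\Language$",
     "system language read to infer victim location"),
]


def parse_event(line):
    """Split one flattened record into op, path, value, process."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # The report escapes backslashes inside quoted values; undo that.
    if ev["value"] is not None:
        ev["value"] = ev["value"].replace("\\\\", "\\")
    # 32-bit writers on x64 land under WOW6432Node; match on the logical path.
    ev["wow64"] = "\\WOW6432Node\\" in ev["path"]
    ev["path_norm"] = ev["path"].replace("\\WOW6432Node", "")
    return ev


def classify(ev):
    """Return (category, note) or None; reads and writes are told apart."""
    for cat, pat, note in RULES:
        if not re.search(pat, ev["path_norm"], re.I):
            continue
        is_write = ev["op"].startswith("Set value")
        # Reading Run keys or ShowSuperHidden is noise; only writes matter.
        if cat in ("persistence", "hide-artifacts") and not is_write:
            return None
        if cat == "hide-artifacts" and ev["value"] != "0":
            return None  # ShowSuperHidden=1 would be *showing* the files
        return cat, note
    return None


def summarize(lines):
    """Map category -> sorted list of (process, path or written value)."""
    out = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hit = classify(ev)
        if hit is None:
            continue
        detail = ev["value"] if ev["value"] is not None else ev["path_norm"]
        out.setdefault(hit[0], set()).add((ev["process"], detail))
    return {cat: sorted(v) for cat, v in out.items()}


if __name__ == "__main__":
    for cat, items in summarize(SAMPLE_EVENTS).items():
        print(cat)
        for proc, detail in items:
            print(f"    {proc:<16} {detail}")
```

Feeding the full tables above through summarize() gives one line per process per category, which is the view a responder wants when deciding which of the six processes actually installed persistence (explorer.exe and svchost.exe) versus which only performed environment checks.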
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4272 System32.exe
4888 icsys.icn.exe
(all 64 listed entries are PID 4272 or PID 4888, each repeated)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
2496 explorer.exe
1480 svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process
4272 System32.exe (x2)
4888 icsys.icn.exe (x2)
2496 explorer.exe (x2)
4608 spoolsv.exe (x2)
1480 svchost.exe (x2)
4176 spoolsv.exe (x2)
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target (each record is logged three times)
PID 4272 wrote to memory of 3808 4272 System32.exe 83
PID 4272 wrote to memory of 4888 4272 System32.exe 93
PID 4888 wrote to memory of 2496 4888 icsys.icn.exe 97
PID 2496 wrote to memory of 4608 2496 explorer.exe 99
PID 4608 wrote to memory of 1480 4608 spoolsv.exe 100
PID 1480 wrote to memory of 4176 1480 svchost.exe 101
Processes
[1] C:\Users\Admin\AppData\Local\Temp\System32.exe  (PID 4272)
    command line: "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\users\admin\appdata\local\temp\system32.exe  (PID 3808)
        command line: c:\users\admin\appdata\local\temp\system32.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\Resources\Themes\icsys.icn.exe  (PID 4888)
        command line: C:\Windows\Resources\Themes\icsys.icn.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\resources\themes\explorer.exe  (PID 2496)
            command line: c:\windows\resources\themes\explorer.exe
            - Modifies visibility of hidden/system files in Explorer
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\resources\spoolsv.exe  (PID 4608)
                command line: c:\windows\resources\spoolsv.exe SE
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\resources\svchost.exe  (PID 1480)
                    command line: c:\windows\resources\svchost.exe
                    - Modifies visibility of hidden/system files in Explorer
                    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    - Checks BIOS information in registry
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Checks whether UAC is enabled
                    - Drops file in System32 directory
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] \??\c:\windows\resources\spoolsv.exe  (PID 4176)
                        command line: c:\windows\resources\spoolsv.exe PR
                        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        - Checks BIOS information in registry
                        - Executes dropped EXE
                        - Checks whether UAC is enabled
                        - Suspicious use of NtSetInformationThreadHideFromDebugger
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of SetWindowsHookEx
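Every dropped binary in the tree above reuses the name of a Windows system executable (explorer.exe, svchost.exe, spoolsv.exe) but runs from C:\Windows\Resources, and the sample itself is named after a system directory. The script below is an added example, not code from the sandbox or the malware: it rebuilds the parent/child chain from the "PID <parent> wrote to memory of <child>" records in the WriteProcessMemory signature, joins each PID to its image path from the process tree, and flags any image whose file name belongs to a known system binary but whose directory is not where that binary lives. The expected-directory table, the handling of the \??\ NT path prefix, and the sample records (copied from the report) are this example's own assumptions.

```python
"""Rebuild the process chain from a sandbox report and flag name masquerading.

Added example, not the sandbox's own code. It parses the report's
"PID <parent> wrote to memory of <child> <parent> <image> <n>" records,
joins them with the image paths from the process tree, and flags images
that borrow a Windows system binary's name while living outside the
directory where that binary is expected. The expected-location table is
this example's own assumption.
"""
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory records from the report above
# (each is logged three times there; the duplicate is kept to show de-duplication).
WPM_RECORDS = [
    "PID 4272 wrote to memory of 3808 4272 System32.exe 83",
    "PID 4272 wrote to memory of 3808 4272 System32.exe 83",
    "PID 4272 wrote to memory of 4888 4272 System32.exe 93",
    "PID 4888 wrote to memory of 2496 4888 icsys.icn.exe 97",
    "PID 2496 wrote to memory of 4608 2496 explorer.exe 99",
    "PID 4608 wrote to memory of 1480 4608 spoolsv.exe 100",
    "PID 1480 wrote to memory of 4176 1480 svchost.exe 101",
]

# Constructed from the process tree in the report (PID -> image path).
IMAGES = {
    4272: r"C:\Users\Admin\AppData\Local\Temp\System32.exe",
    3808: r"\??\c:\users\admin\appdata\local\temp\system32.exe",
    4888: r"C:\Windows\Resources\Themes\icsys.icn.exe",
    2496: r"\??\c:\windows\resources\themes\explorer.exe",
    4608: r"\??\c:\windows\resources\spoolsv.exe",
    1480: r"\??\c:\windows\resources\svchost.exe",
    4176: r"\??\c:\windows\resources\spoolsv.exe",
}

# Where the genuine binaries live (lower-case, drive letter stripped). Assumed table.
EXPECTED_DIRS = {
    "explorer.exe": {r"\windows"},
    "svchost.exe": {r"\windows\system32", r"\windows\syswow64"},
    "spoolsv.exe": {r"\windows\system32"},
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_edges(records):
    """Return {parent_pid: [child_pid, ...]}, duplicates removed, order kept."""
    edges = defaultdict(list)
    for rec in records:
        m = WPM_RE.match(rec.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        if child not in edges[parent]:
            edges[parent].append(child)
    return dict(edges)


def normalize(path):
    """Strip the \\??\\ NT prefix and the drive letter, lower-case the rest."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"^[a-z]:", "", p)


def masquerade(path):
    """Return a reason string if the image borrows a system binary's name."""
    p = normalize(path)
    directory, _, name = p.rpartition("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        return f"{name} expected in {sorted(expected)}, found in {directory}"
    if name == "system32.exe":  # no such binary exists; the name mimics a directory
        return f"{name} named after a system directory, found in {directory}"
    return None


def chain(edges, root):
    """Depth-first list of (depth, pid) starting at root."""
    out = []

    def walk(pid, depth):
        out.append((depth, pid))
        for child in edges.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


def roots(edges):
    """Parents that never appear as a child."""
    children = {c for kids in edges.values() for c in kids}
    return [p for p in edges if p not in children]


def report(records, images):
    """One indented line per process, with a masquerade flag where it applies."""
    lines = []
    edges = parse_edges(records)
    for root in roots(edges):
        for depth, pid in chain(edges, root):
            img = images.get(pid, "?")
            flag = masquerade(img)
            mark = f"  <- {flag}" if flag else ""
            lines.append(f"{'  ' * depth}{pid} {img}{mark}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(WPM_RECORDS, IMAGES)))
```

Only icsys.icn.exe escapes the flag, because its name is not one a system binary uses; that is the one image a name-based rule would miss, which is why the chain reconstruction matters: it is the parent of every masqueraded process and is itself spawned by the sample.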
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads
Filesize 300KB
MD5 c368cb0e4cc65cbdc012e449de37d973
SHA1 ae04d634ff3078e1912dc71d44c893c1dd47c399
SHA256 57a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e
SHA512 e823a91ee1f8901ebc844d16ed1c585bd78fcf6fa143433649c1295f3724ddd29679949ec7b97485505b259e4ce7d012948f971451f0bde6b525cc915e3ed18a

Filesize 5.6MB
MD5 46808b1fcca435b63578694ab8e66ead
SHA1 769d52411fe81c32270dbec0491bcdf86e27df25
SHA256 668b99635c4c3fbc5e6d9036029a1533adbecc35841bab5afa9a132a4a5c4e1f
SHA512 682ba5fe0f7d8cb44da757e03244f06b823bfb0de0b128d7432999c5d41f5bd57145a76400edbe0ff6585883b4c34a5f5c7b7e23b44091b03b34fc0e9143205e

Filesize 5.0MB
MD5 6a696257bd624ea0cdde713ff447b134
SHA1 fa17806195d1fb5a2077a7d43827f58832d57c35
SHA256 c2234864d3687f6eb397fc0fe4c81d2c54dbcf74161ab38b48a1150df753c573
SHA512 b49ac9b20ab4f1c8b7793f1c007ee7985f9c11c0c5c67cf99436f22275efca504a20480a0d6cf52c793060eb78f090a66d33a5f37bffe678591b16a55d7d94ae

Filesize 5.6MB
MD5 a49c0d304c9b5dd72335ed00a3f99927
SHA1 f7f52e5443dc18e046e45b34e4ecaee9815fcc87
SHA256 19b1d93fb4cd2663a36d12b4fb1124a0daa2618f71f76880225b751668788dd1
SHA512 01293a5ad4c61bf63e787717a53d53afa86dc33ad9ebae6dfd34926754ee5985e9b247d9ebc277b530122a2537fa22076d59e6d1800a7e48eabb4dcaf11b7902

Filesize 5.6MB
MD5 dc429d0a05d319e5cb551f94349b69e7
SHA1 ad6b1c050f72a4a6074e9c6b11a94c8da2dabc02
SHA256 877a9bf5159e1c0b5b049d5fa41177a902a65a0b3e46da538ff61d4ac4df55ec
SHA512 a8daead8f1b25f86288eb5dcd2a404847d61999d5d72cf01381b3154169130378761a6644db06952c772d18515b0d5b6c0486883b65dc17fde7df11f949f3144