Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 06:50

General

  • Target

    System32.exe

  • Size

    5.3MB

  • MD5

    d4817ea043beaf35d19fa6a5adaa179c

  • SHA1

    bf5c75100142731e737c04b55769c4479bef0c01

  • SHA256

    da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d

  • SHA512

    98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277

  • SSDEEP

    98304:euP+GgrLRHeOxxsJFoQYVCkOTfOKfKQMZ8htPwCakmxrcTZcV+TQB:l+GgLRJghYckmmKfFMZqtMkicZcV2e

Malware Config

Extracted

Family

redline

Botnet

duc

C2

159.223.34.114:1912

Signatures

  • Modifies visibility of hidden/system files in Explorer [2 TTPs, 2 IoCs]
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload [2 IoCs]
  • Redline family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
  • Checks BIOS information in registry [2 TTPs, 12 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE [6 IoCs]
  • Themida packer [15 IoCs]

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application [2 TTPs, 4 IoCs]
  • Checks whether UAC is enabled [1 TTP, 6 IoCs]
  • Drops file in System32 directory [2 IoCs]
  • Suspicious use of NtSetInformationThreadHideFromDebugger [6 IoCs]
  • Drops file in Windows directory [5 IoCs]
  • System Location Discovery: System Language Discovery [1 TTP, 7 IoCs]

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses [64 IoCs]
  • Suspicious behavior: GetForegroundWindowSpam [2 IoCs]
  • Suspicious use of SetWindowsHookEx [12 IoCs]
  • Suspicious use of WriteProcessMemory [18 IoCs]

Processes

  • C:\Users\Admin\AppData\Local\Temp\System32.exe
    "C:\Users\Admin\AppData\Local\Temp\System32.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4272
    • \??\c:\users\admin\appdata\local\temp\system32.exe 
      c:\users\admin\appdata\local\temp\system32.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3808
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4888
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2496
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4608
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1480
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4176
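
The process tree above shows the dropper reusing system binary names (explorer.exe, spoolsv.exe, svchost.exe) from under C:\Windows\Resources, executing from the user's Temp directory, and, per the signatures, adding Run keys on PIDs 2496 and 1480. The following is an added example for this report, not part of the sandbox output or the sample itself: Python detection logic that applies those three rules to constructed Sysmon-style process and registry records mirroring the tree, and reconstructs the parent chain for each hit. The field names, the benign explorer.exe parent (pid 800), the parent PIDs and the Run key value names are assumptions, as the report prints nesting but not parents or registry data.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # image path as logged; may carry the \??\ NT prefix
    cmdline: str

@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str
    value_name: str
    data: str

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

# Assumed legitimate directories (lower-case) for the names the dropper reuses.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}

def norm(path: str) -> str:
    """Lower-case, unquote and drop the \\??\\ prefix so both spellings in the tree compare equal."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p

def masquerade_reason(image: str) -> str | None:
    """Explain why an image is a system-binary name outside its home directory, or None."""
    directory, name = ntpath.split(norm(image))
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return f"{name} running from {directory}; expected one of {sorted(expected)}"

def check_process(ev: ProcessEvent) -> list[Finding]:
    out: list[Finding] = []
    reason = masquerade_reason(ev.image)
    if reason:
        out.append(Finding("masquerading_system_binary", ev.pid, reason))
    if "\\appdata\\local\\temp" in ntpath.dirname(norm(ev.image)):
        out.append(Finding("exec_from_user_temp", ev.pid, norm(ev.image)))
    return out

def check_registry(ev: RegistryEvent) -> list[Finding]:
    """Flag any value written under a Run key; note when it points at a masquerading image."""
    if norm(ev.key) not in RUN_KEYS:
        return []
    target = norm(ev.data)
    reason = masquerade_reason(target)
    detail = f"{ev.value_name} -> {target}" + (f" ({reason})" if reason else "")
    return [Finding("run_key_persistence", ev.pid, detail)]

def ancestry(pid: int, procs: dict[int, ProcessEvent]) -> list[int]:
    """Follow ppid links from pid up to the root present in the log (cycle-safe)."""
    chain: list[int] = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain

def analyze(processes, registry) -> list[Finding]:
    findings: list[Finding] = []
    for p in processes:
        findings.extend(check_process(p))
    for r in registry:
        findings.extend(check_registry(r))
    return findings

# Constructed to mirror the process tree above; pid 800 and all ppid values are assumptions.
SAMPLE_PROCESSES = [
    ProcessEvent(800, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(4272, 800, r"C:\Users\Admin\AppData\Local\Temp\System32.exe", r'"C:\Users\Admin\AppData\Local\Temp\System32.exe"'),
    ProcessEvent(3808, 4272, r"\??\c:\users\admin\appdata\local\temp\system32.exe", r"c:\users\admin\appdata\local\temp\system32.exe"),
    ProcessEvent(4888, 4272, r"C:\Windows\Resources\Themes\icsys.icn.exe", r"C:\Windows\Resources\Themes\icsys.icn.exe"),
    ProcessEvent(2496, 4888, r"\??\c:\windows\resources\themes\explorer.exe", r"c:\windows\resources\themes\explorer.exe"),
    ProcessEvent(4608, 2496, r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe SE"),
    ProcessEvent(1480, 4608, r"\??\c:\windows\resources\svchost.exe", r"c:\windows\resources\svchost.exe"),
    ProcessEvent(4176, 1480, r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe PR"),
]
# The report flags 'Adds Run key' on 2496 and 1480 but prints no value name or data; constructed.
SAMPLE_REGISTRY = [
    RegistryEvent(2496, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "explorer", r"c:\windows\resources\themes\explorer.exe"),
    RegistryEvent(1480, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost", r"c:\windows\resources\svchost.exe"),
]

if __name__ == "__main__":
    procs = {p.pid: p for p in SAMPLE_PROCESSES}
    for f in analyze(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        chain = " <- ".join(ntpath.basename(norm(procs[x].image)) for x in ancestry(f.pid, procs))
        print(f"[{f.rule}] pid {f.pid}: {f.detail} | {chain}")
```

The path-normalization step matters: the same binary appears in the tree both as `C:\Windows\...` and as `\??\c:\windows\...`, and a rule keyed on the raw string would miss one spelling. icsys.icn.exe is deliberately not flagged by these rules; it is caught only through the hash IoCs, which is why hash and behavioural checks complement each other.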

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\system32.exe 

    Filesize

    300KB

    MD5

    c368cb0e4cc65cbdc012e449de37d973

    SHA1

    ae04d634ff3078e1912dc71d44c893c1dd47c399

    SHA256

    57a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e

    SHA512

    e823a91ee1f8901ebc844d16ed1c585bd78fcf6fa143433649c1295f3724ddd29679949ec7b97485505b259e4ce7d012948f971451f0bde6b525cc915e3ed18a

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    5.6MB

    MD5

    46808b1fcca435b63578694ab8e66ead

    SHA1

    769d52411fe81c32270dbec0491bcdf86e27df25

    SHA256

    668b99635c4c3fbc5e6d9036029a1533adbecc35841bab5afa9a132a4a5c4e1f

    SHA512

    682ba5fe0f7d8cb44da757e03244f06b823bfb0de0b128d7432999c5d41f5bd57145a76400edbe0ff6585883b4c34a5f5c7b7e23b44091b03b34fc0e9143205e

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    5.0MB

    MD5

    6a696257bd624ea0cdde713ff447b134

    SHA1

    fa17806195d1fb5a2077a7d43827f58832d57c35

    SHA256

    c2234864d3687f6eb397fc0fe4c81d2c54dbcf74161ab38b48a1150df753c573

    SHA512

    b49ac9b20ab4f1c8b7793f1c007ee7985f9c11c0c5c67cf99436f22275efca504a20480a0d6cf52c793060eb78f090a66d33a5f37bffe678591b16a55d7d94ae

  • \??\c:\windows\resources\spoolsv.exe

    Filesize

    5.6MB

    MD5

    a49c0d304c9b5dd72335ed00a3f99927

    SHA1

    f7f52e5443dc18e046e45b34e4ecaee9815fcc87

    SHA256

    19b1d93fb4cd2663a36d12b4fb1124a0daa2618f71f76880225b751668788dd1

    SHA512

    01293a5ad4c61bf63e787717a53d53afa86dc33ad9ebae6dfd34926754ee5985e9b247d9ebc277b530122a2537fa22076d59e6d1800a7e48eabb4dcaf11b7902

  • \??\c:\windows\resources\svchost.exe

    Filesize

    5.6MB

    MD5

    dc429d0a05d319e5cb551f94349b69e7

    SHA1

    ad6b1c050f72a4a6074e9c6b11a94c8da2dabc02

    SHA256

    877a9bf5159e1c0b5b049d5fa41177a902a65a0b3e46da538ff61d4ac4df55ec

    SHA512

    a8daead8f1b25f86288eb5dcd2a404847d61999d5d72cf01381b3154169130378761a6644db06952c772d18515b0d5b6c0486883b65dc17fde7df11f949f3144

  • memory/1480-70-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/2496-82-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/2496-68-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/2496-36-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/3808-14-0x0000000005780000-0x000000000578A000-memory.dmp

    Filesize

    40KB

  • memory/3808-13-0x00000000056D0000-0x0000000005762000-memory.dmp

    Filesize

    584KB

  • memory/3808-18-0x0000000005950000-0x0000000005962000-memory.dmp

    Filesize

    72KB

  • memory/3808-19-0x00000000059B0000-0x00000000059EC000-memory.dmp

    Filesize

    240KB

  • memory/3808-20-0x0000000005A10000-0x0000000005A5C000-memory.dmp

    Filesize

    304KB

  • memory/3808-10-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

    Filesize

    4KB

  • memory/3808-23-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

    Filesize

    4KB

  • memory/3808-16-0x00000000069B0000-0x0000000006FC8000-memory.dmp

    Filesize

    6.1MB

  • memory/3808-26-0x0000000074C90000-0x0000000075440000-memory.dmp

    Filesize

    7.7MB

  • memory/3808-15-0x0000000074C90000-0x0000000075440000-memory.dmp

    Filesize

    7.7MB

  • memory/3808-11-0x0000000000C80000-0x0000000000CD2000-memory.dmp

    Filesize

    328KB

  • memory/3808-17-0x0000000005C10000-0x0000000005D1A000-memory.dmp

    Filesize

    1.0MB

  • memory/3808-12-0x0000000005DE0000-0x0000000006384000-memory.dmp

    Filesize

    5.6MB

  • memory/4176-57-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/4176-62-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/4272-67-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/4272-0-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/4272-21-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/4272-1-0x0000000077C24000-0x0000000077C26000-memory.dmp

    Filesize

    8KB

  • memory/4608-63-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB

  • memory/4888-65-0x0000000000400000-0x0000000000FE2000-memory.dmp

    Filesize

    11.9MB
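
The extracted config (C2 159.223.34.114:1912) and the SHA256 values under Downloads are the IoCs a responder would sweep for first. The following is an added example, not part of the sandbox report or the sample: a small Python IoC matcher that hashes candidate files against the listed SHA256 values and flags connections to the C2 in a constructed key=value connection log, treating a different port on the same host as a lower-severity hit. The log format, the sample records and the PIDs in them are assumptions; the report does not attribute the C2 traffic to a particular process.

```python
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# Extracted RedLine C2 from the Malware Config section above.
C2_ENDPOINTS = {("159.223.34.114", 1912)}

# SHA256 of the submitted sample and of the dropped files listed under Downloads.
IOC_SHA256 = {
    "da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d": "System32.exe (submitted sample)",
    "57a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e": r"C:\Users\Admin\AppData\Local\Temp\system32.exe",
    "668b99635c4c3fbc5e6d9036029a1533adbecc35841bab5afa9a132a4a5c4e1f": r"C:\Windows\Resources\Themes\explorer.exe",
    "c2234864d3687f6eb397fc0fe4c81d2c54dbcf74161ab38b48a1150df753c573": r"C:\Windows\Resources\Themes\icsys.icn.exe",
    "19b1d93fb4cd2663a36d12b4fb1124a0daa2618f71f76880225b751668788dd1": r"C:\Windows\Resources\spoolsv.exe",
    "877a9bf5159e1c0b5b049d5fa41177a902a65a0b3e46da538ff61d4ac4df55ec": r"C:\Windows\Resources\svchost.exe",
}
# Drop locations from the process tree; sweep these first on a suspect host.
HUNT_PATHS = [r"C:\Windows\Resources\Themes\icsys.icn.exe", r"C:\Windows\Resources\Themes\explorer.exe",
              r"C:\Windows\Resources\spoolsv.exe", r"C:\Windows\Resources\svchost.exe"]

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-MB droppers are hashed without loading them whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_matches(blobs: dict[str, bytes], iocs: dict[str, str] = IOC_SHA256) -> list[tuple[str, str, str]]:
    """(label, sha256, ioc_description) for every in-memory blob whose hash is listed."""
    hits = []
    for label, data in blobs.items():
        digest = sha256_bytes(data)
        if digest in iocs:
            hits.append((label, digest, iocs[digest]))
    return hits

def sweep_files(paths=HUNT_PATHS, iocs: dict[str, str] = IOC_SHA256) -> list[tuple[str, str, str]]:
    """Hash each existing file on disk and report IoC hits; missing paths are skipped."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            digest = sha256_file(p)
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return hits

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_conn_line(line: str) -> dict | None:
    """Parse a key=value connection record; None when it carries no usable dst=host:port."""
    ev = {k: v.strip('"') for k, v in _KV.findall(line)}
    host, _, port = ev.get("dst", "").rpartition(":")
    if not port.isdigit():
        return None
    ev["dst_ip"], ev["dst_port"] = host, int(port)
    return ev

def match_c2(lines, c2=C2_ENDPOINTS) -> list[dict]:
    """Exact ip:port is high severity; the same host on another port is medium (C2 ports rotate)."""
    hosts = {ip for ip, _ in c2}
    hits = []
    for line in lines:
        ev = parse_conn_line(line)
        if ev is None:
            continue
        if (ev["dst_ip"], ev["dst_port"]) in c2:
            ev["severity"] = "high"
        elif ev["dst_ip"] in hosts:
            ev["severity"] = "medium"
        else:
            continue
        hits.append(ev)
    return hits

# Constructed connection records in the key=value form parsed above; PIDs are illustrative.
SAMPLE_CONN_LOG = [
    r"ts=2024-12-16T06:51:02Z pid=3808 image=c:\users\admin\appdata\local\temp\system32.exe proto=tcp src=10.0.0.5:49712 dst=159.223.34.114:1912",
    r"ts=2024-12-16T06:51:03Z pid=4272 image=c:\users\admin\appdata\local\temp\System32.exe proto=tcp src=10.0.0.5:49713 dst=159.223.34.114:443",
    r"ts=2024-12-16T06:51:04Z pid=2496 image=c:\windows\resources\themes\explorer.exe proto=tcp src=10.0.0.5:49714 dst=13.107.4.50:80",
    r"ts=2024-12-16T06:51:05Z pid=1480 image=c:\windows\resources\svchost.exe proto=udp src=10.0.0.5:53122 dst=10.0.0.1:53",
]

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_CONN_LOG):
        print(f'{hit["severity"]}: pid {hit["pid"]} {hit["image"]} -> {hit["dst"]}')
    for path, digest, what in sweep_files():
        print(f"IoC hit: {path} sha256={digest} ({what})")
```

Hash matching is exact, so a repacked build of the same dropper will not hit; pair it with the path and masquerading checks rather than relying on the digests alone.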