Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 16:11
Static task
static1

Behavioral tasks
- behavioral1: sample 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe, resource win7-20240903-en
- behavioral2: sample 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe, resource win10v2004-20241007-en
- behavioral3: sample $TEMP/F1gaSebe_crypted.exe, resource win7-20240903-en
- behavioral4: sample $TEMP/F1gaSebe_crypted.exe, resource win10v2004-20241007-en
- behavioral5: sample $TEMP/Shortfalls.exe, resource win7-20240903-en
- behavioral6: sample $TEMP/Shortfalls.exe, resource win10v2004-20241007-en
General
Target: 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
Size: 3.8MB
MD5: 61cdf7e4eca424c763178c94c7ef760f
SHA1: f2096fd54988dbf5a8a9dab58bbd2f919661c5ab
SHA256: 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86
SHA512: 6eb87a0bc294d6e4920fc82e9ae2ec397f2a3e31fde8a03644f21216e91aa27148b99e5ae8c92ef9a930ec20c9306a97b33e316fb8b8b981cde9a5df10920812
SSDEEP: 98304:nyBQbqAIBax9N1kCvwYxgAmZtd6xcN2QBYMYhRkbp97:nyIioXwYOAgd6KX9Y/y3
Malware Config
Extracted: redline
C2: 91.243.32.73:7171
auth_value: f0eaa7ad30bc41521e3d61c8504e5715
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral2/memory/1116-18-0x0000000000400000-0x0000000000422000-memory.dmp
yara_rule: family_redline
The match is against a memory dump of pid 1116 (RegAsm.exe in the process tree below), not against a file on disk: the RedLine payload was recovered from the process that F1gaSebe_crypted.exe wrote into and set the thread context of.

Redline family
Executes dropped EXE (2 IoCs)
- pid 1020: F1gaSebe_crypted.exe
- pid 4676: Shortfalls.exe
Suspicious use of SetThreadContext (1 IoC)
- PID 1020 (F1gaSebe_crypted.exe) set thread context of PID 1116 (procid_target 85, RegAsm.exe)
Together with the WriteProcessMemory entries from 1020 into 1116 listed further down, this is the process-hollowing footprint: a child is started from a legitimate signed .NET utility, its memory is overwritten, and its entry point is redirected with SetThreadContext before it runs.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegAsm.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by RegAsm.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by RegAsm.exe
Modifies registry class (20 IoCs)
All entries are by Shortfalls.exe. SHELL below stands for \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell.
- Set value (int) SHELL\BagMRU\0\0\NodeSlot = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created SHELL\BagMRU
- Set value (data) SHELL\BagMRU\MRUListEx = ffffffff
- Key created SHELL\BagMRU\0
- Set value (data) SHELL\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000
- Set value (data) SHELL\BagMRU\0\MRUListEx = 00000000ffffffff
- Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings
- Key created SHELL\BagMRU\0\0
- Key created SHELL\Bags\1\Shell
- Key created SHELL\Bags
- Set value (data) SHELL\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
- Set value (data) SHELL\BagMRU\NodeSlots = 02
- Set value (str) SHELL\Bags\1\Shell\SniffedFolderType = "Documents"
- Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Key created SHELL
- Set value (data) SHELL\BagMRU\NodeSlots
- Set value (data) SHELL\BagMRU\MRUListEx = 00000000ffffffff
- Set value (data) SHELL\BagMRU\0\0\MRUListEx = ffffffff
- Key created SHELL\Bags\1
The BagMRU and Bags keys are Explorer shellbag view state; a process writes them itself when it hosts a shell folder view (a common file dialog, for instance), so on their own they are a weak signal and mainly tell you Shortfalls.exe showed a shell UI.
Suspicious behavior: EnumeratesProcesses (36 IoCs)
- all 36 entries: pid 1116 RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 1116 RegAsm.exe
- Token: SeDebugPrivilege, pid 4676 Shortfalls.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 4676 Shortfalls.exe (3 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 4204 (688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe) wrote to memory of 1020, procid_target 83 (2 entries)
- PID 4204 (688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe) wrote to memory of 4676, procid_target 84 (2 entries)
- PID 1020 (F1gaSebe_crypted.exe) wrote to memory of 1116, procid_target 85 (8 entries)
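The following is an added example, not sandbox output and not code from the report: it transcribes the WriteProcessMemory, SetThreadContext and registry entries above into a small event list and re-derives two of the findings from them, the hollowing chain 4204 -> 1020 -> 1116 and the host-fingerprinting registry reads. Two assumptions are made. First, the parent-to-child WriteProcessMemory edges are treated as process-creation links, which matches the report's process tree but is not something the signature itself guarantees. Second, the ATT&CK technique IDs attached to the registry keys are this example's mapping; the report only counts "TTPs" and does not name them.

```python
"""Re-derive the hollowing chain and fingerprinting reads from the report's
signature lines. All input below is transcribed from the report (constructed
input, not a sandbox export)."""
from collections import defaultdict
import ntpath

# Process images from the report's process tree.
IMAGES = {
    4204: r"C:\Users\Admin\AppData\Local\Temp\688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe",
    1020: r"C:\Users\Admin\AppData\Local\Temp\F1gaSebe_crypted.exe",
    4676: r"C:\Users\Admin\AppData\Local\Temp\Shortfalls.exe",
    1116: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
}

# (api, source pid, target pid) from the WriteProcessMemory / SetThreadContext signatures.
API_EVENTS = [
    ("WriteProcessMemory", 4204, 1020),
    ("WriteProcessMemory", 4204, 4676),
    ("WriteProcessMemory", 1020, 1116),
    ("SetThreadContext", 1020, 1116),
]

# (pid, registry key) from the language and processor signatures.
REG_EVENTS = [
    (4204, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1116, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1116, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    (1116, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
]

# Key prefixes a stealer reads to fingerprint the host. The ATT&CK IDs are this
# example's own mapping (assumption); the report does not name the techniques.
FINGERPRINT_KEYS = {
    r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE": "T1614.001 System Language Discovery",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR": "T1082 System Information Discovery",
}


def is_user_writable(path):
    """Paths a non-admin user can drop files into (the sample lives in %TEMP%)."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or p.startswith("c:\\users\\")


def is_trusted_host(path):
    """OS-shipped binaries that hollowing abuses as a host (RegAsm.exe here)."""
    return path.lower().startswith("c:\\windows\\")


def find_hollowing(events, images):
    """Return (parent, child, child image) for every pair where a process from a
    user-writable directory both writes into and sets the thread context of a
    child whose image lives under C:\\Windows. That pairing is the classic
    process-hollowing footprint; either API alone is common in benign code."""
    apis = defaultdict(set)
    for api, src, dst in events:
        apis[(src, dst)].add(api)
    hits = []
    for (src, dst), seen in sorted(apis.items()):
        if ({"WriteProcessMemory", "SetThreadContext"} <= seen
                and is_user_writable(images.get(src, ""))
                and is_trusted_host(images.get(dst, ""))):
            hits.append((src, dst, ntpath.basename(images[dst])))
    return hits


def ancestry(pid, events):
    """Walk WriteProcessMemory edges back to the root. Assumption: in this report
    each parent writes into its child right after creating it, so the edges
    double as parent links; on another report use the real process tree."""
    parents = {dst: src for api, src, dst in events if api == "WriteProcessMemory"}
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def classify_registry(reg_events):
    """Map each registry read to the fingerprinting technique it serves, per pid."""
    result = defaultdict(set)
    for pid, key in reg_events:
        k = key.upper()
        for prefix, technique in FINGERPRINT_KEYS.items():
            if k.startswith(prefix):
                result[pid].add(technique)
    return dict(result)


if __name__ == "__main__":
    for src, dst, host in find_hollowing(API_EVENTS, IMAGES):
        print(f"hollowing: pid {src} -> pid {dst} ({host}); chain {ancestry(dst, API_EVENTS)}")
    for pid, techs in sorted(classify_registry(REG_EVENTS).items()):
        print(pid, sorted(techs))
```

Run as a script it reports the single hollowing pair 1020 -> 1116 (RegAsm.exe) with the full chain 4204 -> 1020 -> 1116, and attributes language discovery to both 4204 and 1116 while the processor check belongs only to the hollowed RegAsm.exe, which is where the RedLine payload itself was dumped. The requirement that both APIs target the same child is what keeps 4204 -> 4676 (Shortfalls.exe, written to but never re-pointed) out of the result.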
Processes
C:\Users\Admin\AppData\Local\Temp\688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4204
    C:\Users\Admin\AppData\Local\Temp\F1gaSebe_crypted.exe (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\F1gaSebe_crypted.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1020
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 3)
          command line: #cmd
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1116
    C:\Users\Admin\AppData\Local\Temp\Shortfalls.exe (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\Shortfalls.exe
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4676
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 807KB
  MD5: 5f6b473388665e4c29cf86b97acd05f0
  SHA1: 6cc67923b21ef5df391b211243e9bca3f47851dc
  SHA256: 616ceb62d1c53a9837635e51abd73b8c717a9d20b1cc882d1420a46c385d8304
  SHA512: de3253a8714558da0621dbfcf72e4bceeed563785158f2830061f54d6b14b6a1eeb5d7abf349b9566ebcbb38afc4a0f8757ef94eae58e4eea578a98b4633fd66
- Filesize: 3.6MB
  MD5: 1b8ae5c577608b9f780b3ad704679e0a
  SHA1: 4402007d8e5ca59fe704d543a417c77e39dce762
  SHA256: 039a6fd68c38bd081e9bca0181187df2653e501b5795d24ad6f895cf81c50bdf
  SHA512: 9cc97013331ef3d4fbce1d1656ee5a28c193a50eabbf8fd75f2f1a8c57c00d2b32f82bdb35896209e3d7e24babfed607656b6e4a11a910fa099fbc25340587b3