Analysis
-
max time kernel
21s -
max time network
20s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 15:57
General
-
Target
LaucnhBHF.exe
-
Size
10.5MB
-
MD5
7ff316af4c42e8c8f863a7b0f1b49367
-
SHA1
afb05fa67dd8ce1c95161a18b336f36ba447813a
-
SHA256
c5c4cbdb1274364171277919e06558417737b041d163678713d9316fc70f4825
-
SHA512
957522ca84ec470d9f8f433253ce10ad7da51c4247560cefaf631281ac7a68e2c9adec8887d526fe71f5eee832e0a1442eaacc03563ea4f059ea219061ec3bc1
-
SSDEEP
24576:MNZQnEK4hZpx3mUDxBOIUin2RlZeXTQfEZwYbS9DEr:8cEK+px3hDxBOISBfEZvkc
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\LaucnhBHF.exe"C:\Users\Admin\AppData\Local\Temp\LaucnhBHF.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Evans Evans.cmd && Evans.cmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c md 44327244⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V "computationlimitedserefforts" Tiffany4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Threaded + Engagement + Wars + Fabric + Presidential 4432724\K4⤵
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4432724\Gotta.pif4432724\Gotta.pif 4432724\K4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4432724\RegAsm.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4432724\RegAsm.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4432724\Gotta.pifFilesize
872KB
MD56ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA51257d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4432724\KFilesize
729KB
MD5a2739a3a7a6da8c68f8b05372db967a4
SHA1fc93aa42a2463c6088786b60a05e88707cf37333
SHA2566d3a837d743f826147af5f7decc7600695a1a17dc23309adcee89fd0b78d06be
SHA51250400427ad5ca1cfd23481369c91883648a911f010568dd471ef55241d97e13640c68d6d35867278b0e558fadd6bb7bd65b239b0141850dbf8c31c0b1620cb08
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\4432724\RegAsm.exeFilesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ConnecticutFilesize
168KB
MD5b1bc99c26cf43d49e10727cc6004bafb
SHA1a21a8e2809affc8a425aab3411e8f85faa97dfd7
SHA25639e3d91fa51549ae369b5bdd109d153bcc6da466b3bcdf8255180c4644bed03c
SHA5127b34f487a2b5a1c2e2296d52fd3d3776ce29e9dba85a1ddac6249e3a36fa2d57346e052e355388f4fb0aaeff4d1ba64bde92ccad267cd8aafda318098a1d0183
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\EngagementFilesize
148KB
MD598586b88236852b10e411d7175168150
SHA1fcf2341d39b19281a98bec1d036ad13d096c4852
SHA256b45cec6e938da1a68a0490b3d630c102b18f369fcea3f07f5d50783707844a1d
SHA51281fe08ac11a0252f938e587f19da12b0cdcbafc957885a2b54070b504d08be15a4879bfb080c7a0b2d62c3cdf70cc2aca15761a3af061d18c29c5779949a562f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\EvansFilesize
22KB
MD50a81598d1f08c7921baad3b5c678f4bf
SHA1cc9df1109d1024ef90883a77db7e62004a685693
SHA256bbd8b21685d8f8a26eef00110f9bbd89579777176c727544ddc95deee723826c
SHA512b64b8144017edfb50dfc5e304712906270ba7215936c9b12264361527db7ad368de38518912d2cdebcb1f5779d8d603f50c7af9c30e680d1c1b6847b1167a6cc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\FabricFilesize
99KB
MD528407acc0518fc9d38dd255ce0af8ae4
SHA1b22b1f718c00a47b6e8b0bea90f0832d981d0969
SHA256a9e39b9dfc614f225376ae484aed981273711280ce8ee865fc98fcd1e9b46fd8
SHA512e13222c52ec6fb495095f40ab3d808926195ce86d6230ab7cc48c0f111e2873cefc13ac06dd170c7635cc8881efd088c18ef8a031f01a61f3ca9c815d7b83ab2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\HelmetFilesize
220KB
MD51bdea1b407176a88c914f37503b254d7
SHA13d2d1d84fff3ebbbdde485a8fd2794d1adcfdc6f
SHA2561ef2372ff78f69b8616c9ebff1300a8c6d0438b9c59b860642deaea5d3e9ec57
SHA512ab54e8d3d0425e862d3efbe72d4aba82d53efda88d0000bac3510bd4143da426822a407cfd75e9134e91c652edb6c039c30f6fd7dec0c6d1b15b871f4d2a39b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IntakeFilesize
27KB
MD5695a9d29952e1fefd812828177ceddd2
SHA13bedb86ce5cabe1e31a7660e49f91f12dc914621
SHA25688d93acf427615ad2855252891966b646a405a429272460dcf3d168476076a33
SHA512d00e9523caa86851d587265d8623339dc5a2bac9be654a7ee9d76ba0dce1e9b7daab951b250ad2f8c14fb3d9229bf4999d2b31557507e3c9a29f139eb1ff4ebb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\KilometersFilesize
78KB
MD52c5818737758327668341de20ecd683b
SHA1f2a4182e80068dc2ca80f731c01bde7a625eaecd
SHA256a331d36564dbac7f0dd51a28f713081c6e4b679eb4dfecda16f147ed1dd309ec
SHA5120b63a8a0fddb8f2af0da26c1ae722d679d0a343d1541f8322186fe14beaebf7d316629f9d946d5a4b646f97d816eeb668020a07f5cc8329b7b2400dcb35bb743
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\KissingFilesize
146KB
MD5f81f74f99142062f13cb0ef1f368408b
SHA151ba0025f3a8f34a222699886a9e8ddc2eeb29fc
SHA256f9ca5dd55d6b150829a8e41ee82435a1e0a2fc4fd08625839b6d522f617b1771
SHA5123bf396c386aa9f2d3c40ab3f7d4fd6374a1bd687e1fc6bce4ed3d908fb0dac0db2918b4df194e2b41886f5f8af0b9bf6f44350f6ad826a8dc766daf30445657e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\MediumFilesize
214KB
MD510c3bf6e1f9e821f534cdb4485eb091f
SHA157f16e17de740ff4e06dc959752d72163792f3cf
SHA256ff6ad602aa3f21523b565eb0ad31a298b7bd2e86657864e638e5e95c02b8126a
SHA5120f939b78344da6c9a7c26b582acf7b4fce17f3062b88ce27f761e9eed34e5594d616b8677da6f222a3131446a7ec3c31d9b80e1ee38aa5843d67cd74cebc93cb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\PresidentialFilesize
91KB
MD59ba638b352b58f59e219e835eb8a1062
SHA1736fa92d9d4edccbd39c665066f7418a75cceb60
SHA256b478d854e00ebdb1aff29bec1e3f072349a09ae7b365d98a6bbe14074e848880
SHA51283b1a09125ca314e6bc55ce359ec91be991c04bf914a78ff1f897d0adf3a150dda13b26c7a87453c139c78a8aa7f0e39e77b49ef8edcc3b18c914ad41760b42e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\RecorderFilesize
14KB
MD50f04f8e9453db09c0db8392ce3eab842
SHA10cc503604f23d4b1df43320b7f65469b07fe2a0b
SHA25673379eef6a9ebf8dca9c410f9ba6f5a1e84d84a78ca0a951b8d8e734fac7881e
SHA5122bf5e90edaf17d4f81ce82f8e28d34decbbd29fb5be17e3b1cb3c2fe065c3a9cb0547baf6da1dbeea659f2e3308508ea3b9dddc1230e67ce90c0223104d7ae6c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ScsiFilesize
5KB
MD515cdd1807a64075fc9970e04926c5e50
SHA1a1defbb37479d5a7accf15da2c606266f7f20e10
SHA25607d4b0da61bfdbaf61670451d4ed49d3da2c3f51affb501e12619a311a5ab93b
SHA512f2b6f8e00954fc3ebbe5777f7b39582613b4f2c965b4c7d5a73389bac4eb9beacf809cd2a93b1b77d20a4492139a2adc702dfd9d3be0951da46aa853cc12e94b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ThreadedFilesize
195KB
MD5bc6738a1050f252321d208f572164a37
SHA1a5596c5efef3731d8357f3ac270d178fbf277e12
SHA256d9f253baf9e3dde2fe18c3d698a7f1b90ed12254d504e3a1831396ef82682a87
SHA512c59c4a10011c67918ea0ba42c5863ebdbc7ca30bf5e242130b1488ff40a487e51a22765d8a671cb0b4bf05fe41ac3e8c64c6a7ded7655daf5e9ce8abbd6e597b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\TiffanyFilesize
185B
MD5fa7c20d5955d75391d2c0a9e3daa3993
SHA14b35586e23e6812ab89c6a30be7804c8228a801e
SHA2563db9f68b7abf544f469e3d85d1c14d335582ac91abf389514b3d9e96d406f545
SHA5123623074619ede883c6615d3189bdcefaf0f0ed291981f04d850bb78df72b26bb455c2f02eb9f6cd83be1252950063272eb79004bcce80ffdc04053f414ce4f91
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\WarsFilesize
196KB
MD5332f042501fab33240e74bdf0ec0de81
SHA1321c8b0861b78714fefca0042375e32ee98f4736
SHA256f3cc084793f032cedf4a88d1c9778ae44363668a5fc03d57e5829f1b0b951abd
SHA512b69cb3502d3396e1fdebe4e39f884ad4f3d247ef55621d013040bf45531f127545f1376d4bc04e2ae37e8a961e2a1abe1c8fac3bf26c92d27490f76e4ccc0cf2
-
memory/4012-42-0x00000000050C0000-0x0000000005664000-memory.dmpFilesize
5.6MB
-
memory/4012-39-0x0000000000630000-0x00000000006F0000-memory.dmpFilesize
768KB
-
memory/4012-43-0x0000000004BF0000-0x0000000004C82000-memory.dmpFilesize
584KB
-
memory/4012-44-0x0000000004DC0000-0x0000000004DCA000-memory.dmpFilesize
40KB
-
memory/4012-45-0x0000000008310000-0x0000000008928000-memory.dmpFilesize
6.1MB
-
memory/4012-46-0x0000000007E60000-0x0000000007F6A000-memory.dmpFilesize
1.0MB
-
memory/4012-47-0x0000000007DB0000-0x0000000007DC2000-memory.dmpFilesize
72KB
-
memory/4012-48-0x0000000007E10000-0x0000000007E4C000-memory.dmpFilesize
240KB
-
memory/4012-49-0x0000000007F70000-0x0000000007FBC000-memory.dmpFilesize
304KB