Analysis
- max time kernel: 29s
- max time network: 28s
- platform: windows7_x64
- resource: win7
- submitted: 28-10-2020 02:02
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Artemis6F952B81A92F.13442.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Artemis6F952B81A92F.13442.exe
  Resource: win10
General
- Target: SecuriteInfo.com.Artemis6F952B81A92F.13442.exe
- Size: 745KB
- MD5: 6f952b81a92f7f780923635648b428c0
- SHA1: 6c82f9a7c8667e92fe067789b8bceed727017b02
- SHA256: b185c97cf356748005cda3b4ccb5a6df0e059c8869ba3b3f33595984bb60f380
- SHA512: 76019d90a1c6142e9167561088e649b1d62366e81654c34b93b74ad36dc6d5a3f38f61e9cb987040dcda8ca11521a496fcb5b5857b724f53bbd2eb3cda7bc994
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2024-15-0x0000000002690000-0x00000000026B5000-memory.dmp   family_redline
  behavioral1/memory/2024-22-0x00000000028E0000-0x0000000002904000-memory.dmp   family_redline
Both hits are in the address space of bestof.exe (PID 2024), the dropped second stage, not in the submitted dropper.
-
Executes dropped EXE 1 IoCs
Processes:
  pid    process
  2024   bestof.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid    process
  1428   SecuriteInfo.com.Artemis6F952B81A92F.13442.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  8      ip-api.com
  14     checkip.amazonaws.com
-
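As an added example (not part of this report), the following Python shows how the external-IP-lookup behaviour above can be detected from DNS-style telemetry: query names are matched against a list of public IP-lookup services on a label boundary (subdomains match, lookalike suffixes do not), and a process that queries two different services within a short window is marked as a burst, since stealers commonly try a fallback service. The log lines are constructed for the example: the two domains are the report's IoCs, while their attribution to bestof.exe (PID 2024), the timestamps and the remaining queries are assumptions.

```python
from collections import defaultdict

# Constructed DNS-query records "ts pid process qname" (not from the report). The two
# lookup domains are this report's IoCs; attributing them to bestof.exe (PID 2024),
# the timestamps and the remaining queries are assumptions made for the example.
SAMPLE_DNS_LOG = """\
1603850521.10 2024 bestof.exe ip-api.com
1603850521.40 2024 bestof.exe checkip.amazonaws.com
1603850522.00 1428 SecuriteInfo.com.Artemis6F952B81A92F.13442.exe ctldl.windowsupdate.com
1603850523.50 1200 explorer.exe www.example.org
1603850530.00 3100 foo.exe ipinfo.io.example.org
1603850590.00 3100 foo.exe ifconfig.me
"""

# Public "what is my IP" services that infostealers query to geolocate the victim.
IP_LOOKUP_SERVICES = frozenset({
    "ip-api.com", "checkip.amazonaws.com", "api.ipify.org", "ipinfo.io",
    "icanhazip.com", "ifconfig.me", "ipecho.net", "checkip.dyndns.org",
})


def lookup_service(qname):
    """Return the matched service for qname (exact or subdomain), else None.

    Matching on the label boundary keeps 'ipinfo.io.example.org' from matching 'ipinfo.io'.
    """
    q = qname.lower().rstrip(".")
    for service in IP_LOOKUP_SERVICES:
        if q == service or q.endswith("." + service):
            return service
    return None


def parse_dns_log(text):
    """Parse the constructed 'ts pid process qname' lines into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, proc, qname = line.split(maxsplit=3)
            rows.append((float(ts), int(pid), proc, qname))
    return rows


def flag_ip_lookups(text, window_s=60.0):
    """Return {(pid, process): {"services": [...], "burst": bool}} for every process
    that queried an IP-lookup service. "burst" means two *different* services were
    queried within window_s seconds, the stronger stealer-like signal (primary + fallback).
    """
    hits = defaultdict(list)
    for ts, pid, proc, qname in parse_dns_log(text):
        service = lookup_service(qname)
        if service:
            hits[(pid, proc)].append((ts, service))
    findings = {}
    for key, events in hits.items():
        events.sort()
        burst = any(
            b_svc != a_svc and b_ts - a_ts <= window_s
            for i, (a_ts, a_svc) in enumerate(events)
            for b_ts, b_svc in events[i + 1:]
        )
        findings[key] = {"services": sorted({s for _, s in events}), "burst": burst}
    return findings


if __name__ == "__main__":
    for (pid, proc), info in flag_ip_lookups(SAMPLE_DNS_LOG).items():
        print(pid, proc, info)
```

A single lookup from an unknown process is weak evidence on its own (legitimate software does this too); the burst flag, or a lookup from a process that also matches the dropped-binary pattern in the process tree, is what should drive triage.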
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's canned description calls this likely ransomware behaviour; in a sample classified as RedLine it is more consistent with drive and host inventory collection by an infostealer, so do not read it as evidence of encryption activity.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  process                                           description         ioc
  SecuriteInfo.com.Artemis6F952B81A92F.13442.exe    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  SecuriteInfo.com.Artemis6F952B81A92F.13442.exe    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Modifies system certificate store 2 IoCs
Processes:
  process                                           description         ioc
  SecuriteInfo.com.Artemis6F952B81A92F.13442.exe    Key created         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  SecuriteInfo.com.Artemis6F952B81A92F.13442.exe    Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted)
The key name is the SHA-1 thumbprint of the stored certificate. DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the published thumbprint of the IdenTrust "DST Root CA X3" root, and AuthRoot is the store that Windows' automatic root update populates when CryptoAPI first builds a chain to a root it does not yet hold. On a fresh Windows 7 VM this write is therefore most likely a side effect of the sample's first HTTPS connection to a host whose chain ends in that root, not a deliberately implanted trust anchor. To confirm, decode the Blob value (elided in this report) and compare it with the known root; a certificate that is not a well-known public root would be the finding worth escalating.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid    process
  2024   bestof.exe
  2024   bestof.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                pid    process
  Token: SeDebugPrivilege    2024   bestof.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  source pid   source process                                    target pid   target process   events
  1428         SecuriteInfo.com.Artemis6F952B81A92F.13442.exe    2024         bestof.exe       4
  2024         bestof.exe                                        848          cmd.exe          4
  848          cmd.exe                                           1472         PING.EXE         4
Each source/target pair mirrors a parent/child edge of the process tree below. Process creation itself writes into the new child's address space before it starts running, so a handful of writes from a parent to a process it has just spawned is expected; on their own these events do not show injection into an unrelated process. Writes to a process the writer did not create would be the case to investigate.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis6F952B81A92F.13442.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis6F952B81A92F.13442.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe (depth 2)
    command line: bestof.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (depth 4)
        command line: ping 127.0.0.1 -n 3
        - Runs ping.exe
The chain is: submitted dropper in %TEMP% writes bestof.exe to a new directory under %APPDATA%, starts it, and bestof.exe spawns the usual delay-then-delete idiom (ping localhost a few times to wait, then del the file). In the captured command line the del argument is an empty string, so nothing is actually deleted here. cmd.exe and PING.EXE run from SysWOW64, i.e. the whole chain is 32-bit on this x64 guest.
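As an added example (not code from the report or from the sample), this Python shows how the two behaviours in the tree above can be caught from process-creation telemetry: a binary in a user-writable profile directory started by another user-writable binary (the drop to AppData\Roaming), and cmd.exe running the ping-delay-then-del idiom, with the parent chain reconstructed so an analyst sees the full dropper -> payload -> cmd -> ping path. The events are constructed from the tree above; explorer.exe (PID 1200) as the root parent and foo.exe as a benign control process are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 provides)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation records modelled on the tree above (not from the
# report). PIDs, images and command lines of 1428/2024/848/1472 are those in the
# tree; explorer.exe (PID 1200) as the root parent and foo.exe as a benign control
# are assumptions for the example.
SAMPLE_EVENTS = [
    ProcEvent(1200, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1428, 1200,
              r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis6F952B81A92F.13442.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis6F952B81A92F.13442.exe"'),
    ProcEvent(2024, 1428, r"C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe", "bestof.exe"),
    ProcEvent(848, 2024, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""'),
    ProcEvent(1472, 848, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
    ProcEvent(3100, 1200, r"C:\Program Files\Foo\foo.exe", "foo.exe"),
]

# "ping 127.0.0.1 -n N > nul & del <file>": the delay-then-delete idiom a dropper
# uses to remove itself once its payload is running.
SELF_DELETE_RE = re.compile(
    r"\bping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+\b.*?>\s*nul\s*&+\s*del\b", re.I)

# User-writable profile locations; an installed, signed program rarely runs from here.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)


def ancestry(by_pid, pid):
    """Image basenames from pid up to the oldest ancestor we have a record for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return findings for (a) a user-writable binary started by another user-writable
    binary (dropper -> dropped payload) and (b) cmd.exe running the self-delete idiom."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and USER_WRITABLE_RE.search(e.image) and USER_WRITABLE_RE.search(parent.image):
            findings.append({"rule": "dropped_exe_chain", "pid": e.pid,
                             "image": e.image, "chain": ancestry(by_pid, e.pid)})
        if ntpath.basename(e.image).lower() == "cmd.exe" and SELF_DELETE_RE.search(e.cmdline):
            findings.append({"rule": "self_delete_cmd", "pid": e.pid,
                             "image": e.image, "chain": ancestry(by_pid, e.pid)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]))
```

The dropped-binary rule deliberately requires both child and parent to live in user-writable paths, which keeps ordinary installers launched from Explorer out of the results while still catching the Temp -> AppData\Roaming hand-off seen here; the self-delete rule keys on cmd.exe rather than on PING.EXE, because the ping child alone looks like a benign connectivity check.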
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe (also recorded as \Users\Admin\AppData\Roaming\gfersesurity\bestof.exe)
  MD5      8d330917b4d7220eb231327236f93c95
  SHA1     467b49d82b4330ebea65b8b529fd101f371d7c9e
  SHA256   e956a58b3dfb4b71d0fddad3a02ffd5cc0c3413684b59e2f9f14fd3626250f1d
  SHA512   bbdad8394440ca08182212409a36f140853c65fbd2040f0f8cfd297c8e4c8a9334783325c9b0127c2703f5cc63eaaf664875be2781c0ea87c783e8f490367127
-
Memory dumps (behavioral1; name format is pid-index-start-end):
  dump                                                              size
  memory/848-25-0x0000000000000000-mapping.dmp                      n/a (mapping only)
  memory/1428-0-0x0000000000E45000-0x0000000000E46000-memory.dmp    4KB
  memory/1428-1-0x00000000010E0000-0x00000000010F1000-memory.dmp    68KB
  memory/1472-27-0x0000000000000000-mapping.dmp                     n/a (mapping only)
  memory/1976-2-0x000007FEF6700000-0x000007FEF697A000-memory.dmp    2.5MB
  memory/2024-8-0x0000000000000000-mapping.dmp                      n/a (mapping only)
  memory/2024-11-0x00000000010B9000-0x00000000010BA000-memory.dmp   4KB
  memory/2024-12-0x0000000002740000-0x0000000002751000-memory.dmp   68KB
  memory/2024-13-0x0000000002B10000-0x0000000002B21000-memory.dmp   68KB
  memory/2024-14-0x0000000073A00000-0x00000000740EE000-memory.dmp   6.9MB
  memory/2024-15-0x0000000002690000-0x00000000026B5000-memory.dmp   148KB (family_redline yara hit)
  memory/2024-22-0x00000000028E0000-0x0000000002904000-memory.dmp   144KB (family_redline yara hit)