Analysis

- max time kernel: 59s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 30-10-2020 19:35

- Static task: static1
- Behavioral task: behavioral1, sample 75be014e5cba03bc01cad324c0858808.exe, resource win7v20201028
- Behavioral task: behavioral2, sample 75be014e5cba03bc01cad324c0858808.exe, resource win10v20201028

The signatures, process tree and dumps below are from behavioral2 (win10v20201028); every memory reference in this report carries the behavioral2/ prefix.
General

- Target: 75be014e5cba03bc01cad324c0858808.exe
- Size: 777KB
- MD5: 75be014e5cba03bc01cad324c0858808
- SHA1: ea7975231e51ed81b1f3f101580829b2cce39fc3
- SHA256: 87cd820fbd3707a5c0163a68fc72eeee76d16867aefc372c19b03bf1edc0bbd7
- SHA512: fef33c0723c826d899480d0a880cce771a18d0582bca1a01144f7671bb47ddf45752c7e450fdb417f91919ec1c5c4b6a6b6f21546b0f0aa6590d993adaee8eea
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource | yara_rule
behavioral2/memory/1932-50-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral2/memory/1932-51-0x000000000042064E-mapping.dmp | family_redline
Both matches are in PID 1932, the second bestof.exe instance, which is the target of the SetThreadContext call listed below; the 0x400000 region is the image base of a 32-bit PE, so the rule fired on the image that was written into that process rather than on the file on disk.
Executes dropped EXE 2 IoCs
pid | process
1440 | bestof.exe
1932 | bestof.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
14 | ip-api.com
23 | checkip.amazonaws.com
Both hosts are legitimate and widely used, so on their own they are weak indicators; a request to either from a process running out of %AppData%\Roaming is what makes them worth alerting on.
Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 1440 set thread context of 1932 | 1440 | bestof.exe | bestof.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that; for an infostealer such as RedLine, drive enumeration is more consistent with locating files to collect.
-
Program crash 9 IoCs
All nine WerFault.exe instances were launched against PID 648, the submitted sample itself; the dropper keeps faulting yet still completes its drop-and-execute step.
pid | pid_target | process | target process
3336 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
424 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
4064 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
3140 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
1404 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
3832 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
2300 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
3768 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
412 | 648 | WerFault.exe | 75be014e5cba03bc01cad324c0858808.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 75be014e5cba03bc01cad324c0858808.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 75be014e5cba03bc01cad324c0858808.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
All 64 entries are WerFault.exe instances (the listing is collapsed to counts per PID):
pid | process | count
3336 | WerFault.exe | 14
424 | WerFault.exe | 14
4064 | WerFault.exe | 14
3140 | WerFault.exe | 14
1404 | WerFault.exe | 8
Suspicious use of AdjustPrivilegeToken 13 IoCs
Token | pid | process
SeRestorePrivilege | 3336 | WerFault.exe
SeBackupPrivilege | 3336 | WerFault.exe
SeDebugPrivilege | 3336 | WerFault.exe
SeDebugPrivilege | 424 | WerFault.exe
SeDebugPrivilege | 4064 | WerFault.exe
SeDebugPrivilege | 3140 | WerFault.exe
SeDebugPrivilege | 1404 | WerFault.exe
SeDebugPrivilege | 1440 | bestof.exe
SeDebugPrivilege | 3832 | WerFault.exe
SeDebugPrivilege | 2300 | WerFault.exe
SeDebugPrivilege | 3768 | WerFault.exe
SeDebugPrivilege | 412 | WerFault.exe
SeDebugPrivilege | 1932 | bestof.exe
WerFault.exe enabling SeDebugPrivilege is expected, since it has to open and dump the faulting process. The two bestof.exe entries are the ones of interest: PID 1440 enables SeDebugPrivilege before it writes into and sets the thread context of PID 1932.
Suspicious use of WriteProcessMemory 17 IoCs
description | writes | pid | process | target pid | target process
wrote to memory of | 3 | 648 | 75be014e5cba03bc01cad324c0858808.exe | 1440 | bestof.exe
wrote to memory of | 8 | 1440 | bestof.exe | 1932 | bestof.exe
wrote to memory of | 3 | 1932 | bestof.exe | 4008 | cmd.exe
wrote to memory of | 3 | 4008 | cmd.exe | 3308 | PING.EXE
Three writes from a parent into a freshly created child appear for every ordinary parent/child pair in this run (648 to 1440, 1932 to 4008, 4008 to 3308), so that is the baseline. The eight writes from 1440 into 1932, combined with the SetThreadContext call on the same target, are what distinguish the hollowing step.
Processes
Indentation follows the depth markers of the original tree. PIDs in brackets are taken from the signature tables above; the WerFault.exe entries are not mapped to individual PIDs.

C:\Users\Admin\AppData\Local\Temp\75be014e5cba03bc01cad324c0858808.exe [PID 648]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\75be014e5cba03bc01cad324c0858808.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 760
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 888
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1212
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1572
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1540
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe [PID 1440]
    cmdline: bestof.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe [PID 1932]
      cmdline: "C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe [PID 4008]
        cmdline: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE [PID 3308]
          cmdline: ping 127.0.0.1 -n 3
          - Runs ping.exe

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1608
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1904
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1940
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1860
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

Execution chain, as the tree and the signature tables together show it: the submitted sample (PID 648) faults repeatedly (nine WerFault.exe launches with -p 648) but still drops bestof.exe to %AppData%\Roaming\gfersesurity and starts it (PID 1440). That process starts a second copy of its own image (PID 1932), writes into it eight times and calls SetThreadContext on it, and the RedLine YARA rule matches the 152KB region at 0x400000 inside PID 1932: the process-hollowing pattern. The hollowed process then runs cmd.exe with a ping delay followed by del to remove bestof.exe from disk, so the dropped file is short-lived while the payload keeps running in memory.
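As an added example (not part of the sandbox report and not code from the sample), the following Python rebuilds the process tree above as simplified process-creation records and runs the four checks a detection engineer would derive from this report: same-image child plus SetThreadContext (hollowing), a cmd.exe ping-then-del that targets an ancestor's own image (self-deletion), a WerFault crash loop against one PID, and an executable under %AppData%\Roaming started from %TEMP%. The record shape (a Sysmon Event ID 1 subset), the parent of PID 648, the SetThreadContext observation as a separate input, and the pairing of WerFault -s values with WerFault PIDs are assumptions; PIDs, image paths and command lines are those in the report.

```python
import re
from collections import Counter

# Image paths taken from the report above.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\75be014e5cba03bc01cad324c0858808.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed process-creation records (a simplified Sysmon Event ID 1 shape;
# the shape itself is an assumption). PIDs, images and command lines come from
# the report. The parent of PID 648 is not in the report (ppid 0 here), and the
# pairing of WerFault "-s" values with WerFault PIDs follows report order and is
# an assumption that none of the checks depend on.
EVENTS = [
    {"pid": 648, "ppid": 0, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 1440, "ppid": 648, "image": PAYLOAD, "cmd": "bestof.exe"},
    {"pid": 1932, "ppid": 1440, "image": PAYLOAD, "cmd": f'"{PAYLOAD}"'},
    {"pid": 4008, "ppid": 1932, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "{PAYLOAD}"'},
    {"pid": 3308, "ppid": 4008, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping 127.0.0.1 -n 3"},
] + [
    {"pid": p, "ppid": 648, "image": WERFAULT, "cmd": f"{WERFAULT} -u -p 648 -s {s}"}
    for p, s in [(3336, 760), (424, 888), (4064, 1212), (3140, 1572), (1404, 1540),
                 (3832, 1608), (2300, 1904), (3768, 1940), (412, 1860)]
]

# SetThreadContext observation from the report: (calling pid, target pid).
THREAD_CONTEXT = [(1440, 1932)]

# "ping 127.0.0.1 -n N ... & del <path>": the path is captured with or without quotes.
SELF_DELETE_RE = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+.*?&\s*del\s+"?([^"&]+?)"?\s*$', re.I)


def by_pid(events):
    return {e["pid"]: e for e in events}


def find_hollowing(events, thread_ctx):
    """A parent that launches a second copy of its own image and then rewrites
    that child's thread context is the RunPE / process-hollowing pattern."""
    procs = by_pid(events)
    hits = []
    for caller, target in thread_ctx:
        c, t = procs.get(caller), procs.get(target)
        if c and t and t["ppid"] == caller and c["image"].lower() == t["image"].lower():
            hits.append((caller, target, t["image"]))
    return hits


def find_self_delete(events):
    """cmd.exe that pings localhost as a sleep and then deletes the image of one
    of its own ancestors: a running binary cannot unlink itself, so it hands the
    deletion to a child that waits for it to exit."""
    procs = by_pid(events)
    hits = []
    for e in events:
        m = SELF_DELETE_RE.search(e["cmd"])
        if not m:
            continue
        deleted = m.group(1).strip().lower()
        anc = procs.get(e["ppid"])
        while anc:  # walk up the tree looking for the process being deleted
            if anc["image"].lower() == deleted:
                hits.append((e["pid"], anc["pid"], deleted))
                break
            anc = procs.get(anc["ppid"])
    return hits


def find_crash_loops(events, threshold=3):
    """Repeated WerFault.exe launches with the same -p target: the sample keeps
    faulting (nine times in this run) yet still drops and runs its payload."""
    target_re = re.compile(r"-p\s+(\d+)")
    counts = Counter()
    for e in events:
        if e["image"].lower().endswith("werfault.exe"):
            m = target_re.search(e["cmd"])
            if m:
                counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def find_dropped_in_roaming(events):
    """An executable under AppData\\Roaming started by a process that itself runs
    from AppData\\Local\\Temp: the drop-and-execute step of the chain."""
    procs = by_pid(events)
    out = []
    for e in events:
        parent = procs.get(e["ppid"])
        if (parent and "\\appdata\\roaming\\" in e["image"].lower()
                and "\\appdata\\local\\temp\\" in parent["image"].lower()):
            out.append((parent["pid"], e["pid"], e["image"]))
    return out


if __name__ == "__main__":
    print("hollowing:", find_hollowing(EVENTS, THREAD_CONTEXT))
    print("self-delete:", find_self_delete(EVENTS))
    print("crash loops:", find_crash_loops(EVENTS))
    print("dropped in Roaming:", find_dropped_in_roaming(EVENTS))
```

The SetThreadContext input is fed in separately because standard process-creation telemetry does not carry it; in production it would come from whatever API-level source is available (the sandbox's hooks here). The self-delete check deliberately requires the deleted path to match an ancestor's image, which separates this pattern from ordinary cleanup scripts that delete unrelated files.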
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bestof.exe.log
  MD5: 605f809fab8c19729d39d075f7ffdb53
  SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
  SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
  SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
  This usage log is written by the .NET runtime, so bestof.exe ran as a 32-bit .NET 4.x assembly, consistent with the RedLine (C#) classification.
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe (listed three times in the report with identical hashes; shown once)
  MD5: ae71797ed71a11f172c9d03701ae88c7
  SHA1: 10a0cc04fbed99c4f0f1f908979455da6868f1eb
  SHA256: 0215f9dd19951e07aaa5ddfed10c4b46af716a8e3ce1ccb853f0992d14ee3e34
  SHA512: 7f6fa1d06268a9b1a3541f19f1a2636be3579d6bcb8eb6f54f53bfdd380f1a7150e32a61799aefec5b52b920e8b39213d5dacf8e24654559b1022f6fd51a5d77
-
Memory dumps: name | size
memory/412-44-0x0000000004FC0000-0x0000000004FC1000-memory.dmp | 4KB
memory/412-47-0x00000000056F0000-0x00000000056F1000-memory.dmp | 4KB
memory/424-6-0x0000000004890000-0x0000000004891000-memory.dmp | 4KB
memory/424-9-0x0000000004DC0000-0x0000000004DC1000-memory.dmp | 4KB
memory/648-1-0x0000000004010000-0x0000000004011000-memory.dmp | 4KB
memory/648-0-0x000000000246B000-0x000000000246D000-memory.dmp | 8KB
memory/1404-24-0x0000000005420000-0x0000000005421000-memory.dmp | 4KB
memory/1404-21-0x0000000004BF0000-0x0000000004BF1000-memory.dmp | 4KB
memory/1440-29-0x00000000006B0000-0x00000000006B1000-memory.dmp | 4KB
memory/1440-25-0x0000000000000000-mapping.dmp | (mapping entry, no size)
memory/1440-48-0x00000000051A0000-0x00000000051DA000-memory.dmp | 232KB
memory/1440-49-0x0000000005300000-0x0000000005316000-memory.dmp | 88KB
memory/1440-28-0x0000000072200000-0x00000000728EE000-memory.dmp | 6.9MB
memory/1932-59-0x0000000005710000-0x0000000005711000-memory.dmp | 4KB
memory/1932-65-0x0000000007DD0000-0x0000000007DD1000-memory.dmp | 4KB
memory/1932-70-0x0000000008D30000-0x0000000008D31000-memory.dmp | 4KB
memory/1932-69-0x0000000008C40000-0x0000000008C41000-memory.dmp | 4KB
memory/1932-68-0x00000000071C0000-0x00000000071C1000-memory.dmp | 4KB
memory/1932-67-0x0000000006F10000-0x0000000006F11000-memory.dmp | 4KB
memory/1932-66-0x0000000006F90000-0x0000000006F91000-memory.dmp | 4KB
memory/1932-64-0x0000000006E70000-0x0000000006E71000-memory.dmp | 4KB
memory/1932-63-0x00000000073A0000-0x00000000073A1000-memory.dmp | 4KB
memory/1932-62-0x0000000006CA0000-0x0000000006CA1000-memory.dmp | 4KB
memory/1932-61-0x0000000005A20000-0x0000000005A21000-memory.dmp | 4KB
memory/1932-60-0x0000000005780000-0x0000000005781000-memory.dmp | 4KB
memory/1932-50-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB (family_redline match, see RedLine Payload above)
memory/1932-51-0x000000000042064E-mapping.dmp | (mapping entry, no size; family_redline match)
memory/1932-58-0x0000000005730000-0x0000000005731000-memory.dmp | 4KB
memory/1932-57-0x0000000005E80000-0x0000000005E81000-memory.dmp | 4KB
memory/1932-54-0x0000000073260000-0x000000007394E000-memory.dmp | 6.9MB
memory/2300-38-0x0000000005050000-0x0000000005051000-memory.dmp | 4KB
memory/2300-35-0x0000000004820000-0x0000000004821000-memory.dmp | 4KB
memory/3140-17-0x0000000004EE0000-0x0000000004EE1000-memory.dmp | 4KB
memory/3140-20-0x0000000005710000-0x0000000005711000-memory.dmp | 4KB
memory/3308-72-0x0000000000000000-mapping.dmp | (mapping entry, no size)
memory/3336-5-0x0000000005450000-0x0000000005451000-memory.dmp | 4KB
memory/3336-2-0x0000000004E20000-0x0000000004E21000-memory.dmp | 4KB
memory/3336-3-0x0000000004E20000-0x0000000004E21000-memory.dmp | 4KB
memory/3768-43-0x00000000052E0000-0x00000000052E1000-memory.dmp | 4KB
memory/3768-42-0x0000000004DF0000-0x0000000004DF1000-memory.dmp | 4KB
memory/3768-39-0x00000000049F0000-0x00000000049F1000-memory.dmp | 4KB
memory/3832-31-0x00000000042A0000-0x00000000042A1000-memory.dmp | 4KB
memory/3832-34-0x00000000048D0000-0x00000000048D1000-memory.dmp | 4KB
memory/4008-71-0x0000000000000000-mapping.dmp | (mapping entry, no size)
memory/4064-13-0x0000000005270000-0x0000000005271000-memory.dmp | 4KB
memory/4064-10-0x0000000004A40000-0x0000000004A41000-memory.dmp | 4KB
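An analyst reading this list wants to know which dump to open in a disassembler. As an added example (not part of the sandbox report and not the sandbox's own tooling), the following Python parses the dump names in the format used above, reproduces the size labels, and selects the region in the SetThreadContext target (PID 1932) that starts at the 32-bit PE image base 0x400000, then checks which of that PID's recorded addresses (the -mapping entries) fall inside it. The dump-name grammar is inferred from the list; the DUMP_NAMES list is a constructed subset with addresses copied verbatim; the meaning of the -mapping address beyond "an address the sandbox recorded for that PID" is an assumption.

```python
import re

# Dump names copied verbatim from the list above for the SetThreadContext
# target (PID 1932) and its parent (PID 1440): a constructed subset that is
# enough to show the selection logic.
DUMP_NAMES = [
    "memory/1440-25-0x0000000000000000-mapping.dmp",
    "memory/1440-28-0x0000000072200000-0x00000000728EE000-memory.dmp",
    "memory/1440-48-0x00000000051A0000-0x00000000051DA000-memory.dmp",
    "memory/1440-49-0x0000000005300000-0x0000000005316000-memory.dmp",
    "memory/1932-50-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/1932-51-0x000000000042064E-mapping.dmp",
    "memory/1932-54-0x0000000073260000-0x000000007394E000-memory.dmp",
    "memory/1932-58-0x0000000005730000-0x0000000005731000-memory.dmp",
]

# Two name shapes appear in the list (grammar inferred from the report):
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   a dumped region
#   memory/<pid>-<seq>-0x<addr>-mapping.dmp           a single recorded address
NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")


def parse_dump(name):
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end,
            "kind": "region" if end is not None else "mapping"}


def size_label(nbytes):
    """Same rounding the report uses: whole KB below 1 MB, one decimal above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def find_hollowed_image(names, target_pid, image_base=0x400000):
    """Pick the dump to reverse: the region in the SetThreadContext target that
    starts at the PE image base (0x400000, the default for 32-bit images), and
    report which recorded addresses for that PID fall inside it."""
    parsed = [parse_dump(n) for n in names]
    mine = [d for d in parsed if d["pid"] == target_pid]
    for r in (d for d in mine if d["kind"] == "region"):
        if r["start"] == image_base:
            inside = [d["start"] for d in mine
                      if d["kind"] == "mapping" and r["start"] <= d["start"] < r["end"]]
            return {"name": r["name"], "size": r["end"] - r["start"],
                    "inside": inside, "offsets": [a - r["start"] for a in inside]}
    return None  # no region at the image base was dumped for this PID


if __name__ == "__main__":
    hit = find_hollowed_image(DUMP_NAMES, 1932)
    print(hit["name"], size_label(hit["size"]), [hex(o) for o in hit["offsets"]])
```

For PID 1932 this selects the 152KB region and shows that 0x42064E sits 0x2064E bytes into it; for the parent PID 1440 no region at the image base was dumped, which is consistent with the payload living only in the child. The two 6.9MB regions (0x72200000 in 1440, 0x73260000 in 1932) are the same size and are not at an executable's image base, so they are the lower-value dumps to open first.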