Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-11-2020 07:10
General
-
Target
c5f9ffd8890ca4722cd2f6ebdc39566f.exe
-
Size
778KB
-
MD5
c5f9ffd8890ca4722cd2f6ebdc39566f
-
SHA1
ddeaf76ff2426dc3a7202dc3e84ed4bcbfa97893
-
SHA256
1ba87aa4f285a9e9cf905da0bc041df4eed434e6bff38aa189387dae4ba90dc5
-
SHA512
9c0c3811139a8d35ef2debaea44bad4ab34055394d578ac7fc2646b0c2eaa786a3ddf0fa283a134f551ea254ec1ebdecd22940434e783ba10666299cce069694
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 37 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 13 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5f9ffd8890ca4722cd2f6ebdc39566f.exe"C:\Users\Admin\AppData\Local\Temp\c5f9ffd8890ca4722cd2f6ebdc39566f.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 7602⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 8842⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 12122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 15722⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 15842⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 5403⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 5443⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 10483⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 11363⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 13163⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 16122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 19002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 19562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
6943b3380427465a7998ddf3a96945a0
SHA1abb680ef5e005da1610828d518c15a250b001fd9
SHA25694e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA5125c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
6943b3380427465a7998ddf3a96945a0
SHA1abb680ef5e005da1610828d518c15a250b001fd9
SHA25694e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA5125c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
-
memory/648-1-0x00000000041E0000-0x00000000041E1000-memory.dmpFilesize
4KB
-
memory/648-0-0x0000000002496000-0x0000000002498000-memory.dmpFilesize
8KB
-
memory/716-52-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/716-61-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/852-75-0x0000000004520000-0x0000000004521000-memory.dmpFilesize
4KB
-
memory/852-80-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/1152-68-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/1152-74-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/1156-23-0x0000000004620000-0x0000000004621000-memory.dmpFilesize
4KB
-
memory/1156-26-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/1204-11-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/1844-122-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/1844-111-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/2180-15-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/2180-18-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/2548-22-0x0000000004C50000-0x0000000004C51000-memory.dmpFilesize
4KB
-
memory/2548-19-0x0000000004520000-0x0000000004521000-memory.dmpFilesize
4KB
-
memory/2656-51-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/2656-48-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/2840-90-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/2840-83-0x00000000046B0000-0x00000000046B1000-memory.dmpFilesize
4KB
-
memory/2844-94-0x0000000004180000-0x0000000004181000-memory.dmpFilesize
4KB
-
memory/2844-104-0x00000000048B0000-0x00000000048B1000-memory.dmpFilesize
4KB
-
memory/3240-3-0x00000000044D0000-0x00000000044D1000-memory.dmpFilesize
4KB
-
memory/3240-2-0x00000000044D0000-0x00000000044D1000-memory.dmpFilesize
4KB
-
memory/3240-10-0x00000000046C0000-0x00000000046C1000-memory.dmpFilesize
4KB
-
memory/3804-65-0x0000000000000000-mapping.dmp
-
memory/3804-87-0x0000000000000000-mapping.dmp
-
memory/3804-46-0x0000000000000000-mapping.dmp
-
memory/3804-45-0x0000000000000000-mapping.dmp
-
memory/3804-47-0x0000000000000000-mapping.dmp
-
memory/3804-43-0x0000000000000000-mapping.dmp
-
memory/3804-27-0x0000000000000000-mapping.dmp
-
memory/3804-55-0x0000000000000000-mapping.dmp
-
memory/3804-56-0x0000000000000000-mapping.dmp
-
memory/3804-57-0x0000000000000000-mapping.dmp
-
memory/3804-59-0x0000000000000000-mapping.dmp
-
memory/3804-60-0x0000000000000000-mapping.dmp
-
memory/3804-58-0x0000000000000000-mapping.dmp
-
memory/3804-41-0x0000000000000000-mapping.dmp
-
memory/3804-62-0x0000000000000000-mapping.dmp
-
memory/3804-63-0x0000000000000000-mapping.dmp
-
memory/3804-64-0x0000000000000000-mapping.dmp
-
memory/3804-66-0x0000000000000000-mapping.dmp
-
memory/3804-39-0x0000000000000000-mapping.dmp
-
memory/3804-67-0x00000000043A0000-0x00000000043C4000-memory.dmpFilesize
144KB
-
memory/3804-40-0x0000000000000000-mapping.dmp
-
memory/3804-69-0x0000000006C50000-0x0000000006C51000-memory.dmpFilesize
4KB
-
memory/3804-72-0x0000000004560000-0x0000000004582000-memory.dmpFilesize
136KB
-
memory/3804-73-0x0000000007150000-0x0000000007151000-memory.dmpFilesize
4KB
-
memory/3804-38-0x0000000000000000-mapping.dmp
-
memory/3804-37-0x0000000000000000-mapping.dmp
-
memory/3804-77-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/3804-79-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/3804-33-0x0000000072B00000-0x00000000731EE000-memory.dmpFilesize
6.9MB
-
memory/3804-81-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/3804-82-0x00000000078B0000-0x00000000078B1000-memory.dmpFilesize
4KB
-
memory/3804-114-0x0000000000000000-mapping.dmp
-
memory/3804-88-0x0000000000000000-mapping.dmp
-
memory/3804-44-0x0000000000000000-mapping.dmp
-
memory/3804-86-0x0000000000000000-mapping.dmp
-
memory/3804-89-0x0000000000000000-mapping.dmp
-
memory/3804-121-0x0000000000000000-mapping.dmp
-
memory/3804-92-0x0000000000000000-mapping.dmp
-
memory/3804-93-0x0000000000000000-mapping.dmp
-
memory/3804-91-0x0000000000000000-mapping.dmp
-
memory/3804-32-0x0000000004450000-0x0000000004451000-memory.dmpFilesize
4KB
-
memory/3804-100-0x0000000000000000-mapping.dmp
-
memory/3804-101-0x0000000000000000-mapping.dmp
-
memory/3804-102-0x0000000000000000-mapping.dmp
-
memory/3804-103-0x0000000000000000-mapping.dmp
-
memory/3804-99-0x0000000000000000-mapping.dmp
-
memory/3804-98-0x0000000000000000-mapping.dmp
-
memory/3804-97-0x0000000000000000-mapping.dmp
-
memory/3804-31-0x0000000004040000-0x0000000004041000-memory.dmpFilesize
4KB
-
memory/3804-106-0x0000000000000000-mapping.dmp
-
memory/3804-105-0x0000000000000000-mapping.dmp
-
memory/3804-107-0x0000000000000000-mapping.dmp
-
memory/3804-108-0x0000000000000000-mapping.dmp
-
memory/3804-109-0x0000000000000000-mapping.dmp
-
memory/3804-110-0x0000000000000000-mapping.dmp
-
memory/3804-30-0x0000000002424000-0x0000000002425000-memory.dmpFilesize
4KB
-
memory/3804-115-0x0000000000000000-mapping.dmp
-
memory/3804-116-0x0000000000000000-mapping.dmp
-
memory/3804-117-0x0000000000000000-mapping.dmp
-
memory/3804-118-0x0000000000000000-mapping.dmp
-
memory/3804-119-0x0000000000000000-mapping.dmp
-
memory/3804-120-0x0000000000000000-mapping.dmp
-
memory/4000-34-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/4000-35-0x0000000004E60000-0x0000000004E61000-memory.dmpFilesize
4KB
-
memory/4000-42-0x0000000005510000-0x0000000005511000-memory.dmpFilesize
4KB