Overview

overview

10

Static

static

c5f9ffd889...6f.exe

windows7_x64

10

c5f9ffd889...6f.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-11-2020 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5f9ffd8890ca4722cd2f6ebdc39566f.exe

  • Size

    778KB

  • MD5

    c5f9ffd8890ca4722cd2f6ebdc39566f

  • SHA1

    ddeaf76ff2426dc3a7202dc3e84ed4bcbfa97893

  • SHA256

    1ba87aa4f285a9e9cf905da0bc041df4eed434e6bff38aa189387dae4ba90dc5

  • SHA512

    9c0c3811139a8d35ef2debaea44bad4ab34055394d578ac7fc2646b0c2eaa786a3ddf0fa283a134f551ea254ec1ebdecd22940434e783ba10666299cce069694

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 37 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 13 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5f9ffd8890ca4722cd2f6ebdc39566f.exe
    "C:\Users\Admin\AppData\Local\Temp\c5f9ffd8890ca4722cd2f6ebdc39566f.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 760
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 884
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1212
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1572
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1584
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 540
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:4000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 544
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1048
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1136
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1316
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1612
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1900
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1956
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    6943b3380427465a7998ddf3a96945a0

    SHA1

    abb680ef5e005da1610828d518c15a250b001fd9

    SHA256

    94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

    SHA512

    5c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    6943b3380427465a7998ddf3a96945a0

    SHA1

    abb680ef5e005da1610828d518c15a250b001fd9

    SHA256

    94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

    SHA512

    5c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d

    Download Submit

  • memory/648-1-0x00000000041E0000-0x00000000041E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/648-0-0x0000000002496000-0x0000000002498000-memory.dmp

    Filesize

    8KB

    Download

  • memory/716-52-0x0000000004C90000-0x0000000004C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/716-61-0x00000000052C0000-0x00000000052C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/852-75-0x0000000004520000-0x0000000004521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/852-80-0x0000000004D50000-0x0000000004D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-68-0x0000000004C50000-0x0000000004C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-74-0x0000000005290000-0x0000000005291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1156-23-0x0000000004620000-0x0000000004621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1156-26-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1204-11-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-122-0x0000000005270000-0x0000000005271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1844-111-0x0000000004A40000-0x0000000004A41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-15-0x0000000004E40000-0x0000000004E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-18-0x0000000005670000-0x0000000005671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-22-0x0000000004C50000-0x0000000004C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-19-0x0000000004520000-0x0000000004521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-51-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-48-0x0000000004B20000-0x0000000004B21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-90-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-83-0x00000000046B0000-0x00000000046B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-94-0x0000000004180000-0x0000000004181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-104-0x00000000048B0000-0x00000000048B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-3-0x00000000044D0000-0x00000000044D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-2-0x00000000044D0000-0x00000000044D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-10-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-65-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-87-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-46-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-45-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-47-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-43-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-27-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-55-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-56-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-57-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-59-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-60-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-58-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-41-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-62-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-63-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-64-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-66-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-39-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-67-0x00000000043A0000-0x00000000043C4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3804-40-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-69-0x0000000006C50000-0x0000000006C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-72-0x0000000004560000-0x0000000004582000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3804-73-0x0000000007150000-0x0000000007151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-38-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-37-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-77-0x0000000006A80000-0x0000000006A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-79-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-33-0x0000000072B00000-0x00000000731EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3804-81-0x0000000006B10000-0x0000000006B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-82-0x00000000078B0000-0x00000000078B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-114-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-88-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-44-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-86-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-89-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-121-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-92-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-93-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-91-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-32-0x0000000004450000-0x0000000004451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-100-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-101-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-102-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-103-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-99-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-98-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-97-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-31-0x0000000004040000-0x0000000004041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-106-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-105-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-107-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-108-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-109-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-110-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-30-0x0000000002424000-0x0000000002425000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3804-115-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-116-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-117-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-118-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-119-0x0000000000000000-mapping.dmp

    Download

  • memory/3804-120-0x0000000000000000-mapping.dmp

    Download

  • memory/4000-34-0x0000000004E60000-0x0000000004E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-35-0x0000000004E60000-0x0000000004E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-42-0x0000000005510000-0x0000000005511000-memory.dmp

    Filesize

    4KB

    Download