Analysis
-
max time kernel
134s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-11-2020 07:22
Static task
static1
Behavioral task
behavioral1
Sample
b4efb79c970f4986050184fdccd0dd06.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
b4efb79c970f4986050184fdccd0dd06.exe
Resource
win10v20201028
General
-
Target
b4efb79c970f4986050184fdccd0dd06.exe
-
Size
789KB
-
MD5
b4efb79c970f4986050184fdccd0dd06
-
SHA1
55634b78a92b7949584df0b3ce0e2d01a4a91850
-
SHA256
70af11ae12fdc645f1845b038d01ac9ba1000905c0150553fad12400db54e8dd
-
SHA512
b42dd87439debdfae1bb26479487cab184ecbc10b4b43d7716b291b9b32786d296a74a30b8ce1c9b8e2c8516f42d080e92cf1fd7ae6ef2c12b6955188ae1f880
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 36 IoCs
Processes:
resource yara_rule behavioral2/memory/3880-32-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-34-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-33-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-35-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-36-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-38-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-39-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-40-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-41-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-42-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-50-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-51-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-52-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-53-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-55-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-54-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-57-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-58-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-59-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-60-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-61-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-65-0x0000000004300000-0x0000000004324000-memory.dmp family_redline behavioral2/memory/3880-68-0x0000000004470000-0x0000000004492000-memory.dmp family_redline behavioral2/memory/3880-81-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-82-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-83-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-85-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-84-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-86-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-80-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-88-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-89-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-90-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-92-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-93-0x0000000000000000-mapping.dmp family_redline behavioral2/memory/3880-91-0x0000000000000000-mapping.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
bestof.exepid process 3880 bestof.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 12 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1156 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 2388 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 968 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 1400 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 420 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 2324 3880 WerFault.exe bestof.exe 4020 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 2880 3880 WerFault.exe bestof.exe 2760 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 2852 428 WerFault.exe b4efb79c970f4986050184fdccd0dd06.exe 3916 3880 WerFault.exe bestof.exe 2296 3880 WerFault.exe bestof.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
b4efb79c970f4986050184fdccd0dd06.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 b4efb79c970f4986050184fdccd0dd06.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b4efb79c970f4986050184fdccd0dd06.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid process 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 1156 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 2388 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 1400 WerFault.exe 420 WerFault.exe 420 WerFault.exe 420 WerFault.exe 420 WerFault.exe 420 WerFault.exe 420 WerFault.exe 420 WerFault.exe 420 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process Token: SeRestorePrivilege 1156 WerFault.exe Token: SeBackupPrivilege 1156 WerFault.exe Token: SeDebugPrivilege 1156 WerFault.exe Token: SeDebugPrivilege 2388 WerFault.exe Token: SeDebugPrivilege 968 WerFault.exe Token: SeDebugPrivilege 1400 WerFault.exe Token: SeDebugPrivilege 420 WerFault.exe Token: SeDebugPrivilege 2324 WerFault.exe Token: SeDebugPrivilege 4020 WerFault.exe Token: SeDebugPrivilege 2880 WerFault.exe Token: SeDebugPrivilege 2760 WerFault.exe Token: SeDebugPrivilege 2852 WerFault.exe Token: SeDebugPrivilege 3916 WerFault.exe Token: SeDebugPrivilege 2296 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
b4efb79c970f4986050184fdccd0dd06.exedescription pid process target process PID 428 wrote to memory of 3880 428 b4efb79c970f4986050184fdccd0dd06.exe bestof.exe PID 428 wrote to memory of 3880 428 b4efb79c970f4986050184fdccd0dd06.exe bestof.exe PID 428 wrote to memory of 3880 428 b4efb79c970f4986050184fdccd0dd06.exe bestof.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4efb79c970f4986050184fdccd0dd06.exe"C:\Users\Admin\AppData\Local\Temp\b4efb79c970f4986050184fdccd0dd06.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 7642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 8642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 12122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 15722⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 15402⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 5403⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 5443⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 10163⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 10323⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 16122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 19002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 18162⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
6943b3380427465a7998ddf3a96945a0
SHA1abb680ef5e005da1610828d518c15a250b001fd9
SHA25694e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA5125c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
6943b3380427465a7998ddf3a96945a0
SHA1abb680ef5e005da1610828d518c15a250b001fd9
SHA25694e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA5125c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
-
memory/420-18-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/420-21-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/428-0-0x000000000269B000-0x000000000269D000-memory.dmpFilesize
8KB
-
memory/428-1-0x00000000040A0000-0x00000000040A1000-memory.dmpFilesize
4KB
-
memory/968-10-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/968-13-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/1156-3-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/1156-5-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/1156-2-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/1400-14-0x0000000004620000-0x0000000004621000-memory.dmpFilesize
4KB
-
memory/1400-17-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/2296-105-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/2296-94-0x0000000004830000-0x0000000004831000-memory.dmpFilesize
4KB
-
memory/2324-37-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/2324-29-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/2324-30-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/2388-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/2388-9-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/2760-66-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/2760-62-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/2852-70-0x0000000004500000-0x0000000004501000-memory.dmpFilesize
4KB
-
memory/2852-75-0x0000000004D30000-0x0000000004D31000-memory.dmpFilesize
4KB
-
memory/2880-56-0x00000000047F0000-0x00000000047F1000-memory.dmpFilesize
4KB
-
memory/2880-46-0x00000000042C0000-0x00000000042C1000-memory.dmpFilesize
4KB
-
memory/3880-60-0x0000000000000000-mapping.dmp
-
memory/3880-81-0x0000000000000000-mapping.dmp
-
memory/3880-38-0x0000000000000000-mapping.dmp
-
memory/3880-39-0x0000000000000000-mapping.dmp
-
memory/3880-40-0x0000000000000000-mapping.dmp
-
memory/3880-41-0x0000000000000000-mapping.dmp
-
memory/3880-42-0x0000000000000000-mapping.dmp
-
memory/3880-113-0x0000000007C30000-0x0000000007C31000-memory.dmpFilesize
4KB
-
memory/3880-35-0x0000000000000000-mapping.dmp
-
memory/3880-112-0x0000000000000000-mapping.dmp
-
memory/3880-50-0x0000000000000000-mapping.dmp
-
memory/3880-51-0x0000000000000000-mapping.dmp
-
memory/3880-52-0x0000000000000000-mapping.dmp
-
memory/3880-53-0x0000000000000000-mapping.dmp
-
memory/3880-55-0x0000000000000000-mapping.dmp
-
memory/3880-54-0x0000000000000000-mapping.dmp
-
memory/3880-33-0x0000000000000000-mapping.dmp
-
memory/3880-57-0x0000000000000000-mapping.dmp
-
memory/3880-58-0x0000000000000000-mapping.dmp
-
memory/3880-59-0x0000000000000000-mapping.dmp
-
memory/3880-34-0x0000000000000000-mapping.dmp
-
memory/3880-61-0x0000000000000000-mapping.dmp
-
memory/3880-32-0x0000000000000000-mapping.dmp
-
memory/3880-65-0x0000000004300000-0x0000000004324000-memory.dmpFilesize
144KB
-
memory/3880-28-0x0000000072280000-0x000000007296E000-memory.dmpFilesize
6.9MB
-
memory/3880-67-0x0000000006BF0000-0x0000000006BF1000-memory.dmpFilesize
4KB
-
memory/3880-68-0x0000000004470000-0x0000000004492000-memory.dmpFilesize
136KB
-
memory/3880-69-0x00000000070F0000-0x00000000070F1000-memory.dmpFilesize
4KB
-
memory/3880-27-0x0000000004530000-0x0000000004531000-memory.dmpFilesize
4KB
-
memory/3880-71-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/3880-74-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/3880-26-0x00000000040E0000-0x00000000040E1000-memory.dmpFilesize
4KB
-
memory/3880-76-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/3880-110-0x0000000000000000-mapping.dmp
-
memory/3880-36-0x0000000000000000-mapping.dmp
-
memory/3880-82-0x0000000000000000-mapping.dmp
-
memory/3880-83-0x0000000000000000-mapping.dmp
-
memory/3880-85-0x0000000000000000-mapping.dmp
-
memory/3880-84-0x0000000000000000-mapping.dmp
-
memory/3880-86-0x0000000000000000-mapping.dmp
-
memory/3880-80-0x0000000000000000-mapping.dmp
-
memory/3880-111-0x0000000000000000-mapping.dmp
-
memory/3880-88-0x0000000000000000-mapping.dmp
-
memory/3880-89-0x0000000000000000-mapping.dmp
-
memory/3880-90-0x0000000000000000-mapping.dmp
-
memory/3880-92-0x0000000000000000-mapping.dmp
-
memory/3880-93-0x0000000000000000-mapping.dmp
-
memory/3880-91-0x0000000000000000-mapping.dmp
-
memory/3880-25-0x0000000002674000-0x0000000002675000-memory.dmpFilesize
4KB
-
memory/3880-98-0x0000000000000000-mapping.dmp
-
memory/3880-97-0x0000000000000000-mapping.dmp
-
memory/3880-99-0x0000000000000000-mapping.dmp
-
memory/3880-100-0x0000000000000000-mapping.dmp
-
memory/3880-101-0x0000000000000000-mapping.dmp
-
memory/3880-102-0x0000000000000000-mapping.dmp
-
memory/3880-103-0x0000000000000000-mapping.dmp
-
memory/3880-104-0x0000000000000000-mapping.dmp
-
memory/3880-22-0x0000000000000000-mapping.dmp
-
memory/3880-106-0x0000000000000000-mapping.dmp
-
memory/3880-107-0x0000000000000000-mapping.dmp
-
memory/3880-108-0x0000000000000000-mapping.dmp
-
memory/3880-109-0x0000000000000000-mapping.dmp
-
memory/3916-87-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/3916-77-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/4020-49-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/4020-43-0x00000000045C0000-0x00000000045C1000-memory.dmpFilesize
4KB