Analysis
-
max time kernel
125s -
max time network
128s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-11-2020 18:42
General
-
Target
71c391018799e159e37eabeaacb0b949.exe
-
Size
668KB
-
MD5
71c391018799e159e37eabeaacb0b949
-
SHA1
8f318b2335b60f989a50826fbf12068b20b47ac7
-
SHA256
970c48c21582ed3e4cd22dded1852da31a0b83bfe93c0d82c74445928d104e7f
-
SHA512
ef1b9ce4c89e86e6641856c12671e0bae29bed364b0df1065d80c322f1a5ec9a473606a38289b83079395632e00581a69388b5f8665509da092cb8fe55330ff3
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 51 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71c391018799e159e37eabeaacb0b949.exe"C:\Users\Admin\AppData\Local\Temp\71c391018799e159e37eabeaacb0b949.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 7562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 8762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 12082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 15722⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 15402⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 16122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 5363⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 5403⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 10163⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 10323⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 12483⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 16762⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 19802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 19002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
72131adb0e2315281aae445db11e09a2
SHA1712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
SHA2569ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA512bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
72131adb0e2315281aae445db11e09a2
SHA1712ca2ebaa7d9bc9bbe18f7843954cfb0d22b08e
SHA2569ea7a66f0c3dc13ddfc6f05d95049dd7f641053a380578a12013db9f72367f65
SHA512bbc68fa0c586aaa7227da59848407672e7629e8f1289384add8638c21bab69d41495bcfc7881446b527e5aa4db14e1babc4f71dfee32b69705e6d3b64bf46a22
-
memory/200-150-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/200-165-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/200-157-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/424-88-0x0000000004B60000-0x0000000004B61000-memory.dmpFilesize
4KB
-
memory/1008-129-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/1008-136-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/1220-117-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/1220-110-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2096-63-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2296-97-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2296-104-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/2296-96-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2688-146-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/2688-140-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2716-76-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/2716-71-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2736-130-0x0000000004870000-0x0000000004871000-memory.dmpFilesize
4KB
-
memory/2736-121-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2736-115-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/2796-2-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/2796-3-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/2796-6-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/3048-202-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/3048-190-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/3372-145-0x0000000006F70000-0x0000000006F71000-memory.dmpFilesize
4KB
-
memory/3372-168-0x0000000000000000-mapping.dmp
-
memory/3372-107-0x0000000000000000-mapping.dmp
-
memory/3372-108-0x0000000000000000-mapping.dmp
-
memory/3372-109-0x0000000000000000-mapping.dmp
-
memory/3372-105-0x0000000000000000-mapping.dmp
-
memory/3372-103-0x0000000000000000-mapping.dmp
-
memory/3372-102-0x0000000000000000-mapping.dmp
-
memory/3372-101-0x0000000000000000-mapping.dmp
-
memory/3372-123-0x0000000000000000-mapping.dmp
-
memory/3372-124-0x0000000000000000-mapping.dmp
-
memory/3372-125-0x0000000000000000-mapping.dmp
-
memory/3372-126-0x0000000000000000-mapping.dmp
-
memory/3372-127-0x0000000000000000-mapping.dmp
-
memory/3372-128-0x0000000000000000-mapping.dmp
-
memory/3372-100-0x0000000000000000-mapping.dmp
-
memory/3372-99-0x0000000000000000-mapping.dmp
-
memory/3372-133-0x0000000000000000-mapping.dmp
-
memory/3372-134-0x0000000000000000-mapping.dmp
-
memory/3372-95-0x0000000072AC0000-0x00000000731AE000-memory.dmpFilesize
6.9MB
-
memory/3372-137-0x0000000000000000-mapping.dmp
-
memory/3372-135-0x0000000000000000-mapping.dmp
-
memory/3372-138-0x0000000000000000-mapping.dmp
-
memory/3372-139-0x00000000043D0000-0x00000000043F4000-memory.dmpFilesize
144KB
-
memory/3372-141-0x0000000006A70000-0x0000000006A71000-memory.dmpFilesize
4KB
-
memory/3372-94-0x00000000041D0000-0x00000000041D1000-memory.dmpFilesize
4KB
-
memory/3372-144-0x0000000004460000-0x0000000004482000-memory.dmpFilesize
136KB
-
memory/3372-210-0x0000000000000000-mapping.dmp
-
memory/3372-93-0x0000000003F70000-0x0000000003F71000-memory.dmpFilesize
4KB
-
memory/3372-147-0x00000000075A0000-0x00000000075A1000-memory.dmpFilesize
4KB
-
memory/3372-148-0x00000000075E0000-0x00000000075E1000-memory.dmpFilesize
4KB
-
memory/3372-149-0x0000000007630000-0x0000000007631000-memory.dmpFilesize
4KB
-
memory/3372-92-0x0000000002484000-0x0000000002485000-memory.dmpFilesize
4KB
-
memory/3372-89-0x0000000000000000-mapping.dmp
-
memory/3372-159-0x0000000000000000-mapping.dmp
-
memory/3372-158-0x0000000000000000-mapping.dmp
-
memory/3372-161-0x0000000000000000-mapping.dmp
-
memory/3372-162-0x0000000000000000-mapping.dmp
-
memory/3372-163-0x0000000000000000-mapping.dmp
-
memory/3372-164-0x0000000000000000-mapping.dmp
-
memory/3372-160-0x0000000000000000-mapping.dmp
-
memory/3372-209-0x0000000000000000-mapping.dmp
-
memory/3372-166-0x0000000000000000-mapping.dmp
-
memory/3372-106-0x0000000000000000-mapping.dmp
-
memory/3372-167-0x0000000000000000-mapping.dmp
-
memory/3372-169-0x0000000000000000-mapping.dmp
-
memory/3372-170-0x0000000000000000-mapping.dmp
-
memory/3372-171-0x0000000000000000-mapping.dmp
-
memory/3372-172-0x0000000007C60000-0x0000000007C61000-memory.dmpFilesize
4KB
-
memory/3372-206-0x0000000000000000-mapping.dmp
-
memory/3372-174-0x0000000000000000-mapping.dmp
-
memory/3372-176-0x0000000000000000-mapping.dmp
-
memory/3372-177-0x0000000000000000-mapping.dmp
-
memory/3372-175-0x0000000000000000-mapping.dmp
-
memory/3372-178-0x0000000000000000-mapping.dmp
-
memory/3372-181-0x0000000000000000-mapping.dmp
-
memory/3372-180-0x0000000000000000-mapping.dmp
-
memory/3372-179-0x0000000000000000-mapping.dmp
-
memory/3372-208-0x0000000000000000-mapping.dmp
-
memory/3372-183-0x0000000000000000-mapping.dmp
-
memory/3372-185-0x0000000000000000-mapping.dmp
-
memory/3372-184-0x0000000000000000-mapping.dmp
-
memory/3372-186-0x0000000000000000-mapping.dmp
-
memory/3372-187-0x0000000000000000-mapping.dmp
-
memory/3372-189-0x0000000000000000-mapping.dmp
-
memory/3372-188-0x0000000000000000-mapping.dmp
-
memory/3372-207-0x0000000000000000-mapping.dmp
-
memory/3372-194-0x0000000000000000-mapping.dmp
-
memory/3372-196-0x0000000000000000-mapping.dmp
-
memory/3372-197-0x0000000000000000-mapping.dmp
-
memory/3372-199-0x0000000000000000-mapping.dmp
-
memory/3372-200-0x0000000000000000-mapping.dmp
-
memory/3372-201-0x0000000000000000-mapping.dmp
-
memory/3372-198-0x0000000000000000-mapping.dmp
-
memory/3372-195-0x0000000000000000-mapping.dmp
-
memory/3372-193-0x0000000000000000-mapping.dmp
-
memory/3372-204-0x0000000000000000-mapping.dmp
-
memory/3372-203-0x0000000000000000-mapping.dmp
-
memory/3372-205-0x0000000000000000-mapping.dmp
-
memory/3884-67-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/3884-70-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/4060-182-0x0000000004970000-0x0000000004971000-memory.dmpFilesize
4KB
-
memory/4060-173-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/4076-1-0x0000000004150000-0x0000000004151000-memory.dmpFilesize
4KB
-
memory/4076-0-0x00000000026A9000-0x00000000026AB000-memory.dmpFilesize
8KB