Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-11-2020 07:10
General
-
Target
c63d19254013b1268954ca8ad88b40a7.exe
-
Size
789KB
-
MD5
c63d19254013b1268954ca8ad88b40a7
-
SHA1
6df96fbebc9708ba1dfc209e06fc95586f4f74ef
-
SHA256
4e2065cecd07e0a7974565b591d3969f58c23f093afcda612413bb88ea39d2b6
-
SHA512
7227d76627ac9727458777446ef3897f4c0f8e7538d08e6fdbb2fdbbdbb6ffcb78d5f3f4e7a9d768284e2ad8afa294b16c3bfabfd0e86f5789310cfbdcdfe507
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 39 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c63d19254013b1268954ca8ad88b40a7.exe"C:\Users\Admin\AppData\Local\Temp\c63d19254013b1268954ca8ad88b40a7.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 7562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 8362⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 12082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 15682⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 15762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 5403⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 5243⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 10403⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 10523⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 12803⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 16202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 19002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 18722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 9202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 16242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
6943b3380427465a7998ddf3a96945a0
SHA1abb680ef5e005da1610828d518c15a250b001fd9
SHA25694e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA5125c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
6943b3380427465a7998ddf3a96945a0
SHA1abb680ef5e005da1610828d518c15a250b001fd9
SHA25694e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb
SHA5125c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d
-
memory/688-69-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/688-72-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/1076-121-0x0000000000000000-mapping.dmp
-
memory/1076-201-0x0000000000000000-mapping.dmp
-
memory/1076-291-0x0000000000000000-mapping.dmp
-
memory/1076-292-0x0000000000000000-mapping.dmp
-
memory/1076-287-0x0000000000000000-mapping.dmp
-
memory/1076-125-0x0000000000000000-mapping.dmp
-
memory/1076-286-0x0000000000000000-mapping.dmp
-
memory/1076-285-0x0000000000000000-mapping.dmp
-
memory/1076-284-0x0000000000000000-mapping.dmp
-
memory/1076-81-0x0000000000000000-mapping.dmp
-
memory/1076-278-0x0000000000000000-mapping.dmp
-
memory/1076-282-0x0000000000000000-mapping.dmp
-
memory/1076-85-0x00000000040A0000-0x00000000040A1000-memory.dmpFilesize
4KB
-
memory/1076-86-0x00000000041F0000-0x00000000041F1000-memory.dmpFilesize
4KB
-
memory/1076-87-0x0000000072A60000-0x000000007314E000-memory.dmpFilesize
6.9MB
-
memory/1076-281-0x0000000000000000-mapping.dmp
-
memory/1076-280-0x0000000000000000-mapping.dmp
-
memory/1076-94-0x0000000000000000-mapping.dmp
-
memory/1076-98-0x0000000000000000-mapping.dmp
-
memory/1076-97-0x0000000000000000-mapping.dmp
-
memory/1076-96-0x0000000000000000-mapping.dmp
-
memory/1076-95-0x0000000000000000-mapping.dmp
-
memory/1076-93-0x0000000000000000-mapping.dmp
-
memory/1076-279-0x0000000000000000-mapping.dmp
-
memory/1076-100-0x0000000000000000-mapping.dmp
-
memory/1076-101-0x0000000000000000-mapping.dmp
-
memory/1076-102-0x0000000000000000-mapping.dmp
-
memory/1076-103-0x0000000000000000-mapping.dmp
-
memory/1076-104-0x0000000000000000-mapping.dmp
-
memory/1076-270-0x0000000000000000-mapping.dmp
-
memory/1076-123-0x0000000000000000-mapping.dmp
-
memory/1076-113-0x0000000000000000-mapping.dmp
-
memory/1076-114-0x0000000000000000-mapping.dmp
-
memory/1076-269-0x0000000000000000-mapping.dmp
-
memory/1076-115-0x0000000000000000-mapping.dmp
-
memory/1076-117-0x0000000000000000-mapping.dmp
-
memory/1076-118-0x0000000000000000-mapping.dmp
-
memory/1076-119-0x0000000000000000-mapping.dmp
-
memory/1076-268-0x0000000000000000-mapping.dmp
-
memory/1076-198-0x0000000000000000-mapping.dmp
-
memory/1076-200-0x0000000000000000-mapping.dmp
-
memory/1076-197-0x0000000000000000-mapping.dmp
-
memory/1076-122-0x0000000000000000-mapping.dmp
-
memory/1076-124-0x0000000000000000-mapping.dmp
-
memory/1076-127-0x0000000004410000-0x0000000004434000-memory.dmpFilesize
144KB
-
memory/1076-179-0x00000000077B0000-0x00000000077B1000-memory.dmpFilesize
4KB
-
memory/1076-130-0x0000000006BC0000-0x0000000006BC1000-memory.dmpFilesize
4KB
-
memory/1076-139-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/1076-132-0x00000000069F0000-0x0000000006A12000-memory.dmpFilesize
136KB
-
memory/1076-133-0x00000000070C0000-0x00000000070C1000-memory.dmpFilesize
4KB
-
memory/1076-138-0x0000000006AC0000-0x0000000006AC1000-memory.dmpFilesize
4KB
-
memory/1076-137-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/1124-68-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/1124-63-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/1136-191-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/1136-199-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/1388-110-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/1388-120-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/2176-116-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/2176-107-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/2204-126-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/2204-131-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/2320-187-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/2320-203-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/2320-194-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/2348-288-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/2604-0-0x000000000260B000-0x000000000260D000-memory.dmpFilesize
8KB
-
memory/2604-1-0x0000000004090000-0x0000000004091000-memory.dmpFilesize
4KB
-
memory/2664-99-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/2664-91-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/2664-90-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/2736-80-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/2736-75-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/3124-134-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/3132-271-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/3132-283-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/3232-74-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/3232-73-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/3584-2-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/3584-3-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/3584-6-0x0000000004D10000-0x0000000004D11000-memory.dmpFilesize
4KB
-
memory/3944-212-0x0000000004D10000-0x0000000004D11000-memory.dmpFilesize
4KB
-
memory/3944-224-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB