Overview

overview

10

Static

static

c63d192540...a7.exe

windows7_x64

10

c63d192540...a7.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-11-2020 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c63d19254013b1268954ca8ad88b40a7.exe

  • Size

    789KB

  • MD5

    c63d19254013b1268954ca8ad88b40a7

  • SHA1

    6df96fbebc9708ba1dfc209e06fc95586f4f74ef

  • SHA256

    4e2065cecd07e0a7974565b591d3969f58c23f093afcda612413bb88ea39d2b6

  • SHA512

    7227d76627ac9727458777446ef3897f4c0f8e7538d08e6fdbb2fdbbdbb6ffcb78d5f3f4e7a9d768284e2ad8afa294b16c3bfabfd0e86f5789310cfbdcdfe507

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 39 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 15 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c63d19254013b1268954ca8ad88b40a7.exe
    "C:\Users\Admin\AppData\Local\Temp\c63d19254013b1268954ca8ad88b40a7.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 756
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 836
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1208
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1568
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1576
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 540
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 524
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1040
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1052
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1280
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1620
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1900
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1872
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 920
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1624
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    6943b3380427465a7998ddf3a96945a0

    SHA1

    abb680ef5e005da1610828d518c15a250b001fd9

    SHA256

    94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

    SHA512

    5c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    6943b3380427465a7998ddf3a96945a0

    SHA1

    abb680ef5e005da1610828d518c15a250b001fd9

    SHA256

    94e489927f1f04b50d80382b4ebbb245d8b0cd55f36dac8d7de3c543cbf361fb

    SHA512

    5c8fb35986df56b3f6f7b850a98455ab3d767372b57838d54c9faf280826975a0f2a0828fa977469a3d5e02ce9f7bea23e8b574cf793f4264f385e871de8277d

    Download Submit

  • memory/688-69-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/688-72-0x0000000004F10000-0x0000000004F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-121-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-201-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-291-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-292-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-287-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-125-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-286-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-285-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-284-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-81-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-278-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-282-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-85-0x00000000040A0000-0x00000000040A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-86-0x00000000041F0000-0x00000000041F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-87-0x0000000072A60000-0x000000007314E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1076-281-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-280-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-94-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-98-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-97-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-96-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-95-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-93-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-279-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-100-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-101-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-102-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-103-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-104-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-270-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-123-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-113-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-114-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-269-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-115-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-117-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-118-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-119-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-268-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-198-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-200-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-197-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-122-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-124-0x0000000000000000-mapping.dmp

    Download

  • memory/1076-127-0x0000000004410000-0x0000000004434000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1076-179-0x00000000077B0000-0x00000000077B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-130-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-139-0x0000000006B10000-0x0000000006B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-132-0x00000000069F0000-0x0000000006A12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1076-133-0x00000000070C0000-0x00000000070C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-138-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-137-0x0000000006A80000-0x0000000006A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1124-68-0x00000000049D0000-0x00000000049D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1124-63-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1136-191-0x0000000005090000-0x0000000005091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1136-199-0x00000000056C0000-0x00000000056C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-110-0x0000000004B20000-0x0000000004B21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1388-120-0x0000000005050000-0x0000000005051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-116-0x00000000057C0000-0x00000000057C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-107-0x0000000004F90000-0x0000000004F91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2204-126-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2204-131-0x0000000005470000-0x0000000005471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2320-187-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2320-203-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2320-194-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2348-288-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-0-0x000000000260B000-0x000000000260D000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2604-1-0x0000000004090000-0x0000000004091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-99-0x00000000050A0000-0x00000000050A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-91-0x00000000049F0000-0x00000000049F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-90-0x00000000049F0000-0x00000000049F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-80-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-75-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3124-134-0x0000000004D50000-0x0000000004D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-271-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-283-0x00000000049E0000-0x00000000049E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-74-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3232-73-0x0000000000740000-0x0000000000741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3584-2-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3584-3-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3584-6-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-212-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-224-0x0000000005440000-0x0000000005441000-memory.dmp

    Filesize

    4KB

    Download