Overview

overview

10

Static

static

2d11c59e91...f0.exe

windows7_x64

10

2d11c59e91...f0.exe

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-11-2020 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d11c59e91341ca5ab2590968801f5f0.exe

  • Size

    559KB

  • MD5

    2d11c59e91341ca5ab2590968801f5f0

  • SHA1

    e40ee07968064c5ce3673ac9fa1d178d9da3bac0

  • SHA256

    697573b8a84e25e74362a869f8ce73efb397ca162e8ddf253b16b32c564c175e

  • SHA512

    2907b4b2b311c0ede651ecd48b6aa0f203e8f87817f7670b6c703e8811209e7665ad3e65d2a141c7dd81f44d73d621eb052bfb49682ff24f5e82ac2ad032e5c7

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 31 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d11c59e91341ca5ab2590968801f5f0.exe
    "C:\Users\Admin\AppData\Local\Temp\2d11c59e91341ca5ab2590968801f5f0.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 532
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 536
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1228
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3172

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    651026d3f1f58ca2718cac5272a53192

    SHA1

    f975cb02d4f348ae6cd3fd112b746445bd653e87

    SHA256

    fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931

    SHA512

    9fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    651026d3f1f58ca2718cac5272a53192

    SHA1

    f975cb02d4f348ae6cd3fd112b746445bd653e87

    SHA256

    fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931

    SHA512

    9fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3

    Download Submit
  • memory/636-0-0x000000000303B000-0x000000000303D000-memory.dmp
    Filesize

    8KB

    Download
  • memory/636-1-0x0000000004E40000-0x0000000004E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-29-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-41-0x0000000004590000-0x00000000045B2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1492-6-0x00000000040B0000-0x00000000040B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-7-0x00000000042A0000-0x00000000042A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-8-0x0000000072F20000-0x000000007360E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1492-13-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-12-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-15-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-16-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-17-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-19-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-21-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-22-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-23-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-53-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-27-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-28-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-20-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-50-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-39-0x00000000041F0000-0x0000000004214000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1492-32-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-52-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-34-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-35-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-36-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-37-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-38-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-31-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-40-0x0000000006AA0000-0x0000000006AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-5-0x000000000256C000-0x000000000256D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-42-0x0000000006FA0000-0x0000000006FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-43-0x00000000075B0000-0x00000000075B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-44-0x0000000004630000-0x0000000004631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-45-0x0000000007620000-0x0000000007621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-46-0x00000000077A0000-0x00000000077A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1492-30-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-51-0x0000000000000000-mapping.dmp
    Download
  • memory/1524-18-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-10-0x0000000004F10000-0x0000000004F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-9-0x0000000004F10000-0x0000000004F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3068-33-0x0000000004720000-0x0000000004721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3068-24-0x00000000040F0000-0x00000000040F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3172-47-0x0000000004B40000-0x0000000004B41000-memory.dmp
    Filesize

    4KB

    Download