Analysis
- max time kernel: 128s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-11-2020 06:45
Static task: static1
Behavioral task: behavioral1
- Sample: 2d11c59e91341ca5ab2590968801f5f0.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 2d11c59e91341ca5ab2590968801f5f0.exe
- Resource: win10v20201028
General
- Target: 2d11c59e91341ca5ab2590968801f5f0.exe
- Size: 559KB
- MD5: 2d11c59e91341ca5ab2590968801f5f0
- SHA1: e40ee07968064c5ce3673ac9fa1d178d9da3bac0
- SHA256: 697573b8a84e25e74362a869f8ce73efb397ca162e8ddf253b16b32c564c175e
- SHA512: 2907b4b2b311c0ede651ecd48b6aa0f203e8f87817f7670b6c703e8811209e7665ad3e65d2a141c7dd81f44d73d621eb052bfb49682ff24f5e82ac2ad032e5c7
Malware Config
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload 31 IoCs
Processes (resource, yara_rule):
  - behavioral2/memory/1492-13-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-12-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-14-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-15-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-16-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-17-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-19-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-20-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-21-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-22-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-23-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-27-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-28-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-29-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-30-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-31-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-32-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-34-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-35-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-36-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-37-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-38-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-39-0x00000000041F0000-0x0000000004214000-memory.dmp family_redline
  - behavioral2/memory/1492-41-0x0000000004590000-0x00000000045B2000-memory.dmp family_redline
  - behavioral2/memory/1492-51-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-50-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-52-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-53-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-54-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-55-0x0000000000000000-mapping.dmp family_redline
  - behavioral2/memory/1492-56-0x0000000000000000-mapping.dmp family_redline
- Executes dropped EXE 1 IoCs
Processes (pid, process):
  - 1492 bestof.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  - 12 ip-api.com
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash 3 IoCs
Processes (pid, pid_target, process, target process):
  - 1524 1492 WerFault.exe bestof.exe
  - 3068 1492 WerFault.exe bestof.exe
  - 3172 1492 WerFault.exe bestof.exe
- Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2d11c59e91341ca5ab2590968801f5f0.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2d11c59e91341ca5ab2590968801f5f0.exe
- Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes (pid, process):
  - 1524 WerFault.exe (14 entries)
  - 3068 WerFault.exe (13 entries)
  - 3172 WerFault.exe (13 entries)
- Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description, pid, process):
  - Token: SeRestorePrivilege 1524 WerFault.exe
  - Token: SeBackupPrivilege 1524 WerFault.exe
  - Token: SeDebugPrivilege 1524 WerFault.exe
  - Token: SeDebugPrivilege 3068 WerFault.exe
  - Token: SeDebugPrivilege 1492 bestof.exe
  - Token: SeDebugPrivilege 3172 WerFault.exe
- Suspicious use of WriteProcessMemory 3 IoCs
Processes (description, pid, process, target process):
  - PID 636 wrote to memory of 1492 636 2d11c59e91341ca5ab2590968801f5f0.exe bestof.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2d11c59e91341ca5ab2590968801f5f0.exe (PID 636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d11c59e91341ca5ab2590968801f5f0.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe (PID 1492)
    Command line: bestof.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 1524)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 532
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 3068)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 536
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 3172)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1228
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
  MD5: 651026d3f1f58ca2718cac5272a53192
  SHA1: f975cb02d4f348ae6cd3fd112b746445bd653e87
  SHA256: fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931
  SHA512: 9fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3
- memory/636-0-0x000000000303B000-0x000000000303D000-memory.dmp (8KB)
- memory/636-1-0x0000000004E40000-0x0000000004E41000-memory.dmp (4KB)
- memory/1492-29-0x0000000000000000-mapping.dmp
- memory/1492-41-0x0000000004590000-0x00000000045B2000-memory.dmp (136KB)
- memory/1492-6-0x00000000040B0000-0x00000000040B1000-memory.dmp (4KB)
- memory/1492-7-0x00000000042A0000-0x00000000042A1000-memory.dmp (4KB)
- memory/1492-8-0x0000000072F20000-0x000000007360E000-memory.dmp (6.9MB)
- memory/1492-13-0x0000000000000000-mapping.dmp
- memory/1492-12-0x0000000000000000-mapping.dmp
- memory/1492-14-0x0000000000000000-mapping.dmp
- memory/1492-15-0x0000000000000000-mapping.dmp
- memory/1492-16-0x0000000000000000-mapping.dmp
- memory/1492-17-0x0000000000000000-mapping.dmp
- memory/1492-19-0x0000000000000000-mapping.dmp
- memory/1492-56-0x0000000000000000-mapping.dmp
- memory/1492-55-0x0000000000000000-mapping.dmp
- memory/1492-2-0x0000000000000000-mapping.dmp
- memory/1492-21-0x0000000000000000-mapping.dmp
- memory/1492-22-0x0000000000000000-mapping.dmp
- memory/1492-23-0x0000000000000000-mapping.dmp
- memory/1492-54-0x0000000000000000-mapping.dmp
- memory/1492-53-0x0000000000000000-mapping.dmp
- memory/1492-27-0x0000000000000000-mapping.dmp
- memory/1492-28-0x0000000000000000-mapping.dmp
- memory/1492-20-0x0000000000000000-mapping.dmp
- memory/1492-50-0x0000000000000000-mapping.dmp
- memory/1492-39-0x00000000041F0000-0x0000000004214000-memory.dmp (144KB)
- memory/1492-32-0x0000000000000000-mapping.dmp
- memory/1492-52-0x0000000000000000-mapping.dmp
- memory/1492-34-0x0000000000000000-mapping.dmp
- memory/1492-35-0x0000000000000000-mapping.dmp
- memory/1492-36-0x0000000000000000-mapping.dmp
- memory/1492-37-0x0000000000000000-mapping.dmp
- memory/1492-38-0x0000000000000000-mapping.dmp
- memory/1492-31-0x0000000000000000-mapping.dmp
- memory/1492-40-0x0000000006AA0000-0x0000000006AA1000-memory.dmp (4KB)
- memory/1492-5-0x000000000256C000-0x000000000256D000-memory.dmp (4KB)
- memory/1492-42-0x0000000006FA0000-0x0000000006FA1000-memory.dmp (4KB)
- memory/1492-43-0x00000000075B0000-0x00000000075B1000-memory.dmp (4KB)
- memory/1492-44-0x0000000004630000-0x0000000004631000-memory.dmp (4KB)
- memory/1492-45-0x0000000007620000-0x0000000007621000-memory.dmp (4KB)
- memory/1492-46-0x00000000077A0000-0x00000000077A1000-memory.dmp (4KB)
- memory/1492-30-0x0000000000000000-mapping.dmp
- memory/1492-51-0x0000000000000000-mapping.dmp
- memory/1524-18-0x00000000056C0000-0x00000000056C1000-memory.dmp (4KB)
- memory/1524-10-0x0000000004F10000-0x0000000004F11000-memory.dmp (4KB)
- memory/1524-9-0x0000000004F10000-0x0000000004F11000-memory.dmp (4KB)
- memory/3068-33-0x0000000004720000-0x0000000004721000-memory.dmp (4KB)
- memory/3068-24-0x00000000040F0000-0x00000000040F1000-memory.dmp (4KB)
- memory/3172-47-0x0000000004B40000-0x0000000004B41000-memory.dmp (4KB)