Overview

overview

10

Static

static

6fecb44a68...02.exe

windows7_x64

10

6fecb44a68...02.exe

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-11-2020 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fecb44a682a1d82f0e185ccd1785402.exe

  • Size

    591KB

  • MD5

    6fecb44a682a1d82f0e185ccd1785402

  • SHA1

    9af42122c3135c9077c603b62a4baa88366bd864

  • SHA256

    56f814347c8ec650f905e26cb30343d437b587d8f663ac6bbf4ae4ca483898e1

  • SHA512

    dd0e02d922676f3a9516ddf2c86752dd27e2e03d9da02376392b2e57093b021be05e42a9fa7b45421bccf745e5ee0de44a11c0e2122b505f36b071e1ba92bc65

Score
10/10
redlineinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 32 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 14 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fecb44a682a1d82f0e185ccd1785402.exe
    "C:\Users\Admin\AppData\Local\Temp\6fecb44a682a1d82f0e185ccd1785402.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 760
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 840
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1212
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1572
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1584
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3188
    • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      PID:2608
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 528
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 656
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1000
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 980
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1672
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1612
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1716
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1904
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1880
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1964
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    651026d3f1f58ca2718cac5272a53192

    SHA1

    f975cb02d4f348ae6cd3fd112b746445bd653e87

    SHA256

    fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931

    SHA512

    9fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
    MD5

    651026d3f1f58ca2718cac5272a53192

    SHA1

    f975cb02d4f348ae6cd3fd112b746445bd653e87

    SHA256

    fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931

    SHA512

    9fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3

    Download Submit

  • memory/1056-0-0x0000000002181000-0x0000000002183000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1056-1-0x0000000003D70000-0x0000000003D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1276-116-0x00000000045B0000-0x00000000045B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1276-122-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-159-0x0000000005080000-0x0000000005081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-151-0x0000000004A50000-0x0000000004A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-131-0x0000000004520000-0x0000000004521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1972-134-0x0000000004D50000-0x0000000004D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-63-0x00000000044F0000-0x00000000044F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-66-0x0000000004B20000-0x0000000004B21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2132-111-0x00000000050E0000-0x00000000050E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2132-102-0x00000000049B0000-0x00000000049B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2392-74-0x0000000005650000-0x0000000005651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2392-71-0x0000000004F20000-0x0000000004F21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-130-0x00000000056B0000-0x00000000056B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-126-0x0000000004E80000-0x0000000004E81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2596-99-0x00000000042D0000-0x00000000042D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-6-0x0000000004750000-0x0000000004751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-3-0x0000000004220000-0x0000000004221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-2-0x0000000004220000-0x0000000004221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-143-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-125-0x0000000007490000-0x0000000007491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-90-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-93-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-92-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-163-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-95-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-96-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-97-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-98-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-89-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-162-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-106-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-107-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-108-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-109-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-110-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-161-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-112-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-113-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-114-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-115-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-85-0x0000000072D00000-0x00000000733EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-118-0x00000000067F0000-0x0000000006814000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2608-120-0x0000000006860000-0x0000000006861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-121-0x0000000006820000-0x0000000006842000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2608-84-0x0000000004250000-0x0000000004251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-123-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-124-0x0000000007450000-0x0000000007451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-91-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-83-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-129-0x00000000074E0000-0x00000000074E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-82-0x000000000251B000-0x000000000251C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-79-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-160-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-158-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-157-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-141-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-156-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-142-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-155-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-154-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-144-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-147-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-148-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-149-0x0000000000000000-mapping.dmp

    Download

  • memory/2608-150-0x00000000076D0000-0x00000000076D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-75-0x0000000004D20000-0x0000000004D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-78-0x0000000005550000-0x0000000005551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3340-145-0x0000000004B70000-0x0000000004B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3340-137-0x0000000004440000-0x0000000004441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-86-0x0000000004050000-0x0000000004051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-87-0x0000000004050000-0x0000000004051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-94-0x0000000004780000-0x0000000004781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-146-0x0000000005730000-0x0000000005731000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3448-135-0x0000000005100000-0x0000000005101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3740-70-0x0000000005300000-0x0000000005301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3740-67-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

    Filesize

    4KB

    Download