Analysis
-
max time kernel
148s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-11-2020 06:34
General
-
Target
fcdec12d6cbb88ea6e95cbb2204f8785.exe
-
Size
591KB
-
MD5
fcdec12d6cbb88ea6e95cbb2204f8785
-
SHA1
ac9bacff423395fb282f5427f2f7a16842ae55ab
-
SHA256
c9393fcd89b8a47fbf127421c4248c06e202706d65de8d782006637ce5c6778c
-
SHA512
f0a722a460ec989d083b6892d9edbd824f8baa9abfb2c0bc6283c9735da9c52ddd30b7265363fa77d463b7ab907b8b8ff43d2330cd47123e1481dee6d2e42252
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 58 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcdec12d6cbb88ea6e95cbb2204f8785.exe"C:\Users\Admin\AppData\Local\Temp\fcdec12d6cbb88ea6e95cbb2204f8785.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 7562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 8762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 12082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 15682⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 15562⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 5323⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 6643⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 12603⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 12843⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 13203⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 15642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 18962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 18202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 16762⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
651026d3f1f58ca2718cac5272a53192
SHA1f975cb02d4f348ae6cd3fd112b746445bd653e87
SHA256fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931
SHA5129fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3
-
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exeMD5
651026d3f1f58ca2718cac5272a53192
SHA1f975cb02d4f348ae6cd3fd112b746445bd653e87
SHA256fdc884b306b56d605844a30990a565fed93cbbf6d15c04c524ee606fbb1d8931
SHA5129fe5bf0e4df06c0c67db69d6002366ee9897bdeb9c89940657f64852e9c287f1a2fc7ec2fac4377e77f97781045a4cc080318d2ec9e628da6ed9829a0ef929c3
-
memory/220-2-0x00000000042F0000-0x00000000042F1000-memory.dmpFilesize
4KB
-
memory/220-3-0x00000000042F0000-0x00000000042F1000-memory.dmpFilesize
4KB
-
memory/220-5-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/912-135-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/912-112-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/1004-215-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/1004-200-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/1180-0-0x0000000001F01000-0x0000000001F03000-memory.dmpFilesize
8KB
-
memory/1180-1-0x0000000003AB0000-0x0000000003AB1000-memory.dmpFilesize
4KB
-
memory/1356-69-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/1356-65-0x0000000004830000-0x0000000004831000-memory.dmpFilesize
4KB
-
memory/1496-13-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/1496-10-0x0000000004690000-0x0000000004691000-memory.dmpFilesize
4KB
-
memory/1516-49-0x0000000004670000-0x0000000004671000-memory.dmpFilesize
4KB
-
memory/1524-14-0x0000000004850000-0x0000000004851000-memory.dmpFilesize
4KB
-
memory/1524-17-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/1908-9-0x00000000046E0000-0x00000000046E1000-memory.dmpFilesize
4KB
-
memory/1908-6-0x00000000043A0000-0x00000000043A1000-memory.dmpFilesize
4KB
-
memory/1936-52-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/1936-46-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/2064-181-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/2064-154-0x00000000042F0000-0x00000000042F1000-memory.dmpFilesize
4KB
-
memory/2668-21-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/2668-18-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/2868-31-0x00000000043D0000-0x00000000043D1000-memory.dmpFilesize
4KB
-
memory/2868-32-0x00000000043D0000-0x00000000043D1000-memory.dmpFilesize
4KB
-
memory/2868-40-0x0000000004810000-0x0000000004811000-memory.dmpFilesize
4KB
-
memory/2876-75-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/2876-80-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/3692-198-0x00000000042F0000-0x00000000042F1000-memory.dmpFilesize
4KB
-
memory/3692-205-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/3792-73-0x0000000006A70000-0x0000000006A71000-memory.dmpFilesize
4KB
-
memory/3792-141-0x0000000000000000-mapping.dmp
-
memory/3792-45-0x0000000000000000-mapping.dmp
-
memory/3792-43-0x0000000000000000-mapping.dmp
-
memory/3792-53-0x0000000000000000-mapping.dmp
-
memory/3792-54-0x0000000000000000-mapping.dmp
-
memory/3792-55-0x0000000000000000-mapping.dmp
-
memory/3792-56-0x0000000000000000-mapping.dmp
-
memory/3792-57-0x0000000000000000-mapping.dmp
-
memory/3792-58-0x0000000000000000-mapping.dmp
-
memory/3792-60-0x0000000000000000-mapping.dmp
-
memory/3792-61-0x0000000000000000-mapping.dmp
-
memory/3792-62-0x0000000000000000-mapping.dmp
-
memory/3792-63-0x0000000000000000-mapping.dmp
-
memory/3792-64-0x0000000000000000-mapping.dmp
-
memory/3792-42-0x0000000000000000-mapping.dmp
-
memory/3792-68-0x00000000043B0000-0x00000000043D4000-memory.dmpFilesize
144KB
-
memory/3792-41-0x0000000000000000-mapping.dmp
-
memory/3792-70-0x0000000006B30000-0x0000000006B31000-memory.dmpFilesize
4KB
-
memory/3792-71-0x0000000004550000-0x0000000004572000-memory.dmpFilesize
136KB
-
memory/3792-72-0x0000000007030000-0x0000000007031000-memory.dmpFilesize
4KB
-
memory/3792-39-0x0000000000000000-mapping.dmp
-
memory/3792-74-0x0000000006AB0000-0x0000000006AB1000-memory.dmpFilesize
4KB
-
memory/3792-37-0x0000000000000000-mapping.dmp
-
memory/3792-78-0x0000000007640000-0x0000000007641000-memory.dmpFilesize
4KB
-
memory/3792-38-0x0000000000000000-mapping.dmp
-
memory/3792-95-0x00000000077A0000-0x00000000077A1000-memory.dmpFilesize
4KB
-
memory/3792-35-0x0000000000000000-mapping.dmp
-
memory/3792-120-0x0000000000000000-mapping.dmp
-
memory/3792-122-0x0000000000000000-mapping.dmp
-
memory/3792-124-0x0000000000000000-mapping.dmp
-
memory/3792-128-0x0000000000000000-mapping.dmp
-
memory/3792-131-0x0000000000000000-mapping.dmp
-
memory/3792-127-0x0000000000000000-mapping.dmp
-
memory/3792-133-0x0000000000000000-mapping.dmp
-
memory/3792-36-0x0000000000000000-mapping.dmp
-
memory/3792-140-0x0000000000000000-mapping.dmp
-
memory/3792-44-0x0000000000000000-mapping.dmp
-
memory/3792-144-0x0000000000000000-mapping.dmp
-
memory/3792-145-0x0000000000000000-mapping.dmp
-
memory/3792-147-0x0000000000000000-mapping.dmp
-
memory/3792-150-0x0000000000000000-mapping.dmp
-
memory/3792-34-0x0000000000000000-mapping.dmp
-
memory/3792-163-0x0000000000000000-mapping.dmp
-
memory/3792-165-0x0000000000000000-mapping.dmp
-
memory/3792-167-0x0000000000000000-mapping.dmp
-
memory/3792-168-0x0000000000000000-mapping.dmp
-
memory/3792-171-0x0000000000000000-mapping.dmp
-
memory/3792-174-0x0000000000000000-mapping.dmp
-
memory/3792-173-0x0000000000000000-mapping.dmp
-
memory/3792-177-0x0000000000000000-mapping.dmp
-
memory/3792-179-0x0000000000000000-mapping.dmp
-
memory/3792-28-0x0000000072E40000-0x000000007352E000-memory.dmpFilesize
6.9MB
-
memory/3792-183-0x0000000000000000-mapping.dmp
-
memory/3792-185-0x0000000000000000-mapping.dmp
-
memory/3792-186-0x0000000000000000-mapping.dmp
-
memory/3792-188-0x0000000000000000-mapping.dmp
-
memory/3792-192-0x0000000000000000-mapping.dmp
-
memory/3792-194-0x0000000000000000-mapping.dmp
-
memory/3792-196-0x0000000000000000-mapping.dmp
-
memory/3792-191-0x0000000000000000-mapping.dmp
-
memory/3792-197-0x0000000000000000-mapping.dmp
-
memory/3792-27-0x00000000041B0000-0x00000000041B1000-memory.dmpFilesize
4KB
-
memory/3792-26-0x0000000003FC0000-0x0000000003FC1000-memory.dmpFilesize
4KB
-
memory/3792-204-0x0000000000000000-mapping.dmp
-
memory/3792-206-0x0000000000000000-mapping.dmp
-
memory/3792-207-0x0000000000000000-mapping.dmp
-
memory/3792-25-0x00000000024FB000-0x00000000024FC000-memory.dmpFilesize
4KB
-
memory/3792-208-0x0000000000000000-mapping.dmp
-
memory/3792-209-0x0000000000000000-mapping.dmp
-
memory/3792-210-0x0000000000000000-mapping.dmp
-
memory/3792-211-0x0000000000000000-mapping.dmp
-
memory/3792-212-0x0000000000000000-mapping.dmp
-
memory/3792-213-0x0000000000000000-mapping.dmp
-
memory/3792-214-0x0000000000000000-mapping.dmp
-
memory/3792-22-0x0000000000000000-mapping.dmp