Analysis
- max time kernel: 69s
- max time network: 69s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-11-2020 00:55

Static task: static1

Behavioral task: behavioral1
- Sample: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
- Resource: win10v20201028

General
- Target: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
- Size: 571KB
- MD5: d79d1213a930b951d933adc1f33f4ca0
- SHA1: 41b80eb754b3647e29381b7ed93ae4c7f0e6d036
- SHA256: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b
- SHA512: b8650a59aeb228984ec48a671e20de6668f203fee566afb3245a1770a7c19785b7d7bccf2d0ab41e73c226490abc5222e94653b70b6423aa61e1e29cd6119c97
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
resource | yara_rule
behavioral1/memory/1668-36-0x0000000000420652-mapping.dmp | family_redline
behavioral1/memory/1668-35-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral1/memory/1668-39-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral1/memory/1668-38-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
-
Executes dropped EXE 3 IoCs
pid | process
1700 | 437406.exe
300 | 299709.exe
1668 | 299709.exe
-
Loads dropped DLL 2 IoCs
pid | process
568 | cmd.exe
820 | cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | checkip.amazonaws.com
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 300 set thread context of 1668 | 300 | 299709.exe | 299709.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data removed] | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | process
1700 | 437406.exe
1700 | 437406.exe
1668 | 299709.exe
1668 | 299709.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | process
Token: SeDebugPrivilege | 1584 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Token: SeDebugPrivilege | 1700 | 437406.exe
Token: SeDebugPrivilege | 300 | 299709.exe
Token: SeDebugPrivilege | 1668 | 299709.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
description | pid | process | target process | events
PID 1584 wrote to memory of 568 | 1584 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe | cmd.exe | 4
PID 568 wrote to memory of 1700 | 568 | cmd.exe | 437406.exe | 4
PID 1584 wrote to memory of 820 | 1584 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe | cmd.exe | 4
PID 820 wrote to memory of 300 | 820 | cmd.exe | 299709.exe | 4
PID 300 wrote to memory of 1668 | 300 | 299709.exe | 299709.exe | 9
PID 1668 wrote to memory of 956 | 1668 | 299709.exe | cmd.exe | 4
PID 956 wrote to memory of 932 | 956 | cmd.exe | PING.EXE | 4
Processes
- [level 1] Process: C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe"
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] Process: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\ProgramData\827776.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [level 3] Process: C:\ProgramData\437406.exe
      Command line: C:\ProgramData\437406.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - [level 2] Process: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\ProgramData\299709.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [level 3] Process: C:\ProgramData\299709.exe
      Command line: C:\ProgramData\299709.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [level 4] Process: C:\ProgramData\299709.exe
        Command line: "C:\ProgramData\299709.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [level 5] Process: C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\ProgramData\299709.exe"
          - Suspicious use of WriteProcessMemory
          - [level 6] Process: C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 3
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\299709.bat
MD5: 69160bf540a9a9e2049ea1d13cf2faf8
SHA1: 4ca1e1ea01171ee710927284906054d8dc42f4f1
SHA256: 42fb95a38d8bd58043f3ef01f6069d5a4f43f1a2fabcce55b74f350c8002a4a8
SHA512: 09d8e2a5227bcfa23929f71042b5bcb3d89fc0dd3f76d3451c2d6abf1143532a6fffdde159bc772b5c4346a8732721d7a7f164f69fa1a8eefc0911b010216619
-
C:\ProgramData\299709.exe
MD5: bce824d270be37468b18f591a78f280f
SHA1: d55960603fa9d83c88bbe322e8c13cd4b94dbb9a
SHA256: 5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93
SHA512: 40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0
-
C:\ProgramData\437406.exe
MD5: 79f346d5600586cf5a70f5f6f7aeb6ae
SHA1: 51bd20e0ffa21eecf09e1528fd216c8a6be8a271
SHA256: 2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb
SHA512: 2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae
-
C:\ProgramData\827776.bat
MD5: 7439d20003c0ee41be3bdaf320c0beea
SHA1: ee847192f70a531f40cce9927dfcd4064f7e0603
SHA256: c035e46907f68028f322211605e2cfe831e432dc5280d62dcd53c51b41baea7d
SHA512: 3ee6b83a66aaf283686ed34e29b405b3b07af85f99c6966a9df0adc155e8644fd2dd424363bfbe6f6775f4abc3c6bc8587d7e3b5cdb552c43ebd6db254aa5a5c
-
\ProgramData\299709.exe
MD5: bce824d270be37468b18f591a78f280f
SHA1: d55960603fa9d83c88bbe322e8c13cd4b94dbb9a
SHA256: 5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93
SHA512: 40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0
-
\ProgramData\437406.exe
MD5: 79f346d5600586cf5a70f5f6f7aeb6ae
SHA1: 51bd20e0ffa21eecf09e1528fd216c8a6be8a271
SHA256: 2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb
SHA512: 2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae
- memory/300-28-0x0000000000000000-mapping.dmp
- memory/300-34-0x0000000000610000-0x0000000000626000-memory.dmp (Filesize 88KB)
- memory/300-30-0x0000000074590000-0x0000000074C7E000-memory.dmp (Filesize 6.9MB)
- memory/300-33-0x0000000000580000-0x00000000005C0000-memory.dmp (Filesize 256KB)
- memory/300-31-0x00000000013E0000-0x00000000013E1000-memory.dmp (Filesize 4KB)
- memory/568-14-0x0000000000000000-mapping.dmp
- memory/820-24-0x0000000000000000-mapping.dmp
- memory/932-44-0x0000000000000000-mapping.dmp
- memory/956-43-0x0000000000000000-mapping.dmp
- memory/1584-0-0x0000000074590000-0x0000000074C7E000-memory.dmp (Filesize 6.9MB)
- memory/1584-1-0x0000000000030000-0x0000000000031000-memory.dmp (Filesize 4KB)
- memory/1584-3-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize 4KB)
- memory/1584-4-0x00000000041C0000-0x0000000004225000-memory.dmp (Filesize 404KB)
- memory/1584-5-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize 4KB)
- memory/1668-36-0x0000000000420652-mapping.dmp
- memory/1668-35-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/1668-39-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/1668-38-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/1668-40-0x0000000073860000-0x0000000073F4E000-memory.dmp (Filesize 6.9MB)
- memory/1700-23-0x0000000000710000-0x0000000000734000-memory.dmp (Filesize 144KB)
- memory/1700-21-0x0000000000930000-0x0000000000931000-memory.dmp (Filesize 4KB)
- memory/1700-20-0x0000000074590000-0x0000000074C7E000-memory.dmp (Filesize 6.9MB)
- memory/1700-18-0x0000000000000000-mapping.dmp