Analysis
- max time kernel: 53s
- max time network: 99s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 00:55
Static task: static1
Behavioral task: behavioral1
- Sample: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
- Resource: win10v20201028
General
- Target: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
- Size: 571KB
- MD5: d79d1213a930b951d933adc1f33f4ca0
- SHA1: 41b80eb754b3647e29381b7ed93ae4c7f0e6d036
- SHA256: 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b
- SHA512: b8650a59aeb228984ec48a671e20de6668f203fee566afb3245a1770a7c19785b7d7bccf2d0ab41e73c226490abc5222e94653b70b6423aa61e1e29cd6119c97
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/980-34-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral2/memory/980-35-0x0000000000420652-mapping.dmp | family_redline
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1088 | 816438.exe
1004 | 182887.exe
980 | 182887.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
25 | checkip.amazonaws.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1004 set thread context of 980 | 1004 | 182887.exe | 182887.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
1088 | 816438.exe
1088 | 816438.exe
980 | 182887.exe
980 | 182887.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1180 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe
Token: SeDebugPrivilege | 1088 | 816438.exe
Token: SeDebugPrivilege | 1004 | 182887.exe
Token: SeDebugPrivilege | 980 | 182887.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes (identical rows collapsed, count of occurrences at the end of each row):
description | pid | process | target process | count
PID 1180 wrote to memory of 2668 | 1180 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe | cmd.exe | 3
PID 2668 wrote to memory of 1088 | 2668 | cmd.exe | 816438.exe | 3
PID 1180 wrote to memory of 4040 | 1180 | 027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe | cmd.exe | 3
PID 4040 wrote to memory of 1004 | 4040 | cmd.exe | 182887.exe | 3
PID 1004 wrote to memory of 980 | 1004 | 182887.exe | 182887.exe | 8
PID 980 wrote to memory of 2088 | 980 | 182887.exe | cmd.exe | 3
PID 2088 wrote to memory of 2424 | 2088 | cmd.exe | PING.EXE | 3
Processes (indentation shows the parent/child depth reported by the sandbox)
C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\027df404dc6098728eb2e89c9649eb25e17cdd867bd1a80a96cdcbe9cb4f196b.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\175243.bat" "
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\816438.exe (depth 3)
      command line: C:\ProgramData\816438.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\182887.bat" "
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\182887.exe (depth 3)
      command line: C:\ProgramData\182887.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\182887.exe (depth 4)
        command line: "C:\ProgramData\182887.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\ProgramData\182887.exe"
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\PING.EXE (depth 6)
            command line: ping 127.0.0.1 -n 3
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\175243.bat
MD5: 22c769ab238d79cc9a90fec628ae0177
SHA1: 29172f85d32ee363b5d3e65f6d10c438c303c191
SHA256: c2a3b3c1ad0f8f8c4f08093ad552df611a27d53e67b36f42fed5bac6125a017f
SHA512: 88ca0c2cdc8f9c1fe22ca8a32fe52a25bf723ed75fd8478953bcdfdcdaf6720bbc860af2c7bd1d87c06b64c9996fb419dada5d810c0b149909ba48771e346255
-
C:\ProgramData\182887.bat
MD5: eb3846432e059fa9380d7357b5245fd4
SHA1: b1120a8fbe775ad7d0c82c750c4db661b5e32d03
SHA256: d2867a27f1c430ff7c5c27782cdfef84379a1691a06c8bfaa1af4e2a5752ac27
SHA512: a3c6825201106107d41885e2652466d23ee0366140671d3e111c72d5b7a108dcc199f5790fa9ae4423567671369a8a4c08da69f13213226e10364a4270b65ad4
-
C:\ProgramData\182887.exe
MD5: bce824d270be37468b18f591a78f280f
SHA1: d55960603fa9d83c88bbe322e8c13cd4b94dbb9a
SHA256: 5bbf0196747d0a66cfb41e53ec49d0a738537153ff6f5af47906c1591ef33a93
SHA512: 40d1d2b6d367de438799039cc133adba7cf261afd4974f452624373db96add7f7d7be984de7290ba52199eb3dbe9339be1db1b214bd6f5e9c8d1d80c442df0e0
-
C:\ProgramData\816438.exe
MD5: 79f346d5600586cf5a70f5f6f7aeb6ae
SHA1: 51bd20e0ffa21eecf09e1528fd216c8a6be8a271
SHA256: 2e9cac20edae9652a21e28e2930fe429fbda66aef0e55e0072e0a1fbfbe850fb
SHA512: 2ada9bb782f05eedc42c75ce98fcbdfb41ca2effc332504c51fffdcf0a660105e6f30de43b89950d0a6547bc6c244128082a8282d130df565a633b388748b0ae
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\182887.exe.log
MD5: 41fbed686f5700fc29aaccf83e8ba7fd
SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
Memory dumps (path, then Filesize where the report gives one):
- memory/980-45-0x00000000054E0000-0x00000000054E1000-memory.dmp (Filesize 4KB)
- memory/980-42-0x0000000005200000-0x0000000005201000-memory.dmp (Filesize 4KB)
- memory/980-41-0x00000000057D0000-0x00000000057D1000-memory.dmp (Filesize 4KB)
- memory/980-43-0x00000000051E0000-0x00000000051E1000-memory.dmp (Filesize 4KB)
- memory/980-38-0x0000000073D20000-0x000000007440E000-memory.dmp (Filesize 6.9MB)
- memory/980-44-0x0000000005250000-0x0000000005251000-memory.dmp (Filesize 4KB)
- memory/980-46-0x0000000006670000-0x0000000006671000-memory.dmp (Filesize 4KB)
- memory/980-35-0x0000000000420652-mapping.dmp
- memory/980-47-0x0000000006D70000-0x0000000006D71000-memory.dmp (Filesize 4KB)
- memory/980-34-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/980-53-0x0000000007410000-0x0000000007411000-memory.dmp (Filesize 4KB)
- memory/1004-24-0x0000000073D20000-0x000000007440E000-memory.dmp (Filesize 6.9MB)
- memory/1004-31-0x0000000004CC0000-0x0000000004CC1000-memory.dmp (Filesize 4KB)
- memory/1004-25-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize 4KB)
- memory/1004-27-0x0000000004C00000-0x0000000004C01000-memory.dmp (Filesize 4KB)
- memory/1004-21-0x0000000000000000-mapping.dmp
- memory/1004-33-0x0000000004FA0000-0x0000000004FB6000-memory.dmp (Filesize 88KB)
- memory/1004-30-0x0000000004BC0000-0x0000000004C00000-memory.dmp (Filesize 256KB)
- memory/1088-18-0x0000000007E60000-0x0000000007E61000-memory.dmp (Filesize 4KB)
- memory/1088-10-0x0000000000000000-mapping.dmp
- memory/1088-28-0x00000000084D0000-0x00000000084D1000-memory.dmp (Filesize 4KB)
- memory/1088-29-0x0000000008430000-0x0000000008431000-memory.dmp (Filesize 4KB)
- memory/1088-13-0x0000000073D20000-0x000000007440E000-memory.dmp (Filesize 6.9MB)
- memory/1088-17-0x0000000007530000-0x0000000007531000-memory.dmp (Filesize 4KB)
- memory/1088-16-0x0000000007460000-0x0000000007484000-memory.dmp (Filesize 144KB)
- memory/1088-14-0x00000000007C0000-0x00000000007C1000-memory.dmp (Filesize 4KB)
- memory/1180-0-0x0000000073D20000-0x000000007440E000-memory.dmp (Filesize 6.9MB)
- memory/1180-5-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (Filesize 4KB)
- memory/1180-4-0x0000000004B00000-0x0000000004B65000-memory.dmp (Filesize 404KB)
- memory/1180-3-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (Filesize 4KB)
- memory/1180-1-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize 4KB)
- memory/2088-57-0x0000000000000000-mapping.dmp
- memory/2424-58-0x0000000000000000-mapping.dmp
- memory/2668-8-0x0000000000000000-mapping.dmp
- memory/4040-19-0x0000000000000000-mapping.dmp