Analysis
-
max time kernel
68s -
max time network
68s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-11-2020 06:48
Static task
static1
Behavioral task
behavioral1
Sample
Acrobat Cracker v.6.3.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Acrobat Cracker v.6.3.exe
Resource
win10v20201028
General
-
Target
Acrobat Cracker v.6.3.exe
-
Size
1.6MB
-
MD5
41598929a42c3f2bb561cc704ddad70e
-
SHA1
c60a0243e7e6220daf6890015705cd5b299f4dc2
-
SHA256
91fb579cf12c337d31c8b753b06352cc334c3720568c2c6ddfe2dc164b5a8b1c
-
SHA512
2db2086b8bcdf8db2335353fb4c3ce2e5f49a1f3030eca4bfd21d7c87461550b3f28a042ed4e3191530d8285b1368c7e86b13d7f4daaf33bce76d6e24651d1f6
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1644-6-0x0000000000400000-0x0000000000426000-memory.dmp family_redline behavioral1/memory/1644-7-0x000000000042050E-mapping.dmp family_redline behavioral1/memory/1644-8-0x0000000000400000-0x0000000000426000-memory.dmp family_redline behavioral1/memory/1644-9-0x0000000000400000-0x0000000000426000-memory.dmp family_redline -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1052 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 checkip.amazonaws.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Acrobat Cracker v.6.3.exedescription pid process target process PID 1584 set thread context of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
Acrobat Cracker v.6.3.exeAcrobat Cracker v.6.3.exepid process 1584 Acrobat Cracker v.6.3.exe 1584 Acrobat Cracker v.6.3.exe 1584 Acrobat Cracker v.6.3.exe 1584 Acrobat Cracker v.6.3.exe 1644 Acrobat Cracker v.6.3.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Acrobat Cracker v.6.3.exeAcrobat Cracker v.6.3.exedescription pid process Token: SeDebugPrivilege 1584 Acrobat Cracker v.6.3.exe Token: SeDebugPrivilege 1644 Acrobat Cracker v.6.3.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
Acrobat Cracker v.6.3.exeAcrobat Cracker v.6.3.execmd.exedescription pid process target process PID 1584 wrote to memory of 1652 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1652 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1652 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1652 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1560 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1560 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1560 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1560 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1584 wrote to memory of 1644 1584 Acrobat Cracker v.6.3.exe Acrobat Cracker v.6.3.exe PID 1644 wrote to memory of 1052 1644 Acrobat Cracker v.6.3.exe cmd.exe PID 1644 wrote to memory of 1052 1644 Acrobat Cracker v.6.3.exe cmd.exe PID 1644 wrote to memory of 1052 1644 Acrobat Cracker v.6.3.exe cmd.exe PID 1644 wrote to memory of 1052 1644 Acrobat Cracker v.6.3.exe cmd.exe PID 1052 wrote to memory of 1112 1052 cmd.exe PING.EXE PID 1052 wrote to memory of 1112 1052 cmd.exe PING.EXE PID 1052 wrote to memory of 1112 1052 cmd.exe PING.EXE PID 1052 wrote to memory of 1112 1052 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\Acrobat Cracker v.6.3.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1052-13-0x0000000000000000-mapping.dmp
-
memory/1112-14-0x0000000000000000-mapping.dmp
-
memory/1584-0-0x0000000074590000-0x0000000074C7E000-memory.dmpFilesize
6.9MB
-
memory/1584-1-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/1584-3-0x00000000022A0000-0x000000000232D000-memory.dmpFilesize
564KB
-
memory/1584-4-0x00000000020A0000-0x00000000020E7000-memory.dmpFilesize
284KB
-
memory/1584-5-0x0000000000700000-0x0000000000716000-memory.dmpFilesize
88KB
-
memory/1644-6-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1644-7-0x000000000042050E-mapping.dmp
-
memory/1644-8-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1644-9-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/1644-10-0x0000000074590000-0x0000000074C7E000-memory.dmpFilesize
6.9MB