Overview

overview

10

Static

static

7dfcfc4db0...72.exe

windows7_x64

10

7dfcfc4db0...72.exe

windows10_x64

10

Analysis

  • max time kernel
    21s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-12-2020 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7dfcfc4db04043b83c082561a945a372.exe

  • Size

    1.6MB

  • MD5

    7dfcfc4db04043b83c082561a945a372

  • SHA1

    b3c6a4b2629f3ff9525fea81d50bd6362a497efa

  • SHA256

    c86ceb78c8aa8ecb5e96f7d44a8c593ef2c310102189366d4c0d35e80c0115c9

  • SHA512

    f0a7b29215a75503040962432a3c65542f81bcc8af08e47d476acd9074daa49e053636b9e72268fe40457e83c561537f795702efab7ab5b7090d94aadfb74eb6

Score
10/10
redlinediscoveryinfostealerspywareupx

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dfcfc4db04043b83c082561a945a372.exe
    "C:\Users\Admin\AppData\Local\Temp\7dfcfc4db04043b83c082561a945a372.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Roaming\gferrfghvbc\bestof.exe
      bestof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1200

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\gferrfghvbc\bestof.exe
    MD5

    acce3c0ba9b341978211275f39eb34db

    SHA1

    a2ddcc8ceed89151a5aca71da83675caa56b9f37

    SHA256

    c7548d44039ef4712cd3161d51f4d235f7b04fac22234cfcc602a895e87d23f7

    SHA512

    4b8e4f8840796e998858536ffd3cd19f50c9f471b9141ded9bab299b488bf7e951aecdbd2535741b7d61c7688622d7dbb8c24e4f13d9b06463892ffb7590d127

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gferrfghvbc\bestof.exe
    MD5

    acce3c0ba9b341978211275f39eb34db

    SHA1

    a2ddcc8ceed89151a5aca71da83675caa56b9f37

    SHA256

    c7548d44039ef4712cd3161d51f4d235f7b04fac22234cfcc602a895e87d23f7

    SHA512

    4b8e4f8840796e998858536ffd3cd19f50c9f471b9141ded9bab299b488bf7e951aecdbd2535741b7d61c7688622d7dbb8c24e4f13d9b06463892ffb7590d127

    Download Submit

  • memory/1108-2-0x0000000006670000-0x0000000006671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-12-0x0000000006900000-0x0000000006923000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1200-14-0x0000000008E20000-0x0000000008E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-7-0x00000000064B0000-0x00000000064E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1200-8-0x0000000006780000-0x0000000006781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-9-0x00000000723B0000-0x0000000072A9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1200-10-0x0000000006880000-0x00000000068A4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1200-11-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-3-0x0000000000000000-mapping.dmp

    Download

  • memory/1200-13-0x00000000093C0000-0x00000000093C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-6-0x00000000064B0000-0x00000000064B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-15-0x0000000008E60000-0x0000000008E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-16-0x00000000099D0000-0x00000000099D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-17-0x0000000009B50000-0x0000000009B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-18-0x000000000A840000-0x000000000A841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-19-0x000000000AA10000-0x000000000AA11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-20-0x000000000B030000-0x000000000B031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-21-0x000000000B0F0000-0x000000000B0F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-22-0x000000000B180000-0x000000000B181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-23-0x000000000B4F0000-0x000000000B4F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-24-0x000000000C420000-0x000000000C421000-memory.dmp

    Filesize

    4KB

    Download