Analysis

  • max time kernel
    23s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-12-2020 11:38

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe

  • Size

    2.5MB

  • MD5

    726416c22fec0616dad74b6af93fdb2e

  • SHA1

    7bec6c4668e9ace3464e40f9a32bf325fc815ed9

  • SHA256

    5caf05d632263d6fcb361a630f017850caebd0c9851888a755c0dae99062df7e

  • SHA512

    472cb84ca1a48af7317e0521bc6912e986ff614d6f26729cd2efc1c64a0e17e454b627b217b09d4955d07391a8ff6b5e454563711964f374d7eea216bec7b5dc

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45172172.18303.29340.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:4056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3160-12-0x00000000073A0000-0x00000000073A1000-memory.dmp

    Filesize

    4KB

  • memory/3160-9-0x0000000005780000-0x0000000005781000-memory.dmp

    Filesize

    4KB

  • memory/3160-13-0x0000000006E70000-0x0000000006E71000-memory.dmp

    Filesize

    4KB

  • memory/3160-8-0x0000000005710000-0x0000000005711000-memory.dmp

    Filesize

    4KB

  • memory/3160-14-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

    Filesize

    4KB

  • memory/3160-10-0x0000000005A20000-0x0000000005A21000-memory.dmp

    Filesize

    4KB

  • memory/3160-11-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

    Filesize

    4KB

  • memory/3160-15-0x0000000006F90000-0x0000000006F91000-memory.dmp

    Filesize

    4KB

  • memory/3160-7-0x0000000005730000-0x0000000005731000-memory.dmp

    Filesize

    4KB

  • memory/3160-6-0x0000000005E10000-0x0000000005E11000-memory.dmp

    Filesize

    4KB

  • memory/3160-3-0x00000000733D0000-0x0000000073ABE000-memory.dmp

    Filesize

    6.9MB

  • memory/3160-16-0x0000000006F10000-0x0000000006F11000-memory.dmp

    Filesize

    4KB

  • memory/3160-17-0x00000000072D0000-0x00000000072D1000-memory.dmp

    Filesize

    4KB

  • memory/3160-18-0x0000000008B40000-0x0000000008B41000-memory.dmp

    Filesize

    4KB

  • memory/3160-19-0x0000000008C30000-0x0000000008C31000-memory.dmp

    Filesize

    4KB

  • memory/3160-4-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

    Filesize

    4KB