Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28-12-2020 07:30
Static task
static1
Behavioral task
behavioral1
Sample
0ee74f44700ad685b4487aaa4e20874e.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0ee74f44700ad685b4487aaa4e20874e.exe
Resource
win10v20201028
General
-
Target
0ee74f44700ad685b4487aaa4e20874e.exe
-
Size
594KB
-
MD5
0ee74f44700ad685b4487aaa4e20874e
-
SHA1
923303b9769e44f6deb3a857b023d94fd81b05e7
-
SHA256
17812ccf744622c22a465fd1d2c0098dbf215423dd433014afab29e232446e4c
-
SHA512
e292764c37a4f5b88c9013c7cd5ec96ef783329ce4fbf4de0df66875168dfdebfd2e2046a1d182eb6f1670ae74f89e910351c0706accb62b289da60eb91e8f57
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1608-12-0x0000000004DE0000-0x0000000004E04000-memory.dmp family_redline behavioral1/memory/1608-13-0x00000000068B0000-0x00000000068D2000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
bestof.exepid process 1608 bestof.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\leadentop\bestof.exe upx C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe upx -
Loads dropped DLL 1 IoCs
Processes:
0ee74f44700ad685b4487aaa4e20874e.exepid process 2012 0ee74f44700ad685b4487aaa4e20874e.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
0ee74f44700ad685b4487aaa4e20874e.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 0ee74f44700ad685b4487aaa4e20874e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 0ee74f44700ad685b4487aaa4e20874e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bestof.exedescription pid process Token: SeDebugPrivilege 1608 bestof.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
0ee74f44700ad685b4487aaa4e20874e.exedescription pid process target process PID 2012 wrote to memory of 1608 2012 0ee74f44700ad685b4487aaa4e20874e.exe bestof.exe PID 2012 wrote to memory of 1608 2012 0ee74f44700ad685b4487aaa4e20874e.exe bestof.exe PID 2012 wrote to memory of 1608 2012 0ee74f44700ad685b4487aaa4e20874e.exe bestof.exe PID 2012 wrote to memory of 1608 2012 0ee74f44700ad685b4487aaa4e20874e.exe bestof.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee74f44700ad685b4487aaa4e20874e.exe"C:\Users\Admin\AppData\Local\Temp\0ee74f44700ad685b4487aaa4e20874e.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Admin\AppData\Roaming\leadentop\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ce62304c3eff639e1b2352667a569b8a
SHA15a5cb774b59befe102fe04e93d9853cfbda3334b
SHA256e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
SHA51299d77537f2fade1ca2255c16fcd5d64618f0364f15cddb1b6a48814c9a7e59ccdac72db7f0a1cf4b0eac63180264fd58989e43839373d085ecb42ad2b9fe6f41
-
MD5
ce62304c3eff639e1b2352667a569b8a
SHA15a5cb774b59befe102fe04e93d9853cfbda3334b
SHA256e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
SHA51299d77537f2fade1ca2255c16fcd5d64618f0364f15cddb1b6a48814c9a7e59ccdac72db7f0a1cf4b0eac63180264fd58989e43839373d085ecb42ad2b9fe6f41