Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28-12-2020 17:04
Static task
static1
Behavioral task
behavioral1
Sample
5c441448142f5dc5358221d1197d9fcd.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
5c441448142f5dc5358221d1197d9fcd.exe
Resource
win10v20201028
General
-
Target
5c441448142f5dc5358221d1197d9fcd.exe
-
Size
594KB
-
MD5
5c441448142f5dc5358221d1197d9fcd
-
SHA1
54e4371d254313709280c8a7e5eb8fa0dce22e6f
-
SHA256
733b75ae9580dccc5e4cc7941e621f89c53b35d94a8b792241f1603ba2e8e675
-
SHA512
6bcc40a67feba6e2232f26b368341985e1050cfffbecb5843870b9e0bcb2616dc59407dd844274b4cc5eb09e90188c8bcdade0bff1ac0d40946cacab94686faa
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/524-12-0x0000000005240000-0x0000000005264000-memory.dmp family_redline behavioral1/memory/524-13-0x0000000006B40000-0x0000000006B62000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
bestof.exepid process 524 bestof.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\leadentop\bestof.exe upx C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe upx -
Loads dropped DLL 1 IoCs
Processes:
5c441448142f5dc5358221d1197d9fcd.exepid process 1008 5c441448142f5dc5358221d1197d9fcd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
5c441448142f5dc5358221d1197d9fcd.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5c441448142f5dc5358221d1197d9fcd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5c441448142f5dc5358221d1197d9fcd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bestof.exedescription pid process Token: SeDebugPrivilege 524 bestof.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
5c441448142f5dc5358221d1197d9fcd.exedescription pid process target process PID 1008 wrote to memory of 524 1008 5c441448142f5dc5358221d1197d9fcd.exe bestof.exe PID 1008 wrote to memory of 524 1008 5c441448142f5dc5358221d1197d9fcd.exe bestof.exe PID 1008 wrote to memory of 524 1008 5c441448142f5dc5358221d1197d9fcd.exe bestof.exe PID 1008 wrote to memory of 524 1008 5c441448142f5dc5358221d1197d9fcd.exe bestof.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c441448142f5dc5358221d1197d9fcd.exe"C:\Users\Admin\AppData\Local\Temp\5c441448142f5dc5358221d1197d9fcd.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Users\Admin\AppData\Roaming\leadentop\bestof.exebestof.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:524
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ce62304c3eff639e1b2352667a569b8a
SHA15a5cb774b59befe102fe04e93d9853cfbda3334b
SHA256e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
SHA51299d77537f2fade1ca2255c16fcd5d64618f0364f15cddb1b6a48814c9a7e59ccdac72db7f0a1cf4b0eac63180264fd58989e43839373d085ecb42ad2b9fe6f41
-
MD5
ce62304c3eff639e1b2352667a569b8a
SHA15a5cb774b59befe102fe04e93d9853cfbda3334b
SHA256e8356fad49709d2563d2707dbb09f4f1019e30a0ff5836047a11b3d1d84f4d62
SHA51299d77537f2fade1ca2255c16fcd5d64618f0364f15cddb1b6a48814c9a7e59ccdac72db7f0a1cf4b0eac63180264fd58989e43839373d085ecb42ad2b9fe6f41