Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 20:12

General

  • Target

    LQuotePdf.exe

  • Size

    309KB

  • MD5

    516dc9c39bc4e3cb7ac6251d038c3be8

  • SHA1

    70402eff9246bab1b00c40d9b743c2c99bbfb248

  • SHA256

    68e1ab10c0906ad3d54599d03150938a0e00533060251b1223b76440e4d51b6a

  • SHA512

    ec178d0804a16dbb0325f1142dba1ce5cd364828d415bac645032e43315f15833c4987037e656c7d72298ea8cb63540865c5c4e38e1ee5d6e26cf27414d2a224

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LQuotePdf.exe
    "C:\Users\Admin\AppData\Local\Temp\LQuotePdf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp
    Filesize

    6.9MB

  • memory/1080-3-0x0000000000870000-0x0000000000871000-memory.dmp
    Filesize

    4KB