Analysis
- max time kernel: 33s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe
- Size: 535KB
- MD5: 0394ed76010d0e8255ccafec70223c27
- SHA1: ce76f575ddbbedd13423fc58923f76967a83b533
- SHA256: 51615786dd61880b418061e7ab53c560ab69e979879a27c2feb9f68a62996b72
- SHA512: 94c37b5035aa66cbc0d7610ed42ef476608921acf474d6b241f4a8d0b4b4889110fed2d06c66ef6e5c7b3b1f5f490d75ccec0e48368f7bad046845f9ec32600c
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3548-12-0x0000000006DB0000-0x0000000006DD3000-memory.dmp | family_redline
  behavioral2/memory/3548-14-0x0000000006F60000-0x0000000006F82000-memory.dmp | family_redline
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  3548 | msconfig.exe
- UPX-packed resource (signature name missing from the report)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe | upx
  C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe | upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | whoer.net
  9 | whoer.net
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  3548 | msconfig.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 816 | SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe
  Token: SeDebugPrivilege | 3548 | msconfig.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each of the three rows below is reported three times, giving 9 IoCs):
  description | pid | process | target process
  PID 816 wrote to memory of 3548 | 816 | SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe | msconfig.exe
  PID 3548 wrote to memory of 960 | 3548 | msconfig.exe | cmd.exe
  PID 960 wrote to memory of 3508 | 960 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 3
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe
  MD5: 8b021c061663ac4e87fd8568b47268f8
  SHA1: 6c22ee34fb6a7b6f83d872ed8a96330a6874d229
  SHA256: b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e
  SHA512: 30a42177b43e5b295f5497462ae963f2be7f7b4aaf656114fefc133de4a2def4f1629bcdb310e0234f684e65bc84874d5c9f3807632ebf659ff2ee3f387b786f
- memory/816-2-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp (Filesize: 9.9MB)
- memory/816-3-0x0000000000380000-0x0000000000381000-memory.dmp (Filesize: 4KB)
- memory/960-28-0x0000000000000000-mapping.dmp
- memory/3508-29-0x0000000000000000-mapping.dmp
- memory/3548-15-0x0000000009C80000-0x0000000009C81000-memory.dmp (Filesize: 4KB)
- memory/3548-20-0x000000000AF40000-0x000000000AF41000-memory.dmp (Filesize: 4KB)
- memory/3548-11-0x0000000073E90000-0x000000007457E000-memory.dmp (Filesize: 6.9MB)
- memory/3548-12-0x0000000006DB0000-0x0000000006DD3000-memory.dmp (Filesize: 140KB)
- memory/3548-13-0x0000000009780000-0x0000000009781000-memory.dmp (Filesize: 4KB)
- memory/3548-14-0x0000000006F60000-0x0000000006F82000-memory.dmp (Filesize: 136KB)
- memory/3548-9-0x0000000006CB0000-0x0000000006CB1000-memory.dmp (Filesize: 4KB)
- memory/3548-16-0x00000000070D0000-0x00000000070D1000-memory.dmp (Filesize: 4KB)
- memory/3548-17-0x0000000007110000-0x0000000007111000-memory.dmp (Filesize: 4KB)
- memory/3548-18-0x00000000095B0000-0x00000000095B1000-memory.dmp (Filesize: 4KB)
- memory/3548-19-0x000000000A290000-0x000000000A291000-memory.dmp (Filesize: 4KB)
- memory/3548-10-0x0000000007150000-0x0000000007151000-memory.dmp (Filesize: 4KB)
- memory/3548-21-0x000000000B110000-0x000000000B111000-memory.dmp (Filesize: 4KB)
- memory/3548-22-0x000000000B730000-0x000000000B731000-memory.dmp (Filesize: 4KB)
- memory/3548-23-0x000000000B7F0000-0x000000000B7F1000-memory.dmp (Filesize: 4KB)
- memory/3548-24-0x000000000B880000-0x000000000B881000-memory.dmp (Filesize: 4KB)
- memory/3548-25-0x000000000BBF0000-0x000000000BBF1000-memory.dmp (Filesize: 4KB)
- memory/3548-26-0x000000000BCF0000-0x000000000BCF1000-memory.dmp (Filesize: 4KB)
- memory/3548-27-0x000000000CD80000-0x000000000CD81000-memory.dmp (Filesize: 4KB)
- memory/3548-8-0x0000000004F79000-0x0000000004F7A000-memory.dmp (Filesize: 4KB)
- memory/3548-5-0x0000000000000000-mapping.dmp