Analysis

  • max time kernel
    33s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 05:49

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe

  • Size

    535KB

  • MD5

    0394ed76010d0e8255ccafec70223c27

  • SHA1

    ce76f575ddbbedd13423fc58923f76967a83b533

  • SHA256

    51615786dd61880b418061e7ab53c560ab69e979879a27c2feb9f68a62996b72

  • SHA512

    94c37b5035aa66cbc0d7610ed42ef476608921acf474d6b241f4a8d0b4b4889110fed2d06c66ef6e5c7b3b1f5f490d75ccec0e48368f7bad046845f9ec32600c

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36094879.31571.9882.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe
      "C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • Runs ping.exe
          PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe
    MD5

    8b021c061663ac4e87fd8568b47268f8

    SHA1

    6c22ee34fb6a7b6f83d872ed8a96330a6874d229

    SHA256

    b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e

    SHA512

    30a42177b43e5b295f5497462ae963f2be7f7b4aaf656114fefc133de4a2def4f1629bcdb310e0234f684e65bc84874d5c9f3807632ebf659ff2ee3f387b786f

  • C:\Users\Admin\AppData\Roaming\CurrencyWidgets\msconfig.exe
    MD5

    8b021c061663ac4e87fd8568b47268f8

    SHA1

    6c22ee34fb6a7b6f83d872ed8a96330a6874d229

    SHA256

    b721b7bd732b96647e8603f5beaa7bd1a0ab6f861f525eeaae3927a367d4231e

    SHA512

    30a42177b43e5b295f5497462ae963f2be7f7b4aaf656114fefc133de4a2def4f1629bcdb310e0234f684e65bc84874d5c9f3807632ebf659ff2ee3f387b786f

  • memory/816-2-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp
    Filesize

    9.9MB

  • memory/816-3-0x0000000000380000-0x0000000000381000-memory.dmp
    Filesize

    4KB

  • memory/960-28-0x0000000000000000-mapping.dmp
  • memory/3508-29-0x0000000000000000-mapping.dmp
  • memory/3548-15-0x0000000009C80000-0x0000000009C81000-memory.dmp
    Filesize

    4KB

  • memory/3548-20-0x000000000AF40000-0x000000000AF41000-memory.dmp
    Filesize

    4KB

  • memory/3548-11-0x0000000073E90000-0x000000007457E000-memory.dmp
    Filesize

    6.9MB

  • memory/3548-12-0x0000000006DB0000-0x0000000006DD3000-memory.dmp
    Filesize

    140KB

  • memory/3548-13-0x0000000009780000-0x0000000009781000-memory.dmp
    Filesize

    4KB

  • memory/3548-14-0x0000000006F60000-0x0000000006F82000-memory.dmp
    Filesize

    136KB

  • memory/3548-9-0x0000000006CB0000-0x0000000006CB1000-memory.dmp
    Filesize

    4KB

  • memory/3548-16-0x00000000070D0000-0x00000000070D1000-memory.dmp
    Filesize

    4KB

  • memory/3548-17-0x0000000007110000-0x0000000007111000-memory.dmp
    Filesize

    4KB

  • memory/3548-18-0x00000000095B0000-0x00000000095B1000-memory.dmp
    Filesize

    4KB

  • memory/3548-19-0x000000000A290000-0x000000000A291000-memory.dmp
    Filesize

    4KB

  • memory/3548-10-0x0000000007150000-0x0000000007151000-memory.dmp
    Filesize

    4KB

  • memory/3548-21-0x000000000B110000-0x000000000B111000-memory.dmp
    Filesize

    4KB

  • memory/3548-22-0x000000000B730000-0x000000000B731000-memory.dmp
    Filesize

    4KB

  • memory/3548-23-0x000000000B7F0000-0x000000000B7F1000-memory.dmp
    Filesize

    4KB

  • memory/3548-24-0x000000000B880000-0x000000000B881000-memory.dmp
    Filesize

    4KB

  • memory/3548-25-0x000000000BBF0000-0x000000000BBF1000-memory.dmp
    Filesize

    4KB

  • memory/3548-26-0x000000000BCF0000-0x000000000BCF1000-memory.dmp
    Filesize

    4KB

  • memory/3548-27-0x000000000CD80000-0x000000000CD81000-memory.dmp
    Filesize

    4KB

  • memory/3548-8-0x0000000004F79000-0x0000000004F7A000-memory.dmp
    Filesize

    4KB

  • memory/3548-5-0x0000000000000000-mapping.dmp