Analysis

  • max time kernel: 17s
  • max time network: 112s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 16-01-2021 07:30

General

  • Target: 1c7b5feef64697929d2b89c6e53e1642.exe
  • Size: 352KB
  • MD5: 1c7b5feef64697929d2b89c6e53e1642
  • SHA1: 3188662f3ce00e97131f98c9824c8d26e5086bbb
  • SHA256: 521bbb71dd98cad2946f25016fe0eb27ce076423b09819abc5dd09d24939a769
  • SHA512: 0e76a0478a865305166f09d619f9fe95a07a54d1e591824f7b5ffd7726179b873104dcca281ae7ac10f1bc1ac18fffeebb45daaa4e4d73ebde6757a9031bfaf7

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c7b5feef64697929d2b89c6e53e1642.exe
    "C:\Users\Admin\AppData\Local\Temp\1c7b5feef64697929d2b89c6e53e1642.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4056

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4056-2-0x0000000004886000-0x0000000004887000-memory.dmp (Filesize: 4KB)
  • memory/4056-3-0x0000000006350000-0x0000000006351000-memory.dmp (Filesize: 4KB)
  • memory/4056-4-0x0000000006510000-0x0000000006511000-memory.dmp (Filesize: 4KB)
  • memory/4056-5-0x00000000732A0000-0x000000007398E000-memory.dmp (Filesize: 6.9MB)
  • memory/4056-6-0x00000000063D0000-0x00000000063F9000-memory.dmp (Filesize: 164KB)
  • memory/4056-7-0x0000000008D90000-0x0000000008D91000-memory.dmp (Filesize: 4KB)
  • memory/4056-8-0x00000000064D0000-0x00000000064F7000-memory.dmp (Filesize: 156KB)
  • memory/4056-9-0x0000000009290000-0x0000000009291000-memory.dmp (Filesize: 4KB)
  • memory/4056-10-0x00000000068F0000-0x00000000068F1000-memory.dmp (Filesize: 4KB)
  • memory/4056-13-0x0000000008CD0000-0x0000000008CD1000-memory.dmp (Filesize: 4KB)
  • memory/4056-16-0x0000000008D10000-0x0000000008D11000-memory.dmp (Filesize: 4KB)
  • memory/4056-17-0x0000000009970000-0x0000000009971000-memory.dmp (Filesize: 4KB)
  • memory/4056-18-0x000000000A650000-0x000000000A651000-memory.dmp (Filesize: 4KB)
  • memory/4056-19-0x000000000A820000-0x000000000A821000-memory.dmp (Filesize: 4KB)
  • memory/4056-20-0x000000000AE50000-0x000000000AE51000-memory.dmp (Filesize: 4KB)
  • memory/4056-21-0x000000000AF10000-0x000000000AF11000-memory.dmp (Filesize: 4KB)
  • memory/4056-22-0x000000000AFA0000-0x000000000AFA1000-memory.dmp (Filesize: 4KB)
  • memory/4056-23-0x000000000B370000-0x000000000B371000-memory.dmp (Filesize: 4KB)
  • memory/4056-24-0x000000000C0B0000-0x000000000C0B1000-memory.dmp (Filesize: 4KB)
  • memory/4056-25-0x000000000C450000-0x000000000C451000-memory.dmp (Filesize: 4KB)