Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-02-2021 00:53
General
-
Target
e2111cb3b07841995b0a0e4678c69c85.exe
-
Size
622KB
-
MD5
e2111cb3b07841995b0a0e4678c69c85
-
SHA1
7d9d4ab1b35208d076d7fe45405e6986178a287d
-
SHA256
b666325729d0aa8e49292441558e945d0075439d6e6a544181fe708864835383
-
SHA512
653f1a0052bfc026cfff35c3ac4475e1e5f6cb2a2355ceb45f507c66b5e2898002c1c7a9d3af88634eba261020628c82406d6f978600a063a710b7e80c77e856
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2111cb3b07841995b0a0e4678c69c85.exe"C:\Users\Admin\AppData\Local\Temp\e2111cb3b07841995b0a0e4678c69c85.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\paperships\noabu.exenoabu.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\paperships\noabu.exeMD5
41ccae281672141f14028e730c70b618
SHA102de56652fa90ab1304c4b22f394ba9d5e132dfd
SHA2560e09d3298aae4a2a440ae32321a8f6db607e9cb072156b17eb8fb12b212c1cf6
SHA512e59a4a14c27365fad90b08feaca57c825f4c6c74b0f551ab0fc652b366d78a26672f85ef37f25249c8d92fe4163773a19eb494ca27cf54fc2d0c704dcfdc95c4
-
\Users\Admin\AppData\Roaming\paperships\noabu.exeMD5
41ccae281672141f14028e730c70b618
SHA102de56652fa90ab1304c4b22f394ba9d5e132dfd
SHA2560e09d3298aae4a2a440ae32321a8f6db607e9cb072156b17eb8fb12b212c1cf6
SHA512e59a4a14c27365fad90b08feaca57c825f4c6c74b0f551ab0fc652b366d78a26672f85ef37f25249c8d92fe4163773a19eb494ca27cf54fc2d0c704dcfdc95c4
-
memory/384-3-0x0000000076241000-0x0000000076243000-memory.dmpFilesize
8KB
-
memory/384-4-0x0000000000230000-0x00000000002FF000-memory.dmpFilesize
828KB
-
memory/384-5-0x0000000000400000-0x00000000004D5000-memory.dmpFilesize
852KB
-
memory/384-2-0x0000000000BA0000-0x0000000000BB1000-memory.dmpFilesize
68KB
-
memory/652-15-0x0000000073C00000-0x00000000742EE000-memory.dmpFilesize
6.9MB
-
memory/652-9-0x0000000000000000-mapping.dmp
-
memory/652-11-0x0000000000AE0000-0x0000000000AF1000-memory.dmpFilesize
68KB
-
memory/652-12-0x00000000022E0000-0x00000000022F1000-memory.dmpFilesize
68KB
-
memory/652-13-0x0000000000230000-0x0000000000265000-memory.dmpFilesize
212KB
-
memory/652-14-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/652-16-0x00000000008F0000-0x0000000000919000-memory.dmpFilesize
164KB
-
memory/652-17-0x0000000004CE1000-0x0000000004CE2000-memory.dmpFilesize
4KB
-
memory/652-18-0x0000000004CE2000-0x0000000004CE3000-memory.dmpFilesize
4KB
-
memory/652-19-0x00000000024E0000-0x0000000002507000-memory.dmpFilesize
156KB
-
memory/652-20-0x0000000004CE3000-0x0000000004CE4000-memory.dmpFilesize
4KB
-
memory/652-21-0x0000000004CE4000-0x0000000004CE6000-memory.dmpFilesize
8KB
-
memory/820-7-0x000007FEF7300000-0x000007FEF757A000-memory.dmpFilesize
2.5MB