Analysis
- max time kernel: 143s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 23-02-2021 04:34

Static task: static1

Behavioral task: behavioral1
- Sample: 85ef416ea4190eaf38a2697152ee6561.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 85ef416ea4190eaf38a2697152ee6561.exe
- Resource: win10v20201028
General
- Target: 85ef416ea4190eaf38a2697152ee6561.exe
- Size: 3.0MB
- MD5: 85ef416ea4190eaf38a2697152ee6561
- SHA1: 556d37b62d2068273f56a988e4aed4429d7c10f6
- SHA256: f9ef65133d324e1026972cbfbbe86fb0f2a4174a864dedbb45a73857770baaad
- SHA512: acc21ec3f786eaabfc1d296183e218c277fabac86345a02bf45da4c9c864a29193f6c591cc9902389e3301b021e064a2149171c434d1bf95cd62c125962fb4b7
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/604-8-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
behavioral1/memory/604-9-0x000000000041EFCA-mapping.dmp | family_redline
behavioral1/memory/604-11-0x0000000000400000-0x0000000000426000-memory.dmp | family_redline
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
340 | SmartScreen.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
604 | 85ef416ea4190eaf38a2697152ee6561.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1828 set thread context of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
Processes:
85ef416ea4190eaf38a2697152ee6561.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a36
33061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 85ef416ea4190eaf38a2697152ee6561.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 85ef416ea4190eaf38a2697152ee6561.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 
0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c88
6606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 85ef416ea4190eaf38a2697152ee6561.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
604 | 85ef416ea4190eaf38a2697152ee6561.exe
604 | 85ef416ea4190eaf38a2697152ee6561.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 604 | 85ef416ea4190eaf38a2697152ee6561.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604 | 1828 | 85ef416ea4190eaf38a2697152ee6561.exe | 85ef416ea4190eaf38a2697152ee6561.exe
PID 604 wrote to memory of 340 | 604 | 85ef416ea4190eaf38a2697152ee6561.exe | SmartScreen.exe
PID 604 wrote to memory of 340 | 604 | 85ef416ea4190eaf38a2697152ee6561.exe | SmartScreen.exe
PID 604 wrote to memory of 340 | 604 | 85ef416ea4190eaf38a2697152ee6561.exe | SmartScreen.exe
PID 604 wrote to memory of 340 | 604 | 85ef416ea4190eaf38a2697152ee6561.exe | SmartScreen.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe
   "C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe
      "C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe"
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
         "C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5: 9b1d450411df0315c8586d9e9fed1c80
SHA1: a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83
SHA256: e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46
SHA512: 7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c
-
\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5: 9b1d450411df0315c8586d9e9fed1c80
SHA1: a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83
SHA256: e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46
SHA512: 7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c
-
memory/340-22-0x00000000003A0000-0x00000000003A4000-memory.dmp
Filesize: 16KB
-
memory/340-21-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
Filesize: 4KB
-
memory/340-19-0x0000000000130000-0x0000000000131000-memory.dmp
Filesize: 4KB
-
memory/340-18-0x0000000073E00000-0x00000000744EE000-memory.dmp
Filesize: 6.9MB
-
memory/340-15-0x0000000000000000-mapping.dmp
-
memory/604-11-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize: 152KB
-
memory/604-13-0x0000000000200000-0x0000000000201000-memory.dmp
Filesize: 4KB
-
memory/604-10-0x0000000073E00000-0x00000000744EE000-memory.dmp
Filesize: 6.9MB
-
memory/604-9-0x000000000041EFCA-mapping.dmp
-
memory/604-8-0x0000000000400000-0x0000000000426000-memory.dmp
Filesize: 152KB
-
memory/1828-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
Filesize: 6.9MB
-
memory/1828-7-0x0000000000D60000-0x0000000000DA8000-memory.dmp
Filesize: 288KB
-
memory/1828-6-0x0000000005070000-0x0000000005071000-memory.dmp
Filesize: 4KB
-
memory/1828-5-0x00000000004A0000-0x00000000004A3000-memory.dmp
Filesize: 12KB
-
memory/1828-3-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
Filesize: 4KB