redline | 677618666eb31c80e9dbecb17907676d2da2a39d24f7c20785ef577239ef5e6f

Analysis

max time kernel
150s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
23-02-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TI.exe
Size

2.5MB
MD5

a5d3fdf55abb54ec0b632dee9d3459d4
SHA1

c177421eb77f0d341e5d1bd6cfbccb60e0c86a1c
SHA256

677618666eb31c80e9dbecb17907676d2da2a39d24f7c20785ef577239ef5e6f
SHA512

4faafc484d66545a3355ba4d76da6dd021b556a06ec5b15fa8b4b8a4f1161b44ffad5e654991cf658fc6bd49b458e59586155dfdf339e1150b278ff5b9a41324

Score

10^/10

redline xmrig discovery evasion infostealer miner spyware themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/3904-37-0x00007FF7B6530000-0x00007FF7B76E8000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

pid	Process
2760	1zjzhjbg.exe
2980	i2sjufgt.exe
3904	cpu.exe
904	RantimeBroker.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1zjzhjbg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	i2sjufgt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	i2sjufgt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RantimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RantimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1zjzhjbg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 9 IoCs

Detects Themida, Advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/496-5-0x0000000000950000-0x0000000000951000-memory.dmp	themida
behavioral2/files/0x000200000001ab8f-9.dat	themida
behavioral2/memory/2760-12-0x00000000000E0000-0x00000000000E1000-memory.dmp	themida
behavioral2/files/0x000100000001ab93-16.dat	themida
behavioral2/files/0x000100000001ab93-17.dat	themida
behavioral2/memory/2980-23-0x0000000000250000-0x0000000000251000-memory.dmp	themida
behavioral2/files/0x000100000001ab96-47.dat	themida
behavioral2/files/0x000100000001ab96-48.dat	themida
behavioral2/memory/904-52-0x0000000001380000-0x0000000001381000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i2sjufgt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RantimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1zjzhjbg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
496	TI.exe
2760	1zjzhjbg.exe
2980	i2sjufgt.exe
904	RantimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe
2980	i2sjufgt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	496	TI.exe
Token: SeDebugPrivilege	2980	i2sjufgt.exe
Token: SeLockMemoryPrivilege	3904	cpu.exe
Token: SeLockMemoryPrivilege	3904	cpu.exe
Token: SeDebugPrivilege	2760	1zjzhjbg.exe
Token: SeDebugPrivilege	904	RantimeBroker.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 2760	496	TI.exe	75
PID 496 wrote to memory of 2760	496	TI.exe	75
PID 496 wrote to memory of 2760	496	TI.exe	75
PID 496 wrote to memory of 2980	496	TI.exe	78
PID 496 wrote to memory of 2980	496	TI.exe	78
PID 496 wrote to memory of 2980	496	TI.exe	78
PID 2980 wrote to memory of 3476	2980	i2sjufgt.exe	79
PID 2980 wrote to memory of 3476	2980	i2sjufgt.exe	79
PID 2980 wrote to memory of 3476	2980	i2sjufgt.exe	79
PID 2980 wrote to memory of 3904	2980	i2sjufgt.exe	81
PID 2980 wrote to memory of 3904	2980	i2sjufgt.exe	81

C:\Users\Admin\AppData\Local\Temp\TI.exe
"C:\Users\Admin\AppData\Local\Temp\TI.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496
- C:\Users\Admin\AppData\Local\1zjzhjbg.exe
  "C:\Users\Admin\AppData\Local\1zjzhjbg.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Users\Admin\AppData\Local\i2sjufgt.exe
  "C:\Users\Admin\AppData\Local\i2sjufgt.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service © Microsoft Corporation" /tr "C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3476
- - C:\Users\Admin\AppData\Roaming\Windows\CPU\cpu.exe
    "C:\Users\Admin\AppData\Roaming\Windows\CPU\cpu.exe" -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3904

C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe
C:\Users\Admin\AppData\Roaming\Windows\RantimeBroker.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-7-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/496-5-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/496-4-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/496-3-0x0000000077C64000-0x0000000077C65000-memory.dmp

Filesize
4KB

Download
memory/904-51-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/904-52-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/904-54-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/2760-40-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/2760-14-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/2760-25-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/2760-11-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2760-28-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2760-12-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2760-39-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/2760-31-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2760-32-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2760-33-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/2760-44-0x00000000087F0000-0x00000000087F1000-memory.dmp

Filesize
4KB

Download
memory/2760-20-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/2760-42-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/2760-19-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2980-30-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2980-22-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-27-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/2980-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3904-38-0x0000026E8E6B0000-0x0000026E8E6D0000-memory.dmp

Filesize
128KB

Download
memory/3904-37-0x00007FF7B6530000-0x00007FF7B76E8000-memory.dmp

Filesize
17.7MB

Download
memory/3904-36-0x0000026E8CCF0000-0x0000026E8CD04000-memory.dmp

Filesize
80KB

Download
memory/3904-45-0x0000026F20E30000-0x0000026F20E50000-memory.dmp

Filesize
128KB

Download
memory/3904-46-0x0000026F20E50000-0x0000026F20E70000-memory.dmp

Filesize
128KB

Download