Analysis
- max time kernel: 61s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 19:14
Behavioral task behavioral1
- Sample: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Resource: win7v20201028
Behavioral task behavioral2
- Sample: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Resource: win10v20201028
General
- Target: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Size: 2.6MB
- MD5: 7d5efe07472bd441a9d6b3eefc33008f
- SHA1: bd2d32b6b2145489eb7cf1371315bf97661e7f86
- SHA256: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca
- SHA512: 49e87152870ddecfc8695fce4d6c81d0bab0889be26c85a3b14b0abf1f60cb848f63c244fde55266c72d58ac1a2c7e38e633b828e8177dc64fbda2c8e003c7bb
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments. On a default VirtualBox guest both values queried below carry the hypervisor's "VBOX" string, which is why this check pairs with the ACPI signature above.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Yara rule match: themida
  Processes:
  resource | yara_rule
  behavioral2/memory/4684-3-0x0000000000140000-0x0000000000141000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4684 | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
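The BIOS and EnableLUA signatures above are nothing more than ordinary registry value reads under HKLM (the report spells the hive as \REGISTRY\MACHINE). The script below is an added example for this report, not code from the sample or from the sandbox vendor: it replicates those three reads so a sandbox operator can see exactly what this sample would see on their VM. The hypervisor marker strings in VM_MARKERS are an assumption drawn from common BIOS strings (a default VirtualBox guest reports "VBOX   - 1"), not values taken from the report.

```python
"""Replicate the registry probes this RedLine sample performs.

Added example; not the sample's or the sandbox's code.  VM_MARKERS is an
assumption (common hypervisor BIOS strings), not data from the report.
"""
import sys
from typing import Iterable, Optional

# Value paths taken from the report's "Key value queried" IoCs, with
# \REGISTRY\MACHINE expressed as HKEY_LOCAL_MACHINE.
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"

# Substrings hypervisors commonly leave in these BIOS strings (assumption).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "QEMU", "BOCHS", "VMWARE", "VIRTUAL MACHINE")


def bios_strings_indicate_vm(values: Iterable[str]) -> Optional[str]:
    """Return the first hypervisor marker found in any BIOS string, else None.

    SystemBiosVersion is REG_MULTI_SZ, so callers pass every element; the
    comparison is case-insensitive because vendors vary the casing.
    """
    for value in values:
        upper = value.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                return marker
    return None


def uac_enabled(enable_lua: Optional[int]) -> bool:
    """Interpret EnableLUA as the OS does: 0 disables UAC; any other value,
    or a missing value, leaves UAC enabled."""
    return enable_lua is None or enable_lua != 0


def _read_value(subkey: str, name: str):
    """Read one HKLM value on Windows; None if the key or value is absent."""
    import winreg  # Windows-only module, so imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, _type = winreg.QueryValueEx(key, name)
            return data
    except OSError:
        return None


def probe_local_machine() -> dict:
    """Run the sample's three probes against this machine (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry probe only runs on Windows")
    bios = []
    for name in BIOS_VALUES:
        data = _read_value(BIOS_KEY, name)
        if isinstance(data, list):  # REG_MULTI_SZ comes back as a list
            bios.extend(str(x) for x in data)
        elif data is not None:
            bios.append(str(data))
    enable_lua = _read_value(UAC_KEY, UAC_VALUE)
    return {
        "bios_strings": bios,
        "vm_marker": bios_strings_indicate_vm(bios),
        "uac_enabled": uac_enabled(enable_lua),
    }


if __name__ == "__main__":
    result = probe_local_machine()
    for key, val in result.items():
        print(f"{key}: {val}")
    if result["vm_marker"]:
        print("fingerprintable: patch SystemBiosVersion/VideoBiosVersion in the guest")
```

Run it inside the analysis VM; a non-None vm_marker means the guest leaks its hypervisor through the same values this sample reads, and the fix is to overwrite those strings (or use a hypervisor that lets you set the DMI/BIOS strings) before detonating evasive samples.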
Processes
- C:\Users\Admin\AppData\Local\Temp\291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe (PID 4684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file | size
memory/4684-2-0x0000000073900000-0x0000000073FEE000-memory.dmp | 6.9MB
memory/4684-3-0x0000000000140000-0x0000000000141000-memory.dmp | 4KB
memory/4684-5-0x0000000005B80000-0x0000000005B81000-memory.dmp | 4KB
memory/4684-6-0x0000000005570000-0x0000000005571000-memory.dmp | 4KB
memory/4684-7-0x0000000003420000-0x0000000003421000-memory.dmp | 4KB
memory/4684-8-0x00000000055B0000-0x00000000055B1000-memory.dmp | 4KB
memory/4684-9-0x0000000003400000-0x0000000003401000-memory.dmp | 4KB
memory/4684-10-0x0000000005840000-0x0000000005841000-memory.dmp | 4KB