Analysis
- max time kernel: 44s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 20:12
Behavioral task: behavioral1
- Sample: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Resource: win10v20201028
General
- Target: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Size: 2.6MB
- MD5: 7d5efe07472bd441a9d6b3eefc33008f
- SHA1: bd2d32b6b2145489eb7cf1371315bf97661e7f86
- SHA256: 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca
- SHA512: 49e87152870ddecfc8695fce4d6c81d0bab0889be26c85a3b14b0abf1f60cb848f63c244fde55266c72d58ac1a2c7e38e633b828e8177dc64fbda2c8e003c7bb
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- YARA rule match: themida
  Processes:
  resource | yara_rule
  behavioral2/memory/3636-3-0x0000000000210000-0x0000000000211000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3636 | 291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource | Filesize
memory/3636-2-0x0000000073BA0000-0x000000007428E000-memory.dmp | 6.9MB
memory/3636-3-0x0000000000210000-0x0000000000211000-memory.dmp | 4KB
memory/3636-5-0x00000000058E0000-0x00000000058E1000-memory.dmp | 4KB
memory/3636-6-0x00000000052D0000-0x00000000052D1000-memory.dmp | 4KB
memory/3636-7-0x00000000031A0000-0x00000000031A1000-memory.dmp | 4KB
memory/3636-8-0x0000000005330000-0x0000000005331000-memory.dmp | 4KB
memory/3636-9-0x0000000003180000-0x0000000003181000-memory.dmp | 4KB
memory/3636-10-0x00000000055C0000-0x00000000055C1000-memory.dmp | 4KB