Analysis
-
max time kernel
90s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-03-2021 06:40
Static task
static1
Behavioral task
behavioral1
Sample
2a4dd042c4fa1dbe3976301e7e960a56.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
2a4dd042c4fa1dbe3976301e7e960a56.exe
Resource
win10v20201028
General
-
Target
2a4dd042c4fa1dbe3976301e7e960a56.exe
-
Size
586KB
-
MD5
2a4dd042c4fa1dbe3976301e7e960a56
-
SHA1
6f85a75e658e65e5d028f7c5262a74c40f32c19e
-
SHA256
6343e83da8699df5471ed6ef0364606e6918b9aeb8f94de5bf6759440992537b
-
SHA512
e9b8a01a6420c459b469db5ff03ba0ab5b4663cd1ef6edde83d07aedb3e6001017f7a9013f09e9ca4e8fae4665e7a06f9b4508ed4e4e0a974efef2b7799f2fef
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 1 IoCs
Processes:
noabu.exepid process 3948 noabu.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
2a4dd042c4fa1dbe3976301e7e960a56.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2a4dd042c4fa1dbe3976301e7e960a56.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2a4dd042c4fa1dbe3976301e7e960a56.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
noabu.exepid process 3948 noabu.exe 3948 noabu.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
noabu.exedescription pid process Token: SeDebugPrivilege 3948 noabu.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2a4dd042c4fa1dbe3976301e7e960a56.exedescription pid process target process PID 3584 wrote to memory of 3948 3584 2a4dd042c4fa1dbe3976301e7e960a56.exe noabu.exe PID 3584 wrote to memory of 3948 3584 2a4dd042c4fa1dbe3976301e7e960a56.exe noabu.exe PID 3584 wrote to memory of 3948 3584 2a4dd042c4fa1dbe3976301e7e960a56.exe noabu.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a4dd042c4fa1dbe3976301e7e960a56.exe"C:\Users\Admin\AppData\Local\Temp\2a4dd042c4fa1dbe3976301e7e960a56.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\purefoe\noabu.exenoabu.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\purefoe\noabu.exeMD5
3559653e624d3f27360f1b64e5251b5e
SHA16e1329621f3c3263cdea637ac041657a51fe53b8
SHA256cd9c2cdb807a8c65e1804c98dfc631ef86fd0d0248f99da9465c061c34142995
SHA512434955f1a953f05e9db9ee764ded89adecf478b841eeabfa9f01ebbbd9198ba49a0481b950dc52b94c101d0db30a74f9384ed326a69cdfeb46b5551505fc8aa0
-
C:\Users\Admin\AppData\Roaming\purefoe\noabu.exeMD5
3559653e624d3f27360f1b64e5251b5e
SHA16e1329621f3c3263cdea637ac041657a51fe53b8
SHA256cd9c2cdb807a8c65e1804c98dfc631ef86fd0d0248f99da9465c061c34142995
SHA512434955f1a953f05e9db9ee764ded89adecf478b841eeabfa9f01ebbbd9198ba49a0481b950dc52b94c101d0db30a74f9384ed326a69cdfeb46b5551505fc8aa0
-
memory/3584-3-0x0000000003110000-0x00000000031DF000-memory.dmpFilesize
828KB
-
memory/3584-4-0x0000000000400000-0x00000000004D5000-memory.dmpFilesize
852KB
-
memory/3584-2-0x0000000003290000-0x0000000003291000-memory.dmpFilesize
4KB
-
memory/3948-21-0x00000000073A2000-0x00000000073A3000-memory.dmpFilesize
4KB
-
memory/3948-24-0x00000000073A4000-0x00000000073A6000-memory.dmpFilesize
8KB
-
memory/3948-13-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/3948-14-0x0000000002F40000-0x0000000002F75000-memory.dmpFilesize
212KB
-
memory/3948-15-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/3948-16-0x0000000072A20000-0x000000007310E000-memory.dmpFilesize
6.9MB
-
memory/3948-17-0x0000000004980000-0x00000000049AA000-memory.dmpFilesize
168KB
-
memory/3948-18-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/3948-19-0x0000000004CD0000-0x0000000004CF8000-memory.dmpFilesize
160KB
-
memory/3948-9-0x0000000000000000-mapping.dmp
-
memory/3948-20-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/3948-22-0x00000000073A3000-0x00000000073A4000-memory.dmpFilesize
4KB
-
memory/3948-23-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/3948-12-0x0000000003160000-0x0000000003161000-memory.dmpFilesize
4KB
-
memory/3948-25-0x0000000007DB0000-0x0000000007DB1000-memory.dmpFilesize
4KB
-
memory/3948-26-0x0000000007F90000-0x0000000007F91000-memory.dmpFilesize
4KB
-
memory/3948-27-0x0000000008620000-0x0000000008621000-memory.dmpFilesize
4KB
-
memory/3948-28-0x0000000008640000-0x0000000008641000-memory.dmpFilesize
4KB
-
memory/3948-29-0x00000000087B0000-0x00000000087B1000-memory.dmpFilesize
4KB
-
memory/3948-30-0x0000000008930000-0x0000000008931000-memory.dmpFilesize
4KB
-
memory/3948-31-0x0000000009140000-0x0000000009141000-memory.dmpFilesize
4KB
-
memory/3948-32-0x0000000009320000-0x0000000009321000-memory.dmpFilesize
4KB
-
memory/3948-33-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/3948-34-0x0000000009A10000-0x0000000009A11000-memory.dmpFilesize
4KB
-
memory/3948-35-0x000000000A260000-0x000000000A261000-memory.dmpFilesize
4KB