Analysis
- max time kernel: 150s
- max time network: 59s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-03-2021 11:54
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Size: 817KB
- MD5: b4374d21ebb16da6b2900a4959e46910
- SHA1: 13c11a3abc2c5c930a46449637c79067c07501ea
- SHA256: 3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13
- SHA512: e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/936-9-0x0000000000400000-0x0000000000426000-memory.dmp: family_redline
  - behavioral1/memory/936-10-0x000000000041F3A6-mapping.dmp: family_redline
  - behavioral1/memory/936-12-0x0000000000400000-0x0000000000426000-memory.dmp: family_redline
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  - 332 file.exe
  - 1380 libmfxsw32.exe
  - 572 libmfxsw32.exe
  - 1356 libmfxsw32.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
  - 936 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Modifies file permissions (1 TTPs, 3 IoCs)
  Processes (pid, process):
  - 1084 icacls.exe
  - 896 icacls.exe
  - 1608 icacls.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 1932 set thread context of 936: 1932 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe -> SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  - 936 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 936 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (description, pid, process, target process; identical entries counted):
  - PID 1932 wrote to memory of 936: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe -> SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe (9 times)
  - PID 936 wrote to memory of 332: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe -> file.exe (4 times)
  - PID 332 wrote to memory of 564: file.exe -> cmd.exe (4 times)
  - PID 564 wrote to memory of 1084: cmd.exe -> icacls.exe (4 times)
  - PID 564 wrote to memory of 896: cmd.exe -> icacls.exe (4 times)
  - PID 564 wrote to memory of 1608: cmd.exe -> icacls.exe (4 times)
  - PID 1108 wrote to memory of 572: taskeng.exe -> libmfxsw32.exe (4 times)
  - PID 1108 wrote to memory of 1380: taskeng.exe -> libmfxsw32.exe (4 times)
  - PID 1108 wrote to memory of 1356: taskeng.exe -> libmfxsw32.exe (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
    command line: "{path}"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\file.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          - Modifies file permissions
        - C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          - Modifies file permissions
        - C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
          - Modifies file permissions
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {6EB1BE6E-F68F-441E-989F-C260F7A1BA25} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5: f82b9f7268b8ee957ba06383eed7f288
  SHA1: a071939ffd8e94ebc6b8115777acb923962727cc
  SHA256: 0a1783158749faf32af6feb562f8fa15fff25b40ff0275691032b0c16525ff72
  SHA512: e5fc306b851b128045b843d3bbd72f771c9927b8f7cdff30089cb48c9da7d67fc9abae3abc4aea99657d157f7b7f85e42b2986b6461c4abcd81a0a0f2b7e7ca6
- C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  MD5: f82b9f7268b8ee957ba06383eed7f288
  SHA1: a071939ffd8e94ebc6b8115777acb923962727cc
  SHA256: 0a1783158749faf32af6feb562f8fa15fff25b40ff0275691032b0c16525ff72
  SHA512: e5fc306b851b128045b843d3bbd72f771c9927b8f7cdff30089cb48c9da7d67fc9abae3abc4aea99657d157f7b7f85e42b2986b6461c4abcd81a0a0f2b7e7ca6
- \Users\Admin\AppData\Local\Temp\file.exe
  MD5: f82b9f7268b8ee957ba06383eed7f288
  SHA1: a071939ffd8e94ebc6b8115777acb923962727cc
  SHA256: 0a1783158749faf32af6feb562f8fa15fff25b40ff0275691032b0c16525ff72
  SHA512: e5fc306b851b128045b843d3bbd72f771c9927b8f7cdff30089cb48c9da7d67fc9abae3abc4aea99657d157f7b7f85e42b2986b6461c4abcd81a0a0f2b7e7ca6
- memory/332-18-0x00000000750C1000-0x00000000750C3000-memory.dmp (Filesize 8KB)
- memory/332-16-0x0000000000000000-mapping.dmp
- memory/564-20-0x0000000000000000-mapping.dmp
- memory/572-24-0x0000000000000000-mapping.dmp
- memory/896-22-0x0000000000000000-mapping.dmp
- memory/936-14-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize 4KB)
- memory/936-12-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/936-11-0x0000000073E00000-0x00000000744EE000-memory.dmp (Filesize 6.9MB)
- memory/936-10-0x000000000041F3A6-mapping.dmp
- memory/936-9-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/1084-21-0x0000000000000000-mapping.dmp
- memory/1356-30-0x0000000000000000-mapping.dmp
- memory/1380-25-0x0000000000000000-mapping.dmp
- memory/1608-23-0x0000000000000000-mapping.dmp
- memory/1932-8-0x0000000000A50000-0x0000000000A7C000-memory.dmp (Filesize 176KB)
- memory/1932-2-0x0000000073E00000-0x00000000744EE000-memory.dmp (Filesize 6.9MB)
- memory/1932-7-0x0000000005630000-0x000000000569C000-memory.dmp (Filesize 432KB)
- memory/1932-6-0x00000000005B0000-0x00000000005B2000-memory.dmp (Filesize 8KB)
- memory/1932-5-0x0000000000A90000-0x0000000000A91000-memory.dmp (Filesize 4KB)
- memory/1932-3-0x0000000000FE0000-0x0000000000FE1000-memory.dmp (Filesize 4KB)