Analysis
- max time kernel: 150s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-03-2021 11:54
- Static task: static1
- Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
- Size: 817KB
- MD5: b4374d21ebb16da6b2900a4959e46910
- SHA1: 13c11a3abc2c5c930a46449637c79067c07501ea
- SHA256: 3f93946193930f305bd0c2f82ce462a6de400072ef0bc2b059ae1aeebb435b13
- SHA512: e95d1d691398778ba431bd3487e0146bcd51a7d48babc2c62f8f6d3a374bc0089792c40d03b40073004d267a8642d151cfa2ee9863b5f5e6395f6007325f6e39
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/3832-13-0x0000000000400000-0x0000000000426000-memory.dmp: family_redline
- behavioral2/memory/3832-14-0x000000000041F3A6-mapping.dmp: family_redline
-
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 3544 file.exe
- 3920 libmfxsw32.exe
- 3568 libmfxsw32.exe
- 2740 libmfxsw32.exe
-
Modifies file permissions 1 TTPs 6 IoCs
Processes (pid, process):
- 2240 icacls.exe
- 3472 icacls.exe
- 3936 icacls.exe
- 3128 icacls.exe
- 1624 icacls.exe
- 1748 icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- set thread context: PID 508 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe, target 3832 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid, process):
- 3832 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3832 SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
Suspicious use of WriteProcessMemory 35 IoCs
Processes (description, pid, process, target process); the report repeats each row once per write event, the repeat count is given at the end of each line:
- PID 508 (SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe) wrote to memory of 3832 (SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe), 8 times
- PID 3832 (SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe) wrote to memory of 3544 (file.exe), 3 times
- PID 3544 (file.exe) wrote to memory of 788 (cmd.exe), 3 times
- PID 3920 (libmfxsw32.exe) wrote to memory of 2204 (cmd.exe), 3 times
- PID 788 (cmd.exe) wrote to memory of 3472 (icacls.exe), 3 times
- PID 788 (cmd.exe) wrote to memory of 3936 (icacls.exe), 3 times
- PID 2204 (cmd.exe) wrote to memory of 3128 (icacls.exe), 3 times
- PID 788 (cmd.exe) wrote to memory of 1624 (icacls.exe), 3 times
- PID 2204 (cmd.exe) wrote to memory of 1748 (icacls.exe), 3 times
- PID 2204 (cmd.exe) wrote to memory of 2240 (icacls.exe), 3 times
Processes (process image path, command line, tree depth in brackets, triggered signatures as sub-items)
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\file.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          - Modifies file permissions
        - [5] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          - Modifies file permissions
        - [5] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
          - Modifies file permissions
- [1] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  Command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      - Modifies file permissions
- [1] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  Command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  - Executes dropped EXE
- [1] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  Command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Inject4.8495.10748.7579.exe.log
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
- C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5: f82b9f7268b8ee957ba06383eed7f288
  SHA1: a071939ffd8e94ebc6b8115777acb923962727cc
  SHA256: 0a1783158749faf32af6feb562f8fa15fff25b40ff0275691032b0c16525ff72
  SHA512: e5fc306b851b128045b843d3bbd72f771c9927b8f7cdff30089cb48c9da7d67fc9abae3abc4aea99657d157f7b7f85e42b2986b6461c4abcd81a0a0f2b7e7ca6
- C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
  MD5: f82b9f7268b8ee957ba06383eed7f288
  SHA1: a071939ffd8e94ebc6b8115777acb923962727cc
  SHA256: 0a1783158749faf32af6feb562f8fa15fff25b40ff0275691032b0c16525ff72
  SHA512: e5fc306b851b128045b843d3bbd72f771c9927b8f7cdff30089cb48c9da7d67fc9abae3abc4aea99657d157f7b7f85e42b2986b6461c4abcd81a0a0f2b7e7ca6
- memory/508-9-0x0000000004CC0000-0x0000000004CC2000-memory.dmp, Filesize: 8KB
- memory/508-7-0x0000000004A20000-0x0000000004A21000-memory.dmp, Filesize: 4KB
- memory/508-11-0x0000000007220000-0x000000000728C000-memory.dmp, Filesize: 432KB
- memory/508-12-0x0000000006F20000-0x0000000006F4C000-memory.dmp, Filesize: 176KB
- memory/508-2-0x0000000073F30000-0x000000007461E000-memory.dmp, Filesize: 6.9MB
- memory/508-3-0x0000000000100000-0x0000000000101000-memory.dmp, Filesize: 4KB
- memory/508-8-0x0000000004CE0000-0x0000000004CE1000-memory.dmp, Filesize: 4KB
- memory/508-5-0x0000000005080000-0x0000000005081000-memory.dmp, Filesize: 4KB
- memory/508-10-0x0000000006F80000-0x0000000006F81000-memory.dmp, Filesize: 4KB
- memory/508-6-0x0000000004AA0000-0x0000000004AA1000-memory.dmp, Filesize: 4KB
- memory/788-38-0x0000000000000000-mapping.dmp
- memory/1624-45-0x0000000000000000-mapping.dmp
- memory/1748-46-0x0000000000000000-mapping.dmp
- memory/2204-41-0x0000000000000000-mapping.dmp
- memory/2240-47-0x0000000000000000-mapping.dmp
- memory/3128-44-0x0000000000000000-mapping.dmp
- memory/3472-42-0x0000000000000000-mapping.dmp
- memory/3544-35-0x0000000000000000-mapping.dmp
- memory/3832-13-0x0000000000400000-0x0000000000426000-memory.dmp, Filesize: 152KB
- memory/3832-23-0x0000000005D00000-0x0000000005D01000-memory.dmp, Filesize: 4KB
- memory/3832-33-0x0000000007430000-0x0000000007431000-memory.dmp, Filesize: 4KB
- memory/3832-31-0x0000000007290000-0x0000000007291000-memory.dmp, Filesize: 4KB
- memory/3832-28-0x0000000007720000-0x0000000007721000-memory.dmp, Filesize: 4KB
- memory/3832-27-0x0000000007020000-0x0000000007021000-memory.dmp, Filesize: 4KB
- memory/3832-26-0x0000000006000000-0x0000000006001000-memory.dmp, Filesize: 4KB
- memory/3832-25-0x0000000005DA0000-0x0000000005DA1000-memory.dmp, Filesize: 4KB
- memory/3832-24-0x0000000005D60000-0x0000000005D61000-memory.dmp, Filesize: 4KB
- memory/3832-32-0x0000000002F21000-0x0000000002F22000-memory.dmp, Filesize: 4KB
- memory/3832-22-0x0000000006280000-0x0000000006281000-memory.dmp, Filesize: 4KB
- memory/3832-14-0x000000000041F3A6-mapping.dmp
- memory/3832-21-0x0000000005AE0000-0x0000000005AE1000-memory.dmp, Filesize: 4KB
- memory/3832-20-0x0000000002F20000-0x0000000002F21000-memory.dmp, Filesize: 4KB
- memory/3832-19-0x0000000005530000-0x0000000005531000-memory.dmp, Filesize: 4KB
- memory/3832-16-0x0000000073F30000-0x000000007461E000-memory.dmp, Filesize: 6.9MB
- memory/3936-43-0x0000000000000000-mapping.dmp