Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-03-2021 13:59
- Static task: static1
- Behavioral task: behavioral1 (Sample: lilal1.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: lilal1.exe, Resource: win10v20201028)

General
- Target: lilal1.exe
- Size: 1.1MB
- MD5: 53491ccbc0a3cfea20af934cf4a460b4
- SHA1: 2208a9d51224806826e0c9648c486ddcf16e1ddb
- SHA256: 5d5c572bd9c5a93783e2fbd7c551b54570ab531df2b7d1b93758453c4124db03
- SHA512: 87be88c619f97dfbbebac622bd89fc3be278b7ff5b62a4ab96b4fdb1323d227c07ab274c41383bf95672c00a29230ecb19afb6a09b7b62087ef684860f2e561b
Malware Config

Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes (resource, yara_rule):
  behavioral1/memory/1380-22-0x0000000000090000-0x00000000000B6000-memory.dmp: family_redline
  behavioral1/memory/1380-28-0x0000000000090000-0x00000000000B6000-memory.dmp: family_redline
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1456 Tutte.exe.com
  804 Tutte.exe.com
  1380 RegAsm.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  1900 cmd.exe
  804 Tutte.exe.com
  1380 RegAsm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  PID 804 set thread context of 1380: Tutte.exe.com -> RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  1380 RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 1380 RegAsm.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description, pid, process, target process), with identical entries counted together:
  PID 1100 wrote to memory of 1148: lilal1.exe -> cmd.exe (4 entries)
  PID 1100 wrote to memory of 1968: lilal1.exe -> cmd.exe (4 entries)
  PID 1968 wrote to memory of 1900: cmd.exe -> cmd.exe (4 entries)
  PID 1900 wrote to memory of 1732: cmd.exe -> findstr.exe (4 entries)
  PID 1900 wrote to memory of 1456: cmd.exe -> Tutte.exe.com (4 entries)
  PID 1900 wrote to memory of 564: cmd.exe -> PING.EXE (4 entries)
  PID 1456 wrote to memory of 804: Tutte.exe.com -> Tutte.exe.com (4 entries)
  PID 804 wrote to memory of 1380: Tutte.exe.com -> RegAsm.exe (9 entries)
Processes (nested by parent process; the "command line" is the command each process was started with)
- C:\Users\Admin\AppData\Local\Temp\lilal1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\lilal1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo ZbDljxuR
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Chi.pps
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^KOfqYXFXHXfiHgLIXiOAXifqprhOanReqPVmXdtCRQtPPPnMTPrxfhxDngQVKRFpyhuRzjLGrjJieAkxFAUCxbMNcswIAoSqkVKBIGaH$" Finita.vssm
      - C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
        command line: Tutte.exe.com r
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
          command line: C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com r
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
            command line: C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 30
        - Runs ping.exe
Downloads