Analysis
- max time kernel: 21s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-03-2021 08:37

Behavioral task: behavioral1
- Sample: 725e7cdd6e81b01e6ab7361fd080af6a.exe
- Resource: win7v20201028
General
- Target: 725e7cdd6e81b01e6ab7361fd080af6a.exe
- Size: 5.4MB
- MD5: 725e7cdd6e81b01e6ab7361fd080af6a
- SHA1: 3580c0afb395eed72d0bdd86a129563540f3634e
- SHA256: a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
- SHA512: ef080ab04b48f228ee5c003c07cfb05640fa0450e9a8f1ac7a652f80c9f9490153f49795daa044f5a57fac2448fb2c0237f076187114f546db255e7c221ba887
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

XMRig Miner Payload 2 IoCs
Yara rule matches (the same rule hit the same dropped file twice):
- resource: C:\Users\Admin\AppData\Local\Temp\servs.exe, rule: xmrig
Executes dropped EXE 3 IoCs
Processes:
- PID 2360: evwws.exe
- PID 812: wlevs.exe
- PID 3960: servs.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments. On a VirtualBox guest these two values carry the hypervisor's name (for example "VBOX"), which is what such checks compare against.
Processes (key value queried, by process):
- \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, by 725e7cdd6e81b01e6ab7361fd080af6a.exe
- \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, by 725e7cdd6e81b01e6ab7361fd080af6a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule match: themida
Themida is a commercial packer/protector; the match is on a 4KB region of the main process (PID 1032), listed under the memory dumps below.
Processes:
- resource: behavioral2/memory/1032-4-0x00000000003F0000-0x00000000003F1000-memory.dmp, rule: themida
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
EnableLUA is the policy value that turns User Account Control on (1) or off (0); a dropper reads it to learn whether an elevation prompt stands between it and administrative actions.
Processes (key value queried, by process):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by 725e7cdd6e81b01e6ab7361fd080af6a.exe
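The two registry checks above (the SystemBiosVersion/VideoBiosVersion reads under "Checks BIOS information in registry" and the EnableLUA read here), reimplemented as an added Python example. This is not the sample's code and not the sandbox's logic. It runs against constructed registry snapshots modelled on a VirtualBox guest and a physical machine; the "VBOX"/"VIRTUALBOX" markers, the snapshot values and all helper names are assumptions of the example (the report does not say which strings the sample compares against). On Windows, calling the functions with snapshot=None reads the live values through winreg.

```python
r"""Added example: the registry checks this sample performs, as a
standalone reimplementation (not the sample's code, not the sandbox's).

Two checks from the report are modelled:
  * SystemBiosVersion / VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System
    (anti-VM: on a VirtualBox guest these strings name the hypervisor)
  * EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    (is UAC switched on?)

Values come either from a constructed snapshot dict (runs anywhere) or,
with snapshot=None on Windows, from the live registry via winreg.
"""
import sys
from typing import Any, Dict, Mapping, Optional

HKLM = r"\REGISTRY\MACHINE"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def reg_path(*parts: str) -> str:
    """Join registry path components with backslashes."""
    return "\\".join(parts)


# Assumption: the markers anti-VM code looks for in the BIOS strings. The
# report does not show which strings the sample compares against.
VBOX_MARKERS = ("VBOX", "VIRTUALBOX")

# Constructed snapshots (not from the report), modelled on values a
# VirtualBox guest and a physical laptop typically expose.
VIRTUALBOX_SNAPSHOT: Dict[str, Any] = {
    reg_path(HKLM, BIOS_KEY, "SystemBiosVersion"): ["VBOX   - 1"],
    reg_path(HKLM, BIOS_KEY, "VideoBiosVersion"): ["Oracle VM VirtualBox Version 6.1.18 VBE BIOS"],
    reg_path(HKLM, UAC_KEY, "EnableLUA"): 1,
}
PHYSICAL_SNAPSHOT: Dict[str, Any] = {
    reg_path(HKLM, BIOS_KEY, "SystemBiosVersion"): ["LENOVO - 1270", "N2HET55W (1.37 )"],
    reg_path(HKLM, BIOS_KEY, "VideoBiosVersion"): ["Intel Video BIOS"],
    reg_path(HKLM, UAC_KEY, "EnableLUA"): 0,  # UAC switched off by the admin
}


def query_value(snapshot: Optional[Mapping[str, Any]], path: str) -> Any:
    r"""Return the value stored at a full \REGISTRY\MACHINE\... path, or None.

    snapshot=None means read the live registry, which needs Windows."""
    if snapshot is not None:
        return snapshot.get(path)
    if not sys.platform.startswith("win"):
        raise RuntimeError("live registry reads require Windows")
    import winreg  # only importable on Windows
    key_path, _, name = path.replace(HKLM + "\\", "", 1).rpartition("\\")
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None


def _as_text(value: Any) -> str:
    """REG_MULTI_SZ comes back as a list of strings; flatten it for matching."""
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def bios_says_virtualbox(snapshot: Optional[Mapping[str, Any]] = None) -> bool:
    """The anti-VM check: does either BIOS string name VirtualBox?"""
    for name in ("SystemBiosVersion", "VideoBiosVersion"):
        value = query_value(snapshot, reg_path(HKLM, BIOS_KEY, name))
        if value is None:
            continue
        text = _as_text(value).upper()
        if any(marker in text for marker in VBOX_MARKERS):
            return True
    return False


def uac_enabled(snapshot: Optional[Mapping[str, Any]] = None) -> bool:
    """EnableLUA == 0 means UAC is off; a missing value means the default (on)."""
    value = query_value(snapshot, reg_path(HKLM, UAC_KEY, "EnableLUA"))
    return value is None or int(value) != 0


def environment_report(snapshot: Optional[Mapping[str, Any]] = None) -> Dict[str, bool]:
    """The decision a dropper makes from these reads: VM or not, UAC in the way or not."""
    return {"virtualbox": bios_says_virtualbox(snapshot), "uac_enabled": uac_enabled(snapshot)}


if __name__ == "__main__":
    for label, snap in (("virtualbox", VIRTUALBOX_SNAPSHOT), ("physical", PHYSICAL_SNAPSHOT)):
        print(f"{label:10s} {environment_report(snap)}")
```

The VideoBiosVersion read is the more reliable of the two on VirtualBox, since the video BIOS string spells out the product name in full; a hardened analysis VM that only patches SystemBiosVersion still fails this check, which is why both values appear in the report.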
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Setting ThreadHideFromDebugger on a thread stops it from delivering debug events, so an attached debugger loses sight of that thread; it is a common anti-debugging move and fits the other evasion checks above.
Processes:
- PID 1032: 725e7cdd6e81b01e6ab7361fd080af6a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; RedLine is a stealer, not ransomware, so weigh the drive enumeration against the other behaviour here rather than the label.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 1032: 725e7cdd6e81b01e6ab7361fd080af6a.exe (1 hit)
- PID 3960: servs.exe (4 hits)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1032, 725e7cdd6e81b01e6ab7361fd080af6a.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes (source PID wrote to memory of target PID; each pair was recorded twice):
- 1032 (725e7cdd6e81b01e6ab7361fd080af6a.exe) -> 2360 (evwws.exe)
- 1032 (725e7cdd6e81b01e6ab7361fd080af6a.exe) -> 812 (wlevs.exe)
- 1032 (725e7cdd6e81b01e6ab7361fd080af6a.exe) -> 3960 (servs.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\725e7cdd6e81b01e6ab7361fd080af6a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\725e7cdd6e81b01e6ab7361fd080af6a.exe"
  PID: 1032
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\evwws.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\evwws.exe"
    PID: 2360
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\wlevs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wlevs.exe"
    PID: 812
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\servs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\servs.exe"
    PID: 3960
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
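The process tree and the signature rows above, turned into a small correlation rule as an added Python example (not the sandbox's own scoring and not the sample's code). The event records are constructed from this report's rows: the process tree, the BIOS and EnableLUA registry queries, the SeDebugPrivilege adjustment and the WriteProcessMemory pairs. The field names, the %TEMP% heuristic, the weights and the threshold are assumptions of the example; what it shows is how the individual rows combine into a verdict for PID 1032 while the three dropped children, taken alone, score low.

```python
"""Added example: correlating a sandbox report's behaviour rows into a
verdict. Not the sandbox's own logic and not the sample's code.

EVENTS is constructed from the rows in this report (process tree,
registry queries, SeDebugPrivilege, WriteProcessMemory). Field names,
the %TEMP% heuristic, the weights and the threshold are assumptions.
"""
from typing import Any, Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
BIOS_KEYS = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Constructed from the report's rows; a real pipeline would parse these from the JSON.
EVENTS: List[Dict[str, Any]] = [
    {"type": "process", "pid": 1032, "ppid": None, "image": TEMP + r"\725e7cdd6e81b01e6ab7361fd080af6a.exe"},
    {"type": "regquery", "pid": 1032, "path": BIOS_KEYS[0]},
    {"type": "regquery", "pid": 1032, "path": BIOS_KEYS[1]},
    {"type": "regquery", "pid": 1032, "path": UAC_KEY},
    {"type": "privilege", "pid": 1032, "name": "SeDebugPrivilege"},
    {"type": "process", "pid": 2360, "ppid": 1032, "image": TEMP + r"\evwws.exe"},
    {"type": "writemem", "pid": 1032, "target": 2360},
    {"type": "writemem", "pid": 1032, "target": 2360},
    {"type": "process", "pid": 812, "ppid": 1032, "image": TEMP + r"\wlevs.exe"},
    {"type": "writemem", "pid": 1032, "target": 812},
    {"type": "writemem", "pid": 1032, "target": 812},
    {"type": "process", "pid": 3960, "ppid": 1032, "image": TEMP + r"\servs.exe"},
    {"type": "writemem", "pid": 1032, "target": 3960},
    {"type": "writemem", "pid": 1032, "target": 3960},
]


def in_temp(image: str) -> bool:
    """True when the image lives under the user's Temp directory."""
    return image.lower().startswith(TEMP.lower() + "\\")


def build_tree(events: List[Dict[str, Any]]) -> Dict[int, Dict[str, Any]]:
    """pid -> {image, ppid, children} built from the process rows."""
    procs: Dict[int, Dict[str, Any]] = {}
    for e in events:
        if e["type"] == "process":
            procs[e["pid"]] = {"image": e["image"], "ppid": e["ppid"], "children": []}
    for pid, p in procs.items():
        if p["ppid"] in procs:
            procs[p["ppid"]]["children"].append(pid)
    return procs


def score_process(pid: int, events, procs) -> Tuple[int, List[str]]:
    """Weighted reasons for one process; the weights are this example's assumption."""
    p = procs[pid]
    mine = [e for e in events if e.get("pid") == pid]
    hits: List[Tuple[str, int]] = []
    if in_temp(p["image"]):
        hits.append(("runs from %TEMP%", 1))
    bios = {e["path"] for e in mine if e["type"] == "regquery" and e["path"] in BIOS_KEYS}
    if bios:
        hits.append((f"queries {len(bios)} BIOS version value(s)", 2))
    if any(e["type"] == "privilege" and e["name"] == "SeDebugPrivilege" for e in mine):
        hits.append(("enables SeDebugPrivilege", 2))
    dropped = [c for c in p["children"] if in_temp(procs[c]["image"])]
    if dropped:
        hits.append((f"spawns {len(dropped)} child process(es) from %TEMP%", 2))
    # Writing into a child it just created is the injection/hollowing pattern.
    injected = {e["target"] for e in mine if e["type"] == "writemem"} & set(p["children"])
    if injected:
        hits.append((f"writes into the memory of {len(injected)} of its children", 3))
    return sum(w for _, w in hits), [r for r, _ in hits]


def verdict(events, threshold: int = 6) -> Dict[int, Dict[str, Any]]:
    """Score every process in the tree and flag those at or above the threshold."""
    procs = build_tree(events)
    result: Dict[int, Dict[str, Any]] = {}
    for pid in procs:
        score, reasons = score_process(pid, events, procs)
        result[pid] = {"score": score, "reasons": reasons, "suspicious": score >= threshold}
    return result


def render_tree(procs, pid=None, depth: int = 0, lines=None) -> List[str]:
    """Indented process tree in the same shape the report uses."""
    lines = [] if lines is None else lines
    roots = [p for p, v in procs.items() if v["ppid"] not in procs] if pid is None else [pid]
    for p in roots:
        name = procs[p]["image"].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{name} (PID {p})")
        for child in procs[p]["children"]:
            render_tree(procs, child, depth + 1, lines)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(build_tree(EVENTS))))
    for pid, v in verdict(EVENTS).items():
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"PID {pid}: score {v['score']} {flag}; " + "; ".join(v["reasons"]))
```

The point of scoring per process rather than per signature is visible in the output: evwws.exe, wlevs.exe and servs.exe each only "run from %TEMP%" and stay below the threshold, while the parent collects every evasion and injection row and is the one to block, hash and hunt for.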
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\evwws.exe
- MD5: 5558f586862478fba863c9f08b00a312
- SHA1: ce323d81cee5b679dbeb3c992d8de16079a343ec
- SHA256: 56e2b09d32e75d09a6543d945d0a59905039dacb9c6a30f0332eb1d5b1d75380
- SHA512: cc95b77a4e7d21294c0b59c06459a8d817927b33f66e33cd0f68ee8daab994335258b5a738efbf8bed082ed4a480736ec76cfe881700752fe983fec091c6d25f

C:\Users\Admin\AppData\Local\Temp\servs.exe
- MD5: 099d181819dd32f9e89d7bc7afd8ee22
- SHA1: c826d3afa43fe1d52dfce13b5cc002d1d0137681
- SHA256: 711f9480b179be2456835df08da8aa29a1024a0d652a0ec7cb75d7f8f44e07d8
- SHA512: 300d3d5c492978f141ba0621291520e8acc9cc15e54da14b00a4ebdae3376aba44d439eb8059b88c57d2f2a10e5956c8cfe6f9d2985f5b86e1a3d5a211cf3404

C:\Users\Admin\AppData\Local\Temp\wlevs.exe
- MD5: 34afbbd143dff19b346039f0d2889914
- SHA1: b998a5edfbc67a5a056b25e11a232b297433729b
- SHA256: c031a29ab360685db6dd3980848661d0d12343b798b918aca4e8422ab880355e
- SHA512: ea130936b4d70bf144217b0979aec4791939c4fc1474afd4bc63628b72c1d0b20c544c5781dc794e686afe695a9d72d642be4e1568d1ac39673f52fd7e7f1462

Memory dumps (dump file: size)
- memory/812-24-0x0000000000000000-mapping.dmp
- memory/812-30-0x0000028827E40000-0x0000028827E54000-memory.dmp: 80KB
- memory/1032-3-0x0000000073EE0000-0x00000000745CE000-memory.dmp: 6.9MB
- memory/1032-4-0x00000000003F0000-0x00000000003F1000-memory.dmp: 4KB
- memory/1032-6-0x0000000005610000-0x0000000005611000-memory.dmp: 4KB
- memory/1032-7-0x0000000077D14000-0x0000000077D15000-memory.dmp: 4KB
- memory/1032-8-0x00000000055B0000-0x00000000055B1000-memory.dmp: 4KB
- memory/1032-9-0x0000000005CA0000-0x0000000005CA1000-memory.dmp: 4KB
- memory/1032-10-0x0000000005730000-0x0000000005731000-memory.dmp: 4KB
- memory/1032-11-0x0000000005790000-0x0000000005791000-memory.dmp: 4KB
- memory/1032-12-0x00000000057D0000-0x00000000057D1000-memory.dmp: 4KB
- memory/1032-13-0x0000000003450000-0x0000000003451000-memory.dmp: 4KB
- memory/1032-14-0x0000000005A30000-0x0000000005A31000-memory.dmp: 4KB
- memory/1032-15-0x0000000006CC0000-0x0000000006CC1000-memory.dmp: 4KB
- memory/1032-16-0x00000000073C0000-0x00000000073C1000-memory.dmp: 4KB
- memory/1032-17-0x0000000006E90000-0x0000000006E91000-memory.dmp: 4KB
- memory/1032-18-0x0000000007DF0000-0x0000000007DF1000-memory.dmp: 4KB
- memory/1032-19-0x0000000006F30000-0x0000000006F31000-memory.dmp: 4KB
- memory/1032-20-0x00000000079F0000-0x00000000079F1000-memory.dmp: 4KB
- memory/2360-21-0x0000000000000000-mapping.dmp
- memory/3960-27-0x0000000000000000-mapping.dmp