Analysis
-
max time kernel
150s -
max time network
73s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-03-2021 08:49
General
-
Target
331064627d4361c3f3e3ba15d4d75afc.exe
-
Size
1.1MB
-
MD5
331064627d4361c3f3e3ba15d4d75afc
-
SHA1
090fa5f883dcd45de13f2a7896748925e26630ee
-
SHA256
9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
-
SHA512
aa87f34aa129eef8dc3eabbf9c097161779c6580add5f694e0c779d3f9e9ba369765e05c3ab1816765bbad43cf78ac04cb5af8db9838742710b0b4aa17481df0
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Executes dropped EXE 10 IoCs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Modifies file permissions 1 TTPs 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\331064627d4361c3f3e3ba15d4d75afc.exe"C:\Users\Admin\AppData\Local\Temp\331064627d4361c3f3e3ba15d4d75afc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo Ehim2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Osi.adt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^QAXGiYkwfmvZsAkSwFzQElmpDQyAvOxQLytcnqBrEKginUwgVONcJiyFqOrsSKFByFhjcQxwtdjTWaLIOREIqYuEZnxKXplTyMeSGPSyzMszVkJHexDwuWBumJjWcKrU$" Far.vsdx4⤵
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.comSaluta.com Ascolta.mpg4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.comC:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com Ascolta.mpg5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exeC:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"{path}"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\file.exe"{path}"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"10⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"10⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"10⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"{path}"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"{path}"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\libmfxsw32.exe.logMD5
12557ab909651a6f99d3503d614d3562
SHA1b86745768059a514bea3a438e1e96086af463246
SHA2569589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd
SHA51210cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521
-
C:\Users\Admin\AppData\Local\Temp\file.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Local\Temp\file.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Local\Temp\file.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Local\Temp\file.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeMD5
774073dc394ceefedf0533ba910726ad
SHA116e27e1658f25607ebd0f675ce6c6ffa7fa1f922
SHA256f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
SHA51287f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Ascolta.mpgMD5
38c0f4e15a4b9b62fc28204d8a432dea
SHA10144690c5c90a8f15837a739963217c204197b23
SHA2560f72f7c429443ec823edaa8013f3fd80011519da12f7ea140f1957f63243a9bd
SHA512e8809d11fcfb1ff304dc67073c66e17eca0317bc963f1d5227bff7a561d9cb0b67f7e66721032e8e4a6f0fea357a666c756cb42d968cc3e442e84493e1231163
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Far.vsdxMD5
7b0207f05263d514fc4f7a2b177b6051
SHA1ab7d24200270ab0969deccf9816079225a6c2e5f
SHA256d7853ca5404edb72f4da3558f70cee027f979bce93b1fa3138a56b2a94dccfa5
SHA5126a84a5681cdd28c63458bcd89f7bcaabbda31d52d04253d017ce99c235aa3d35fa540d5357241d30d23d0606515e078a2416a01d8a354d746ee67e0484ccf428
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Osi.adtMD5
e4cd8cf31700ef541395d936e4be3fc2
SHA13ed11b6dbe745beac72040b4d3855dc5fad39feb
SHA2561c92f6179538905efea7b41b80915f0238db7b7275de0aa291a12dd2fe74efa9
SHA51233f577aca3cd94749daf6f682ca07e3ff63e041cf1bf5c576785cbe7c8796c0a18d173b154ba1e24cd7156a934e1d2f4440c7f7283c2325a7566245b7d896de0
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exeMD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exeMD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.comMD5
78ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.comMD5
78ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Tuo.accdeMD5
854ad49e5b08a3324b9dbeb070d7fe2e
SHA1ead483aa1b1d9a82a9a9dc22d284cb8239f8bd15
SHA25617c5db44d5857692a705f91adca500f700daab0f3f1896098c327a3c5eb97db6
SHA512a576e282eef72ea42eae46f5631305505f4046a7e85a62c06e83e6a2978f20f6f2c104c5278013c6d09cb965c9d5d9a6ee283fa7c87ece73c82539378c9407ae
-
memory/612-92-0x000000000042800A-mapping.dmp
-
memory/612-98-0x0000000000400000-0x00000000004EA000-memory.dmpFilesize
936KB
-
memory/1240-58-0x0000000000000000-mapping.dmp
-
memory/1244-11-0x0000000000000000-mapping.dmp
-
memory/1416-83-0x000000007F9C0000-0x000000007F9C1000-memory.dmpFilesize
4KB
-
memory/1416-62-0x00000000738C0000-0x0000000073FAE000-memory.dmpFilesize
6.9MB
-
memory/1416-75-0x00000000054B0000-0x00000000054B1000-memory.dmpFilesize
4KB
-
memory/1520-6-0x0000000000000000-mapping.dmp
-
memory/2128-76-0x0000000000000000-mapping.dmp
-
memory/2204-84-0x0000000000000000-mapping.dmp
-
memory/2212-12-0x0000000000000000-mapping.dmp
-
memory/2212-15-0x00000000013C0000-0x00000000013C1000-memory.dmpFilesize
4KB
-
memory/2584-19-0x0000000073800000-0x0000000073EEE000-memory.dmpFilesize
6.9MB
-
memory/2584-24-0x00000000053D0000-0x00000000053D1000-memory.dmpFilesize
4KB
-
memory/2584-35-0x0000000005001000-0x0000000005002000-memory.dmpFilesize
4KB
-
memory/2584-36-0x0000000008510000-0x0000000008511000-memory.dmpFilesize
4KB
-
memory/2584-37-0x0000000008800000-0x0000000008801000-memory.dmpFilesize
4KB
-
memory/2584-16-0x00000000009B0000-0x00000000009D6000-memory.dmpFilesize
152KB
-
memory/2584-33-0x00000000078F0000-0x00000000078F1000-memory.dmpFilesize
4KB
-
memory/2584-32-0x0000000006990000-0x0000000006991000-memory.dmpFilesize
4KB
-
memory/2584-22-0x0000000004DE0000-0x0000000004DE1000-memory.dmpFilesize
4KB
-
memory/2584-23-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/2584-34-0x0000000006A30000-0x0000000006A31000-memory.dmpFilesize
4KB
-
memory/2584-25-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/2584-26-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/2584-27-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/2584-28-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/2584-29-0x00000000059F0000-0x00000000059F1000-memory.dmpFilesize
4KB
-
memory/2584-31-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/2584-30-0x00000000067C0000-0x00000000067C1000-memory.dmpFilesize
4KB
-
memory/2776-81-0x0000000000000000-mapping.dmp
-
memory/2888-3-0x0000000000000000-mapping.dmp
-
memory/3052-2-0x0000000000000000-mapping.dmp
-
memory/3172-99-0x0000000000400000-0x00000000004EA000-memory.dmpFilesize
936KB
-
memory/3172-95-0x000000000042800A-mapping.dmp
-
memory/3228-8-0x0000000000000000-mapping.dmp
-
memory/3572-5-0x0000000000000000-mapping.dmp
-
memory/3856-74-0x0000000004F10000-0x0000000004F11000-memory.dmpFilesize
4KB
-
memory/3856-60-0x00000000738C0000-0x0000000073FAE000-memory.dmpFilesize
6.9MB
-
memory/3856-82-0x000000007F0A0000-0x000000007F0A1000-memory.dmpFilesize
4KB
-
memory/3860-73-0x0000000000400000-0x00000000004EA000-memory.dmpFilesize
936KB
-
memory/3860-56-0x000000000042800A-mapping.dmp
-
memory/3860-55-0x0000000000400000-0x00000000004EA000-memory.dmpFilesize
936KB
-
memory/3968-50-0x000000007F2F0000-0x000000007F2F1000-memory.dmpFilesize
4KB
-
memory/3968-41-0x0000000073800000-0x0000000073EEE000-memory.dmpFilesize
6.9MB
-
memory/3968-42-0x0000000000E30000-0x0000000000E31000-memory.dmpFilesize
4KB
-
memory/3968-38-0x0000000000000000-mapping.dmp
-
memory/3968-46-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/3968-47-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/3968-49-0x0000000008FB0000-0x0000000008FB2000-memory.dmpFilesize
8KB
-
memory/3968-51-0x0000000009660000-0x0000000009752000-memory.dmpFilesize
968KB
-
memory/3968-52-0x000000000BDB0000-0x000000000BE9F000-memory.dmpFilesize
956KB