Analysis
- max time kernel: 61s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-03-2021 15:16
Static task: static1
Behavioral task: behavioral1
- Sample: 965212c139d8c474ed69ff3c33b88be4.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 965212c139d8c474ed69ff3c33b88be4.exe
- Resource: win10v20201028
General
- Target: 965212c139d8c474ed69ff3c33b88be4.exe
- Size: 521KB
- MD5: 965212c139d8c474ed69ff3c33b88be4
- SHA1: cce8ddf99da03113f80cd0e3e1368186468d904d
- SHA256: fc1c966dd0ac73c1e2aae4287b1480ba9d27d01accc069a9a69d2a4fc9f1a6a9
- SHA512: f9f37bbbacffcd4eed9ac7d4a66c9d5d0f0b0c85ec93e03712e1d238ace52f718beec08a5fc921b6a2d6d4084d1a4280258c188c514a6e0548ebde81afe9fd12
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3220  VersiumResearc.exe
    1496  VersiumResearch.exe
    3588  VersiumRes.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process             target process
    PID 3588 set thread context of 3052  3588  VersiumRes.exe      AddInProcess32.exe
    PID 3220 set thread context of 3944  3220  VersiumResearc.exe  AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    1496  VersiumResearch.exe
    3052  AddInProcess32.exe
    3944  AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3588  VersiumRes.exe
    Token: SeDebugPrivilege  1496  VersiumResearch.exe
    Token: SeDebugPrivilege  3052  AddInProcess32.exe
    Token: SeDebugPrivilege  3220  VersiumResearc.exe
    Token: SeDebugPrivilege  3944  AddInProcess32.exe
- Suspicious use of WriteProcessMemory (31 IoCs; identical rows collapsed, count column gives the number of occurrences)
  Processes:
    description                       pid   process                               target process      count
    PID 1276 wrote to memory of 3220  1276  965212c139d8c474ed69ff3c33b88be4.exe  VersiumResearc.exe  3
    PID 1276 wrote to memory of 1496  1276  965212c139d8c474ed69ff3c33b88be4.exe  VersiumResearch.exe 3
    PID 1276 wrote to memory of 3588  1276  965212c139d8c474ed69ff3c33b88be4.exe  VersiumRes.exe      3
    PID 3588 wrote to memory of 3052  3588  VersiumRes.exe                        AddInProcess32.exe  8
    PID 3052 wrote to memory of 2564  3052  AddInProcess32.exe                    cmd.exe             3
    PID 2564 wrote to memory of 2868  2564  cmd.exe                               reg.exe             3
    PID 3220 wrote to memory of 3944  3220  VersiumResearc.exe                    AddInProcess32.exe  8
Processes (tree; indentation gives the process depth)
- C:\Users\Admin\AppData\Local\Temp\965212c139d8c474ed69ff3c33b88be4.exe (depth 1, PID 1276)
  command line: "C:\Users\Admin\AppData\Local\Temp\965212c139d8c474ed69ff3c33b88be4.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe (depth 2, PID 3220)
    command line: C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 3, PID 3944)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe (depth 2, PID 1496)
    command line: C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe (depth 2, PID 3588)
    command line: C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 3, PID 3052)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2564)
        command line: "cmd" /C reg add HKEY_CURRENT_USER\Software\DataFinder\keycheck /v Status /t REG_DWORD /d 1 && reg add HKEY_CURRENT_USER\Software\DataFinder\VersiumResearch /v Status /t REG_DWORD /d 1
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (depth 5, PID 2868)
          command line: reg add HKEY_CURRENT_USER\Software\DataFinder\keycheck /v Status /t REG_DWORD /d 1
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3375f93b9adc89753e8d23050bce6ca0
  SHA1: 9532d3600af4bd299e649e8dfd16896ba63fd27e
  SHA256: dcea8294dccb23d9690c3f14ebe53b4ed0ee4da80171f238e9cf8160ac708295
  SHA512: b4c65c9bb265992311707149cd2e285ae87eaabf179e046d2e38dd22901b84c1aa1ea94966d6f4eed31230f2869ccde47587ec65e92ca58d3a8b1f8358786a8d
- MD5: 7959ab8670c919f85a98c231079739c8
  SHA1: 251792b13b125bdec88fe59244864da038fb4a27
  SHA256: 1d4a8313f0e48235cd8df99469b602d049ed558d82fc1e283476600e4149a145
  SHA512: ab123560fdf39be963882f75cc1434ada2d14486cc9e0e4be11dcf79b046e1a19ff26ff28fd4a3a46c11b7526d29eaded77a4cd7d7e713fea268f62dfcff0841
- MD5: 7959ab8670c919f85a98c231079739c8
  SHA1: 251792b13b125bdec88fe59244864da038fb4a27
  SHA256: 1d4a8313f0e48235cd8df99469b602d049ed558d82fc1e283476600e4149a145
  SHA512: ab123560fdf39be963882f75cc1434ada2d14486cc9e0e4be11dcf79b046e1a19ff26ff28fd4a3a46c11b7526d29eaded77a4cd7d7e713fea268f62dfcff0841
- MD5: bda1efdad61372b0b12a4277e9558484
  SHA1: dc9be4e90eaacbf08b4b04d71b5fe17cd752e6a6
  SHA256: 3a959095c9ef35d13c356c3236798cd6f4cdfab08bfddc618aa63875784ff3fc
  SHA512: 7b9e715627c6300075eeee8ec861e32ba96b855ce5857d7adb7518061cea5a48237b2cf886b5cfef88f40934f90656d8a64b7286dcb303ab44a4846c010edec1
- MD5: bda1efdad61372b0b12a4277e9558484
  SHA1: dc9be4e90eaacbf08b4b04d71b5fe17cd752e6a6
  SHA256: 3a959095c9ef35d13c356c3236798cd6f4cdfab08bfddc618aa63875784ff3fc
  SHA512: 7b9e715627c6300075eeee8ec861e32ba96b855ce5857d7adb7518061cea5a48237b2cf886b5cfef88f40934f90656d8a64b7286dcb303ab44a4846c010edec1
- MD5: aedd7327b99ed5177d43ed7758f1ebff
  SHA1: 46137683ee73646c9aa05ed27b661ad2ecbe9c20
  SHA256: 0d6704a682e281399df401b4aac628f0ff16826b31e2c61df32919e77c55edf8
  SHA512: 68b35c614d38064fed6dbaf34a06063445fd4433b15776431ffefaaafda4ea29bbcdf427bd3a835287debc8dec447efb4443f19bded463b1230819928360a392
- MD5: aedd7327b99ed5177d43ed7758f1ebff
  SHA1: 46137683ee73646c9aa05ed27b661ad2ecbe9c20
  SHA256: 0d6704a682e281399df401b4aac628f0ff16826b31e2c61df32919e77c55edf8
  SHA512: 68b35c614d38064fed6dbaf34a06063445fd4433b15776431ffefaaafda4ea29bbcdf427bd3a835287debc8dec447efb4443f19bded463b1230819928360a392