Analysis
- max time kernel: 67s
- max time network: 600s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-03-2021 19:06
Static task: static1
Behavioral task: behavioral1 (Sample: COVERT-Pro-Inst (1).exe, Resource: win10v20201028)
Behavioral task: behavioral2 (Sample: COVERT-Pro-Inst (1).exe, Resource: win10v20201028)
Behavioral task: behavioral3 (Sample: COVERT-Pro-Inst (1).exe, Resource: win10v20201028)
General
- Target: COVERT-Pro-Inst (1).exe
- Size: 30.9MB
- MD5: 604aaadd302aac9e9d783bd8910ce594
- SHA1: f6500c98ff55c6a974ed02194ff0be25d96ec9f8
- SHA256: 41a0c8a3158186712649e53fce67714641bf8d3e485731255ab9b3a954da7046
- SHA512: b25b97fb60aeb9baa15f68be02963d9ac074040f989705fbfcfae825bcc8799998e705c9691371538d64401b1432444df60b2a7881b6b5b3b6f1b21b7eba0feb
Malware Config
- Extracted: icedid
- 1235390667
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2108  Protection.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (15 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    663   checkip.amazonaws.com
    688   api.ipify.org
    297   ip-api.com
    337   checkip.amazonaws.com
    599   checkip.amazonaws.com
    810   ipinfo.io
    806   checkip.amazonaws.com
    829   ipinfo.io
    240   ipinfo.io
    248   ipinfo.io
    425   checkip.amazonaws.com
    430   ip-api.com
    638   checkip.amazonaws.com
    791   checkip.amazonaws.com
    808   ipinfo.io
- Drops file in System32 directory (1 IoC)
  Processes:
    description                   ioc                              process
    File opened for modification  C:\Windows\SysWOW64\systems.put  COVERT-Pro-Inst (1).exe
- Drops file in Program Files directory (19 IoCs)
  Processes:
    description   ioc                                                                       process
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU2.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Czech.lng                     COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Italian.lng                   COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\German.lng                    COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Help\Help-COVERT-Pro.chm               COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU3.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU4.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU5.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Russian.lng                   COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Turkish.lng                   COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU6.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU8.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\(Password 1111) Restore COVERT Pro.zip  COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Select.ini                    COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Ukrainian.lng                 COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Protection.exe                         COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU1.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\Bases\SU7.kms                          COVERT-Pro-Inst (1).exe
    File created  C:\Program Files (x86)\COVERT Pro\language\Polish.lng                    COVERT-Pro-Inst (1).exe
- Drops file in Windows directory (4 IoCs)
  Processes:
    description                   ioc                          process
    File opened for modification  C:\Windows\syss.nok          COVERT-Pro-Inst (1).exe
    File opened for modification  C:\Windows\fileMPinst.ini    COVERT-Pro-Inst (1).exe
    File opened for modification  C:\Windows\Protection.INI    Protection.exe
    File opened for modification  C:\Windows\memofor.ini       Protection.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (6 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    description             flow  ioc
    HTTP User-Agent header  247   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  252   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  809   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  814   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  825   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  831   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3116  COVERT-Pro-Inst (1).exe
    3116  COVERT-Pro-Inst (1).exe
    2108  Protection.exe
    (the remaining entries, up to the 64 IoCs reported, are all 2108 Protection.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2108  Protection.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes:
    description                              pid   process
    Token: SeDebugPrivilege                  3116  COVERT-Pro-Inst (1).exe
    Token: SeCreateTokenPrivilege            2108  Protection.exe
    Token: SeAssignPrimaryTokenPrivilege     2108  Protection.exe
    Token: SeLockMemoryPrivilege             2108  Protection.exe
    Token: SeIncreaseQuotaPrivilege          2108  Protection.exe
    Token: 0                                 2108  Protection.exe
    Token: SeMachineAccountPrivilege         2108  Protection.exe
    Token: SeTcbPrivilege                    2108  Protection.exe
    Token: SeSecurityPrivilege               2108  Protection.exe
    Token: SeTakeOwnershipPrivilege          2108  Protection.exe
    Token: SeLoadDriverPrivilege             2108  Protection.exe
    Token: SeSystemProfilePrivilege          2108  Protection.exe
    Token: SeSystemtimePrivilege             2108  Protection.exe
    Token: SeProfSingleProcessPrivilege      2108  Protection.exe
    Token: SeIncBasePriorityPrivilege        2108  Protection.exe
    Token: SeCreatePagefilePrivilege         2108  Protection.exe
    Token: SeCreatePermanentPrivilege        2108  Protection.exe
    Token: SeBackupPrivilege                 2108  Protection.exe
    Token: SeRestorePrivilege                2108  Protection.exe
    Token: SeShutdownPrivilege               2108  Protection.exe
    Token: SeDebugPrivilege                  2108  Protection.exe
    Token: SeAuditPrivilege                  2108  Protection.exe
    Token: SeSystemEnvironmentPrivilege      2108  Protection.exe
    Token: SeChangeNotifyPrivilege           2108  Protection.exe
    Token: SeRemoteShutdownPrivilege         2108  Protection.exe
    Token: SeUndockPrivilege                 2108  Protection.exe
    Token: SeSyncAgentPrivilege              2108  Protection.exe
    Token: SeEnableDelegationPrivilege       2108  Protection.exe
    Token: SeManageVolumePrivilege           2108  Protection.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes:
    pid   process
    3116  COVERT-Pro-Inst (1).exe
    3116  COVERT-Pro-Inst (1).exe
    3116  COVERT-Pro-Inst (1).exe
    2108  Protection.exe
    (the remaining entries, up to the 64 IoCs reported, are all 2108 Protection.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                   pid   process                  target process
    PID 3116 wrote to memory of 2108  3116  COVERT-Pro-Inst (1).exe  Protection.exe
    PID 3116 wrote to memory of 2108  3116  COVERT-Pro-Inst (1).exe  Protection.exe
    PID 3116 wrote to memory of 2108  3116  COVERT-Pro-Inst (1).exe  Protection.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\COVERT-Pro-Inst (1).exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\COVERT-Pro-Inst (1).exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\COVERT Pro\Protection.exe (depth 2, child of the installer)
    Command line: "C:\Program Files (x86)\COVERT Pro\Protection.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\COVERT Pro\Bases\SU1.kms
  MD5: a3f93cabd94efc086d87a5a47f2b2a4e
  SHA1: 1c49d2737c7d2c6f5d4bb083a113fb3bee4a67ea
  SHA256: f4ca15357003927d9962ddfe9211d68a5d11fd2f25a7e5b6e96267d5dd0035eb
  SHA512: 755ea134838e999a2c8cd5a9fcc09d8c36e621b8155e24620ed44e95b7315a3d64fd9d0763ae39cb75aee7092d4cb5fa35f8350639205dcf0e1acfdac53f027c
- C:\Program Files (x86)\COVERT Pro\Protection.exe
  MD5: 94b3c08f74c955864ebee9090e81e220
  SHA1: e60ec6c9d4aa885afb8006e98e43b0a861b5f5d8
  SHA256: b851d2dd00742b6c20c8c84980ce56fe7c3df85aaa469ec78a5189d0d3b8c79f
  SHA512: 2d5946ce2d5105ba37b3693fe7fde86704706f39165de4dae120264542bd25ed24167fa4e1280fffd889deb3cc1fb1c3ae4606667da2b92facbf4a0a91a352ca
- C:\Program Files (x86)\COVERT Pro\language\Russian.lng
  MD5: 8f85d3f7609e6600f6c942daacf353f4
  SHA1: f37f26d9f9982a8e897b2665a4d3ce9a8b26566c
  SHA256: 5dea64e85c341102388ddafb66f8f3fae42976abd255396e502e1aad823445f5
  SHA512: b9e1620ffa7bfd795b444831b515f46b68acd88bdb1c9bfee92afabd199370ba231e86455a9fc4d622f8c10e4324ae796a29198fcdb1118a7b1ae83f7c388926
- C:\Program Files (x86)\COVERT Pro\language\Select.ini
  MD5: b21efb65b67f1519a0200dbd8ea510c1
  SHA1: 234dcec83d08495ac92daadfa2bfb09f79f598a1
  SHA256: 9bac02fa0daea3fba778a1bf6b3ed86ccb8efa59ffdb4b38a5f34b8c093e1210
  SHA512: f31ca3d337d39b516de13ee67793e31ec92e0c21e24d2c746d5dc2a99d64b1551432b23bcf62ec6d8fd2115de0b445399bfcbde2647efd35b51962b9d4406af2
- memory/2108-2-0x0000000000000000-mapping.dmp