Analysis
-
max time kernel
21s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
22-07-2021 10:03
Static task
static1
Behavioral task
behavioral1
Sample
a4f4b5daa83bb6dc85ede588ffbfdb34.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
a4f4b5daa83bb6dc85ede588ffbfdb34.exe
Resource
win10v20210408
General
-
Target
a4f4b5daa83bb6dc85ede588ffbfdb34.exe
-
Size
212KB
-
MD5
a4f4b5daa83bb6dc85ede588ffbfdb34
-
SHA1
9bbaac140fa643d30bf25af71561f5ee35874898
-
SHA256
f61201b7b85a410a62c1f1946095b3feabb6e672fb8ddc0c64789a02ae9a06f4
-
SHA512
b4f436bd64384d767109d04eea6f3f5ad192c4f1e71cc31a88ba4ac78ef97da3ef1aaade388dfc9240c38e386993e9dc21803554db8513f0ed7ebe00ee248624
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2524-134-0x00000000073B0000-0x00000000073E2000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
Processes:
3805112.exe2217218.exepid process 3200 3805112.exe 2524 2217218.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2128 3200 WerFault.exe 3805112.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
3805112.exeWerFault.exe2217218.exepid process 3200 3805112.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2128 WerFault.exe 2524 2217218.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
a4f4b5daa83bb6dc85ede588ffbfdb34.exe3805112.exeWerFault.exe2217218.exedescription pid process Token: SeDebugPrivilege 3728 a4f4b5daa83bb6dc85ede588ffbfdb34.exe Token: SeDebugPrivilege 3200 3805112.exe Token: SeDebugPrivilege 2128 WerFault.exe Token: SeDebugPrivilege 2524 2217218.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
a4f4b5daa83bb6dc85ede588ffbfdb34.exedescription pid process target process PID 3728 wrote to memory of 3200 3728 a4f4b5daa83bb6dc85ede588ffbfdb34.exe 3805112.exe PID 3728 wrote to memory of 3200 3728 a4f4b5daa83bb6dc85ede588ffbfdb34.exe 3805112.exe PID 3728 wrote to memory of 2524 3728 a4f4b5daa83bb6dc85ede588ffbfdb34.exe 2217218.exe PID 3728 wrote to memory of 2524 3728 a4f4b5daa83bb6dc85ede588ffbfdb34.exe 2217218.exe PID 3728 wrote to memory of 2524 3728 a4f4b5daa83bb6dc85ede588ffbfdb34.exe 2217218.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4f4b5daa83bb6dc85ede588ffbfdb34.exe"C:\Users\Admin\AppData\Local\Temp\a4f4b5daa83bb6dc85ede588ffbfdb34.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Roaming\3805112.exe"C:\Users\Admin\AppData\Roaming\3805112.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3200 -s 21363⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Users\Admin\AppData\Roaming\2217218.exe"C:\Users\Admin\AppData\Roaming\2217218.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
52be91bb8576b57551f38cf98bd984cc
SHA1d4b25085ae85e7b4edc2db2f77e4108fd7345fc1
SHA2562eff8b37b39a5384bf9a3732bd7395af3430bd36eafdad4ba5cec6f707cdd680
SHA512f648be8d881ba47b87544327843add140cc4142ab7fac89cd87d3c79bed23524d7b40e35fd0c65a8c50a62c4e4f32d9a1681b3e043ea882bbfc46425891011b1
-
MD5
52be91bb8576b57551f38cf98bd984cc
SHA1d4b25085ae85e7b4edc2db2f77e4108fd7345fc1
SHA2562eff8b37b39a5384bf9a3732bd7395af3430bd36eafdad4ba5cec6f707cdd680
SHA512f648be8d881ba47b87544327843add140cc4142ab7fac89cd87d3c79bed23524d7b40e35fd0c65a8c50a62c4e4f32d9a1681b3e043ea882bbfc46425891011b1
-
MD5
a37b1548c0985ae8a2763cf6d1b39c80
SHA102fc37e10be4d933c05ee52d5363bee65fb914a6
SHA2568c31f3d89d2123272c1167ad1e929aa685d4065a5f334f651d4c09c0e291e986
SHA51289f7b6b7a8f6136854bd217ac6d9170575621a66bf42f51105354ab2419ed4a4df041e94eab64ec171b2c5bbb5dbe13f5f52cb137c38c6c1758508a3fc347bb9
-
MD5
a37b1548c0985ae8a2763cf6d1b39c80
SHA102fc37e10be4d933c05ee52d5363bee65fb914a6
SHA2568c31f3d89d2123272c1167ad1e929aa685d4065a5f334f651d4c09c0e291e986
SHA51289f7b6b7a8f6136854bd217ac6d9170575621a66bf42f51105354ab2419ed4a4df041e94eab64ec171b2c5bbb5dbe13f5f52cb137c38c6c1758508a3fc347bb9