Analysis
max time kernel: 42s
max time network: 113s
platform: windows10_x64
resource: win10v20210408
submitted: 12-08-2021 08:27
Static task: static1
Behavioral task: behavioral1
Sample: 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe
Resource: win10v20210408
General
Target: 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe
Size: 162KB
MD5: 953513e9a9e8496e829e98288a628c6e
SHA1: eb6f1ee5c7eb3835779648e7e6418bcc9dc6b8bd
SHA256: 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562
SHA512: 76399389dfee57bcc31f18fea3ad0efe5dd1af80eec81604f620ca0fea64248f23582405d3fd142fdb002b5180c390b6cdebe86a630735e581f1d38fc8a6437d
Malware Config
Extracted
Family: redline
Botnet: 7new
C2: sytareliar.xyz:80
C2: yabelesatg.xyz:80
C2: ceneimarck.xyz:80
Note: port 80 here carries RedLine's own binary C2 protocol, not HTTP, so HTTP-only inspection will not see a web request to these hosts; block or alert on the domains and on any TCP connection to them.
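The following is an added example and not part of this sandbox report: it takes the C2 hosts from the extracted config above, plus the domain named in the Suricata TLS-SNI alert further down, and matches them against DNS, TCP and SNI log lines. The log lines are constructed for the example and the log format (timestamp, source IP, kind, value) is an assumption; only the indicators come from the report.

```python
"""Added example (not part of the sandbox report): match DNS, TCP and TLS-SNI
log lines against the network indicators this report lists. The log lines are
constructed for the example; the indicators are copied from the report."""

# RedLine C2 host:port pairs from the extracted config above.
REDLINE_C2 = {
    "sytareliar.xyz": 80,
    "yabelesatg.xyz": 80,
    "ceneimarck.xyz": 80,
}
# Domain from the Suricata TLS-SNI alert in the Signatures section (the report
# prints it defanged as "all-brain-company .xyz"; refanged here for matching).
SNI_ALERT_DOMAINS = {"all-brain-company.xyz"}

# Constructed sample log lines: "<timestamp> <source ip> <kind> <value>".
# kind is dns (queried name), tcp (host:port of a connection) or sni (TLS SNI).
SAMPLE_LOGS = """\
2021-08-12T08:28:01Z 10.0.0.5 dns sytareliar.xyz
2021-08-12T08:28:01Z 10.0.0.5 dns www.microsoft.com
2021-08-12T08:28:03Z 10.0.0.5 tcp sytareliar.xyz:80
2021-08-12T08:28:05Z 10.0.0.5 sni all-brain-company.xyz
2021-08-12T08:28:07Z 10.0.0.5 dns mail.yabelesatg.xyz
2021-08-12T08:28:09Z 10.0.0.5 tcp ceneimarck.xyz:443
2021-08-12T08:28:11Z 10.0.0.5 dns notsytareliar.xyz
"""


def normalise(host):
    """Lower-case and strip a trailing dot so 'FOO.xyz.' matches 'foo.xyz'."""
    return host.strip().lower().rstrip(".")


def domain_matches(host, indicator):
    """True for the indicator itself or any subdomain of it. 'notsytareliar.xyz'
    must not match 'sytareliar.xyz', hence the explicit dot boundary."""
    host = normalise(host)
    return host == indicator or host.endswith("." + indicator)


def classify(line):
    """Return (tag, indicator) when a line hits a listed indicator, else None.
    tag is one of: dns, sni, c2 (host and port both match the config),
    c2-domain-other-port (config domain contacted on an unlisted port)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, _src, kind, value = parts
    if kind in ("dns", "sni"):
        for ind in list(REDLINE_C2) + sorted(SNI_ALERT_DOMAINS):
            if domain_matches(value, ind):
                return (kind, ind)
        return None
    if kind == "tcp":
        host, _, port = value.rpartition(":")
        for ind, c2_port in REDLINE_C2.items():
            if domain_matches(host, ind):
                tag = "c2" if port == str(c2_port) else "c2-domain-other-port"
                return (tag, f"{ind}:{port}")
    return None


def scan(text):
    """Run classify() over every line; returns [(line, (tag, indicator)), ...]."""
    hits = []
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            hits.append((line, hit))
    return hits


if __name__ == "__main__":
    for line, (tag, ind) in scan(SAMPLE_LOGS):
        print(f"{tag:22} {ind:28} <- {line}")
```

Subdomain matching is deliberate: stealer operators rotate hosts under the same registered domain, and the lookup of mail.yabelesatg.xyz in the sample would otherwise be missed. A connection to a config domain on a port other than 80 is still reported, just tagged separately, so an analyst can tell a config-exact hit from a domain-only one.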
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3944-144-0x0000000004D90000-0x0000000004DC3000-memory.dmp | family_redline
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
Note: the YARA hit is in the memory of pid 3944 (1774412.exe), i.e. the RedLine payload is the unpacked image of that dropped file. The Suricata rule is named for a different family and its domain does not appear in the extracted RedLine config; treat all-brain-company .xyz as an additional network IoC observed during this run rather than as a RedLine C2.
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
3996 | 5926773.exe
3168 | 7209319.exe
3944 | 1774412.exe
3572 | 3754601.exe
2324 | WinHoster.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 7209319.exe
Note: this is the per-user Run key (HKCU for the sandbox's Admin account, SID ...-1000), so the persistence needs no elevation. The value name is WinHost and the target is a copy of 7209319.exe placed under %APPDATA%\WinHost\ (the two files share hashes in the Downloads section below).
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
Note: the writer is WerFault.exe, not the malware; this is Windows Error Reporting refreshing Amcache while handling the crash of 3754601.exe (see Program crash below), so the file is a side effect of the crash rather than a dropped artifact.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an infostealer such as this sample it is more consistent with enumerating drives to locate files for collection.
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
576 | 3996 | WerFault.exe | 5926773.exe
3152 | 3572 | WerFault.exe | 3754601.exe
Note: the crash of 5926773.exe was handled by the 64-bit WerFault.exe (system32) and the crash of 3754601.exe by the 32-bit one (SysWOW64), so the two droppee binaries are of different bitness. Two of the four dropped executables crashing before doing anything means the behaviour seen here may be incomplete compared to a run on a real host.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes (repeated entries collapsed; hits is the number of times the pid appears):
pid | process | hits
3996 | 5926773.exe | 1
576 | WerFault.exe | 15
3572 | 3754601.exe | 1
3152 | WerFault.exe | 15
3944 | 1774412.exe | 1
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 860 | 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe
Token: SeDebugPrivilege | 3996 | 5926773.exe
Token: SeDebugPrivilege | 3572 | 3754601.exe
Token: SeDebugPrivilege | 3944 | 1774412.exe
Token: SeDebugPrivilege | 576 | WerFault.exe
Token: SeRestorePrivilege | 3152 | WerFault.exe
Token: SeBackupPrivilege | 3152 | WerFault.exe
Token: SeBackupPrivilege | 3152 | WerFault.exe
Token: SeDebugPrivilege | 3152 | WerFault.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes (each row is one parent/child pair; writes is the number of WriteProcessMemory entries for it):
pid | process | target pid | target process | writes
860 | 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe | 3996 | 5926773.exe | 2
860 | 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe | 3168 | 7209319.exe | 3
860 | 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe | 3944 | 1774412.exe | 3
860 | 3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe | 3572 | 3754601.exe | 3
3168 | 7209319.exe | 2324 | WinHoster.exe | 3
Note: a few writes from a parent into a freshly created child are what normal process creation looks like on the sandbox's hooks; the entries are consistent with the parent launching its droppees, not with injection into a foreign process.
Processes
-
[pid 860] C:\Users\Admin\AppData\Local\Temp\3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  [pid 3996] C:\Users\Admin\AppData\Roaming\5926773.exe
    command line: "C:\Users\Admin\AppData\Roaming\5926773.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    [pid 576] C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 3996 -s 2136
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  -
  [pid 3168] C:\Users\Admin\AppData\Roaming\7209319.exe
    command line: "C:\Users\Admin\AppData\Roaming\7209319.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    -
    [pid 2324] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      - Executes dropped EXE
  -
  [pid 3944] C:\Users\Admin\AppData\Roaming\1774412.exe
    command line: "C:\Users\Admin\AppData\Roaming\1774412.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  -
  [pid 3572] C:\Users\Admin\AppData\Roaming\3754601.exe
    command line: "C:\Users\Admin\AppData\Roaming\3754601.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    [pid 3152] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2228
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Roaming\1774412.exe
MD5: bb470004aa699664c19b399c5e86d493
SHA1: 1cb81c5e9189954a2b8d400051eef04851f67f13
SHA256: 0f5aa0e94dd4a987efaeca7c6b8abfc4d593596408389555d5b73f627d13add9
SHA512: d1109ba1f5829f3effff21893724798a3f0c75fb772abd10c0bb8e2e78e98b05dcef29ac0d850a7a3eb8980aadd8ea7c1eee5155d0f63a2ee1cb7f58c7dd4093
-
C:\Users\Admin\AppData\Roaming\3754601.exe
MD5: 53d7fdc14532454784b25e7d9e03a1ea
SHA1: 59fdcb845b0af484b06113b2c87bdecd2240b3c0
SHA256: 1e9ae7d5d56d0edec67e34170dfe3dd19bb5796e4b76f6e375c419d5997059a0
SHA512: 1cf1f5beb78d25e2a02de05137ce46be83da96bf7342b7e0421fe8b0c5dde89b545188457425d5599ea7d68b0872af2c5375c2d116744b6c630f5359a1e50adc
-
C:\Users\Admin\AppData\Roaming\5926773.exe
MD5: 7a0118a33baa712a7c0ed95d140d09d0
SHA1: 94b4edbcf6c9527f86b20c12c8a505031316bf6f
SHA256: 172a9e30421d9cecba28556b530f7de62ad342b9a6fd178c185e971a3db4dee0
SHA512: 0026f6fb0352679fa049ddb2e57ea62cea501380b3b27809fbd249ecc3eb992dc0dbc3a9426a4f6c2bf8394db2b84da571b2fe36328411fd2613c8916723521d
-
C:\Users\Admin\AppData\Roaming\7209319.exe
MD5: 1d095bc417db73c6bc6e4c4e7b43106f
SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5: 1d095bc417db73c6bc6e4c4e7b43106f
SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
Note: WinHoster.exe and 7209319.exe have identical hashes, so the Run-key target is a byte-for-byte copy of the dropped 7209319.exe rather than a second payload. The four %APPDATA% droppees have distinct hashes and are separate binaries, of which 1774412.exe is the one carrying the RedLine payload (YARA hit in pid 3944 memory).
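The block below is an added example, not part of this sandbox report: it parses the Downloads entries in the fused form the report uses (path with the "MD5" label run onto it, then one hash per line with the label run onto the value), collapses the duplicated entries, groups the dropped files by content hash, and ties the Run-key target from the Signatures section to the file it was copied from. RAW holds the report's own paths and hashes (SHA512 lines omitted for brevity, and the duplicated WinHoster.exe entry kept on purpose); the duplicated-entry format and RUN_KEY_TARGET come from this page, everything else is the example's own.

```python
"""Added example (not part of the sandbox report): parse the report's Downloads
entries, drop duplicates, group dropped files by hash, and find which dropped
file the Run-key target was copied from. RAW is copied from the report."""
import hashlib
import re
from collections import defaultdict

RAW = r"""
C:\Users\Admin\AppData\Roaming\1774412.exeMD5
bb470004aa699664c19b399c5e86d493
SHA2560f5aa0e94dd4a987efaeca7c6b8abfc4d593596408389555d5b73f627d13add9
-
C:\Users\Admin\AppData\Roaming\3754601.exeMD5
53d7fdc14532454784b25e7d9e03a1ea
SHA2561e9ae7d5d56d0edec67e34170dfe3dd19bb5796e4b76f6e375c419d5997059a0
-
C:\Users\Admin\AppData\Roaming\5926773.exeMD5
7a0118a33baa712a7c0ed95d140d09d0
SHA256172a9e30421d9cecba28556b530f7de62ad342b9a6fd178c185e971a3db4dee0
-
C:\Users\Admin\AppData\Roaming\7209319.exeMD5
1d095bc417db73c6bc6e4c4e7b43106f
SHA256b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
1d095bc417db73c6bc6e4c4e7b43106f
SHA256b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exeMD5
1d095bc417db73c6bc6e4c4e7b43106f
SHA256b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
"""

# Run key value written by 7209319.exe, from the 'Adds Run key' signature.
RUN_KEY_TARGET = r"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


def parse_downloads(raw):
    """Return [{'path', 'md5', 'sha256', ...}, ...] from the flattened text."""
    records, cur, pending = [], None, None
    for line in raw.splitlines():
        line = line.strip()
        if not line or line == "-":
            continue
        if "\\" in line and line.endswith("MD5"):   # path with fused MD5 label
            cur = {"path": line[:-3]}
            records.append(cur)
            pending = "md5"                          # its value is on the next line
            continue
        if pending and cur is not None:
            cur[pending] = line.lower()
            pending = None
            continue
        m = HASH_RE.match(line)                      # 'SHA256<hex>' style lines
        if m and cur is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {cur['path']}")
            cur[algo] = digest
    return records


def dedupe(records):
    """The report lists every file twice; keep the first (path, sha256) pair."""
    seen, out = set(), []
    for r in records:
        key = (r["path"].lower(), r["sha256"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def group_by_sha256(records):
    """sha256 -> [paths]; two paths under one hash is the same bytes twice."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["path"])
    return dict(groups)


def persistence_source(records, run_target=RUN_KEY_TARGET):
    """Dropped files byte-identical to the Run-key target, excluding the target."""
    by_path = {r["path"].lower(): r for r in records}
    target = by_path.get(run_target.lower())
    if target is None:
        return []
    return [r["path"] for r in records
            if r["sha256"] == target["sha256"] and r["path"].lower() != run_target.lower()]


def lookup(sha256_hex, records):
    """Record whose SHA256 matches, or None."""
    sha256_hex = sha256_hex.lower()
    return next((r for r in records if r["sha256"] == sha256_hex), None)


def check_file(path, records):
    """Hash a local file and look it up: the check to run on a suspect host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return lookup(h.hexdigest(), records)
```

Running `persistence_source(dedupe(parse_downloads(RAW)))` returns the single path of 7209319.exe, which is the page's finding that the persisted WinHoster.exe is a copy of that droppee. Length checks on each digest catch the most common copy-paste failure with fused labels, a digit swallowed into the label or lost at the end, before a wrong hash ends up in a blocklist.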
-
memory/860-122-0x000000001AD90000-0x000000001AD92000-memory.dmp  Filesize 8KB
memory/860-114-0x00000000000A0000-0x00000000000A1000-memory.dmp  Filesize 4KB
memory/860-118-0x0000000000710000-0x0000000000711000-memory.dmp  Filesize 4KB
memory/860-117-0x0000000000510000-0x000000000052C000-memory.dmp  Filesize 112KB
memory/860-116-0x0000000000500000-0x0000000000501000-memory.dmp  Filesize 4KB
-
memory/2324-155-0x0000000000000000-mapping.dmp
memory/2324-166-0x0000000008520000-0x0000000008521000-memory.dmp  Filesize 4KB
memory/2324-165-0x0000000005470000-0x0000000005471000-memory.dmp  Filesize 4KB
-
memory/3168-138-0x0000000000710000-0x0000000000711000-memory.dmp  Filesize 4KB
memory/3168-150-0x00000000074C0000-0x00000000074C1000-memory.dmp  Filesize 4KB
memory/3168-127-0x0000000000000000-mapping.dmp
memory/3168-146-0x0000000007920000-0x0000000007921000-memory.dmp  Filesize 4KB
memory/3168-145-0x0000000001020000-0x0000000001027000-memory.dmp  Filesize 28KB
-
memory/3572-164-0x0000000008BB0000-0x0000000008BB1000-memory.dmp  Filesize 4KB
memory/3572-149-0x0000000002F80000-0x0000000002F81000-memory.dmp  Filesize 4KB
memory/3572-140-0x0000000000E40000-0x0000000000E41000-memory.dmp  Filesize 4KB
memory/3572-169-0x0000000009250000-0x0000000009251000-memory.dmp  Filesize 4KB
memory/3572-132-0x0000000000000000-mapping.dmp
memory/3572-147-0x0000000007D40000-0x0000000007D6B000-memory.dmp  Filesize 172KB
-
memory/3944-130-0x0000000000000000-mapping.dmp
memory/3944-139-0x0000000000580000-0x0000000000581000-memory.dmp  Filesize 4KB
memory/3944-176-0x00000000092C0000-0x00000000092C1000-memory.dmp  Filesize 4KB
memory/3944-151-0x0000000007340000-0x0000000007341000-memory.dmp  Filesize 4KB
memory/3944-152-0x00000000073A0000-0x00000000073A1000-memory.dmp  Filesize 4KB
memory/3944-153-0x0000000004F20000-0x0000000004F21000-memory.dmp  Filesize 4KB
memory/3944-154-0x00000000073E0000-0x00000000073E1000-memory.dmp  Filesize 4KB
memory/3944-174-0x00000000091F0000-0x00000000091F1000-memory.dmp  Filesize 4KB
memory/3944-171-0x0000000008C40000-0x0000000008C41000-memory.dmp  Filesize 4KB
memory/3944-170-0x0000000008540000-0x0000000008541000-memory.dmp  Filesize 4KB
memory/3944-161-0x0000000007590000-0x0000000007591000-memory.dmp  Filesize 4KB
memory/3944-144-0x0000000004D90000-0x0000000004DC3000-memory.dmp  Filesize 204KB  (family_redline YARA hit)
memory/3944-148-0x0000000007930000-0x0000000007931000-memory.dmp  Filesize 4KB
-
memory/3996-134-0x000000001B3C0000-0x000000001B3C2000-memory.dmp  Filesize 8KB
memory/3996-126-0x0000000000A00000-0x0000000000A34000-memory.dmp  Filesize 208KB
memory/3996-119-0x0000000000000000-mapping.dmp
memory/3996-123-0x00000000004C0000-0x00000000004C1000-memory.dmp  Filesize 4KB
memory/3996-125-0x00000000009F0000-0x00000000009F1000-memory.dmp  Filesize 4KB
memory/3996-129-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize 4KB