Analysis
- max time kernel: 19s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-08-2021 07:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe
- Resource: win10v20210410
General
- Target: becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe
- Size: 121KB
- MD5: fb4102237f89badf92e6bd2359dc1b51
- SHA1: 9984a66eeb606ed213388907ee249a6f8f3c04a6
- SHA256: becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2
- SHA512: 44431f9e37c2049d8251dd7c02c31fd8e45778b0d8fdd584a37ae453f8095d2dc4f4f6730c9c6524e45b93de6642053ca3efcacf601e89aca8047229a9c71af8
Malware Config
Extracted
- Family: redline
- Botnet ID: 7new
- C2:
  - sytareliar.xyz:80
  - yabelesatg.xyz:80
  - ceneimarck.xyz:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Resource: behavioral1/memory/2688-141-0x0000000006DA0000-0x0000000006DD2000-memory.dmp
  YARA rule: family_redline
  suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
- Executes dropped EXE (5 IoCs)
  PID 1404: 7047621.exe
  PID 2628: 2336772.exe
  PID 2688: 5014601.exe
  PID 3708: 8303752.exe
  PID 3868: WinHoster.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" (process: 2336772.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp (process: WerFault.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  PID 4160 WerFault.exe, target PID 1404 7047621.exe
  PID 4236 WerFault.exe, target PID 3708 8303752.exe
- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  PID 1404 7047621.exe
  PID 3708 8303752.exe
  PID 4160 WerFault.exe (16 entries)
  PID 4236 WerFault.exe (16 entries)
  PID 2688 5014601.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token SeDebugPrivilege: PID 1696 becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe
  Token SeDebugPrivilege: PID 1404 7047621.exe
  Token SeDebugPrivilege: PID 3708 8303752.exe
  Token SeDebugPrivilege: PID 2688 5014601.exe
  Token SeDebugPrivilege: PID 4160 WerFault.exe
  Token SeRestorePrivilege: PID 4236 WerFault.exe
  Token SeBackupPrivilege: PID 4236 WerFault.exe (2 entries)
  Token SeDebugPrivilege: PID 4236 WerFault.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1696 (becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe) wrote to memory of PID 1404 (7047621.exe), 2 entries
  PID 1696 (becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe) wrote to memory of PID 2628 (2336772.exe), 3 entries
  PID 1696 (becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe) wrote to memory of PID 2688 (5014601.exe), 3 entries
  PID 1696 (becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe) wrote to memory of PID 3708 (8303752.exe), 3 entries
  PID 2628 (2336772.exe) wrote to memory of PID 3868 (WinHoster.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\becfdc7b1badda3daa16f88567ab535e914c42c040b7d3b98ef9e79f0c9703c2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\7047621.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7047621.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1404 -s 2028
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\2336772.exe
    Command line: "C:\Users\Admin\AppData\Roaming\2336772.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      Command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\5014601.exe
    Command line: "C:\Users\Admin\AppData\Roaming\5014601.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\8303752.exe
    Command line: "C:\Users\Admin\AppData\Roaming\8303752.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1820
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken