Analysis

max time kernel: 28s
max time network: 114s
platform: windows10_x64
resource: win10v20210408
submitted: 15-08-2021 21:09

Static task: static1
Behavioral task: behavioral1
Sample: c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe
Resource: win10v20210408

General

Target: c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe
Size: 131KB
MD5: 6301e9c998f8c01fda4f923f6d027c58
SHA1: f5e9a39ddd9ffbe627b492653c46c5ba9e25240a
SHA256: c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b
SHA512: 1302d2a51d72aab781db8dd862aa814686f85bc8061a4acf72538af704c14ea78f2d514285e54e5173ea5924fc1fe1b7c7ba32e78554356144f2b9f7eda71a30
Malware Config
Extracted
redline
7new
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2592-141-0x0000000004E80000-0x0000000004EB2000-memory.dmp  family_redline
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
Executes dropped EXE 5 IoCs
Processes:
pid   process
1560  4981553.exe
1280  7825578.exe
2592  3088313.exe
3828  6377463.exe
1748  WinHoster.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process: 7825578.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 1 IoCs
Processes:
process: WerFault.exe
description: File created
ioc: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
2564  1560        WerFault.exe  4981553.exe
3920  3828        WerFault.exe  6377463.exe
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
pid   process
1560  4981553.exe
2564  WerFault.exe (15 identical entries)
3828  6377463.exe
3920  WerFault.exe (15 identical entries)
2592  3088313.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description                pid   process
Token: SeDebugPrivilege    3716  c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe
Token: SeDebugPrivilege    1560  4981553.exe
Token: SeDebugPrivilege    3828  6377463.exe
Token: SeDebugPrivilege    2592  3088313.exe
Token: SeDebugPrivilege    2564  WerFault.exe
Token: SeRestorePrivilege  3920  WerFault.exe
Token: SeBackupPrivilege   3920  WerFault.exe
Token: SeBackupPrivilege   3920  WerFault.exe
Token: SeDebugPrivilege    3920  WerFault.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description                       pid   process                                                                target process
PID 3716 wrote to memory of 1560  3716  c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe  4981553.exe (2 identical entries)
PID 3716 wrote to memory of 1280  3716  c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe  7825578.exe (3 identical entries)
PID 3716 wrote to memory of 2592  3716  c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe  3088313.exe (3 identical entries)
PID 3716 wrote to memory of 3828  3716  c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe  6377463.exe (3 identical entries)
PID 1280 wrote to memory of 1748  1280  7825578.exe                                                            WinHoster.exe (3 identical entries)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c512a329b9361a9d68d6feaeca69e6a146cead46a222b26627d74daa8388c48b.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Roaming\4981553.exe
    command line: "C:\Users\Admin\AppData\Roaming\4981553.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 1560 -s 2024
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Users\Admin\AppData\Roaming\7825578.exe
    command line: "C:\Users\Admin\AppData\Roaming\7825578.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      - Executes dropped EXE

  [depth 2] C:\Users\Admin\AppData\Roaming\3088313.exe
    command line: "C:\Users\Admin\AppData\Roaming\3088313.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Users\Admin\AppData\Roaming\6377463.exe
    command line: "C:\Users\Admin\AppData\Roaming\6377463.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 2224
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Roaming\3088313.exe
MD5: 847f33cf691e4880c90eedbd843eecef
SHA1: f1ceaa79cde6aae1101ff25661594e4fb3a300af
SHA256: 22561d7f28f4914eb00ece540d4b48e3064706e3e627e6b46c58b35311aa27c7
SHA512: de5e34f0158d878e50e9ad558093585fb0302348f78997b9f429747357ce7acad84357548d584aa2c1a81030caf44adfb4f6954051449aa805cfe906b47308af
-
C:\Users\Admin\AppData\Roaming\4981553.exe
MD5: c1c2faffcf934cd29b20b4922ea0d2f7
SHA1: a2e239069b9559de7c6a3ddb35653e64e1dcbede
SHA256: cd364c53f5dd10e6a4d9e0992a471a398580a322531ffb09c6184118e8226fe1
SHA512: 238e18d61fed19fb2d887dc20aa7b43af6807e4cd1ca662f97b7ba63fd734f0df2a703c25acbb8f502c06957e874231319c0138f07663b661fa192349beaf0ff
-
C:\Users\Admin\AppData\Roaming\6377463.exe
MD5: 36acd7e8f309426cb30aeda6c58234a6
SHA1: e111555e3324dcb03fda2b03fd4f765dec10ee75
SHA256: d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d
SHA512: 62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c
-
C:\Users\Admin\AppData\Roaming\7825578.exe
MD5: 1d095bc417db73c6bc6e4c4e7b43106f
SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5: 1d095bc417db73c6bc6e4c4e7b43106f
SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097