Analysis
max time kernel: 101s
max time network: 142s
platform: windows10_x64
resource: win10v20210410
submitted: 16-08-2021 06:26
Static task: static1
Behavioral task: behavioral1
Sample: 51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe
Resource: win10v20210410
General
Target: 51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe
Size: 121KB
MD5: 7be8906b31d19fba436de74f50581c98
SHA1: 5ecbd73398496ae53d77bfc76644faae8287c456
SHA256: 51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0
SHA512: 335488b772f4584e945e3b8e7e64005dcc34ade9691186dc5c5aa95192765487630563c4eb1e000aa3edbf7a57aa918f5db4896e59064449113309d6670d7640
Malware Config
Extracted config: redline, 7new
C2: sytareliar.xyz:80
C2: yabelesatg.xyz:80
C2: ceneimarck.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource: behavioral1/memory/3864-142-0x00000000030B0000-0x00000000030E2000-memory.dmp, yara_rule: family_redline
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
Executes dropped EXE 5 IoCs
Processes:
pid 2580: 4502753.exe
pid 2940: 6928068.exe
pid 3864: 1519576.exe
pid 684: 1938287.exe
pid 740: WinHoster.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process 6928068.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 1 IoCs
Processes:
process WerFault.exe: File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid 4000 WerFault.exe, target pid 2580 4502753.exe
pid 2612 WerFault.exe, target pid 684 1938287.exe
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid 3864: 1519576.exe
pid 2580: 4502753.exe
pid 684: 1938287.exe
pid 4000: WerFault.exe (14 entries)
pid 2612: WerFault.exe (14 entries)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
pid 1852 51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe: Token: SeDebugPrivilege
pid 2580 4502753.exe: Token: SeDebugPrivilege
pid 684 1938287.exe: Token: SeDebugPrivilege
pid 3864 1519576.exe: Token: SeDebugPrivilege
pid 4000 WerFault.exe: Token: SeDebugPrivilege
pid 2612 WerFault.exe: Token: SeRestorePrivilege
pid 2612 WerFault.exe: Token: SeBackupPrivilege
pid 2612 WerFault.exe: Token: SeBackupPrivilege
pid 2612 WerFault.exe: Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
PID 1852 (51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe) wrote to memory of 2580 (4502753.exe): 2 entries
PID 1852 (51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe) wrote to memory of 2940 (6928068.exe): 3 entries
PID 1852 (51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe) wrote to memory of 3864 (1519576.exe): 3 entries
PID 1852 (51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe) wrote to memory of 684 (1938287.exe): 3 entries
PID 2940 (6928068.exe) wrote to memory of 740 (WinHoster.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\51852436597bbdbe4160762d2e6148c3785bf03eb122774ab7e4a5aae64a2be0.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\4502753.exe
    command line: "C:\Users\Admin\AppData\Roaming\4502753.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2580 -s 2036
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\6928068.exe
    command line: "C:\Users\Admin\AppData\Roaming\6928068.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\1519576.exe
    command line: "C:\Users\Admin\AppData\Roaming\1519576.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\1938287.exe
    command line: "C:\Users\Admin\AppData\Roaming\1938287.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 2204
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\1519576.exe
MD5: 847f33cf691e4880c90eedbd843eecef
SHA1: f1ceaa79cde6aae1101ff25661594e4fb3a300af
SHA256: 22561d7f28f4914eb00ece540d4b48e3064706e3e627e6b46c58b35311aa27c7
SHA512: de5e34f0158d878e50e9ad558093585fb0302348f78997b9f429747357ce7acad84357548d584aa2c1a81030caf44adfb4f6954051449aa805cfe906b47308af
-
C:\Users\Admin\AppData\Roaming\1938287.exe
MD5: 36acd7e8f309426cb30aeda6c58234a6
SHA1: e111555e3324dcb03fda2b03fd4f765dec10ee75
SHA256: d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d
SHA512: 62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c
-
C:\Users\Admin\AppData\Roaming\4502753.exe
MD5: c1c2faffcf934cd29b20b4922ea0d2f7
SHA1: a2e239069b9559de7c6a3ddb35653e64e1dcbede
SHA256: cd364c53f5dd10e6a4d9e0992a471a398580a322531ffb09c6184118e8226fe1
SHA512: 238e18d61fed19fb2d887dc20aa7b43af6807e4cd1ca662f97b7ba63fd734f0df2a703c25acbb8f502c06957e874231319c0138f07663b661fa192349beaf0ff
-
C:\Users\Admin\AppData\Roaming\6928068.exe
MD5: 1d095bc417db73c6bc6e4c4e7b43106f
SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5: 1d095bc417db73c6bc6e4c4e7b43106f
SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
-
memory/684-148-0x0000000002220000-0x000000000224B000-memory.dmp (172KB)
memory/684-141-0x0000000004890000-0x0000000004891000-memory.dmp (4KB)
memory/684-129-0x0000000000000000-mapping.dmp
memory/684-134-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
memory/684-172-0x0000000008400000-0x0000000008401000-memory.dmp (4KB)
memory/740-150-0x0000000000000000-mapping.dmp
memory/740-158-0x00000000088E0000-0x00000000088E1000-memory.dmp (4KB)
memory/740-161-0x0000000005980000-0x0000000005981000-memory.dmp (4KB)
memory/1852-117-0x000000001B860000-0x000000001B862000-memory.dmp (8KB)
memory/1852-116-0x00000000012B0000-0x00000000012C6000-memory.dmp (88KB)
memory/1852-114-0x0000000000B80000-0x0000000000B81000-memory.dmp (4KB)
memory/2580-121-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
memory/2580-139-0x0000000002050000-0x0000000002052000-memory.dmp (8KB)
memory/2580-118-0x0000000000000000-mapping.dmp
memory/2580-126-0x0000000002060000-0x000000000208B000-memory.dmp (172KB)
memory/2940-123-0x0000000000000000-mapping.dmp
memory/2940-145-0x0000000007180000-0x0000000007181000-memory.dmp (4KB)
memory/2940-143-0x00000000075E0000-0x00000000075E1000-memory.dmp (4KB)
memory/2940-140-0x00000000027B0000-0x00000000027B7000-memory.dmp (28KB)
memory/2940-133-0x00000000003C0000-0x00000000003C1000-memory.dmp (4KB)
memory/3864-127-0x0000000000000000-mapping.dmp
memory/3864-149-0x0000000007C90000-0x0000000007C91000-memory.dmp (4KB)
memory/3864-147-0x0000000007C50000-0x0000000007C51000-memory.dmp (4KB)
memory/3864-146-0x0000000007BF0000-0x0000000007BF1000-memory.dmp (4KB)
memory/3864-144-0x0000000008200000-0x0000000008201000-memory.dmp (4KB)
memory/3864-159-0x0000000007E30000-0x0000000007E31000-memory.dmp (4KB)
memory/3864-160-0x0000000005780000-0x0000000005781000-memory.dmp (4KB)
memory/3864-142-0x00000000030B0000-0x00000000030E2000-memory.dmp (200KB)
memory/3864-162-0x00000000092E0000-0x00000000092E1000-memory.dmp (4KB)
memory/3864-163-0x00000000099E0000-0x00000000099E1000-memory.dmp (4KB)
memory/3864-164-0x0000000009230000-0x0000000009231000-memory.dmp (4KB)
memory/3864-165-0x00000000098B0000-0x00000000098B1000-memory.dmp (4KB)
memory/3864-168-0x00000000099C0000-0x00000000099C1000-memory.dmp (4KB)
memory/3864-137-0x0000000000E20000-0x0000000000E21000-memory.dmp (4KB)