Analysis
max time kernel: 56s
max time network: 58s
platform: windows10_x64
resource: win10v20210408
submitted: 06-10-2021 05:37
Static task: static1
Behavioral task: behavioral1
Sample: c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Resource: win10v20210408

General
Target: c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Size: 173KB
MD5: a15cfab138e8757a1f15de1bb54f304b
SHA1: 3e4b076de410be96d02076b927f47be45c3968e7
SHA256: c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771
SHA512: 6199040c478bed5bb8f844d27bcb6b64386c0648cf25886b53e771c868ba9bb8d92fcc30d9831761e3af90aacc9ac67118ba1b3d47dd30ebb70fa9e1588c8670
Malware Config
Signatures
-
CoreEntity .NET Packer 2 IoCs
A .NET packer called CoreEntity that embeds its payload as a BitMap object which is decrypted at runtime.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\laecdym.tmp | coreentity
C:\Users\Admin\AppData\Roaming\laecdym.exe | coreentity
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\laecdym.tmp | family_redline
C:\Users\Admin\AppData\Roaming\laecdym.exe | family_redline
Executes dropped EXE 2 IoCs
Processes:
pid | process
60 | laecdym.exe
3232 | laecdym.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\laecdym.exe | upx
C:\Users\Admin\AppData\Roaming\laecdym.exe | upx
C:\Users\Admin\AppData\Roaming\laecdym.tmp | upx
C:\Users\Admin\AppData\Roaming\laecdym.exe | upx
behavioral1/memory/1396-144-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1396-150-0x0000000000400000-0x000000000041C000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tvypufk = "C:\\Users\\Admin\\AppData\\Roaming\\laecdym.exe" | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | laecdym.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | laecdym.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 60 set thread context of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 set thread context of 3128 | 60 | laecdym.exe | svchost.exe
PID 3232 set thread context of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 set thread context of 1396 | 3232 | laecdym.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2980 | 3128 | WerFault.exe | svchost.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes" | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes" | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no" | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = "0" | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: 34 | 1536 | svchost.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
60 | laecdym.exe
3232 | laecdym.exe
1396 | svchost.exe
1396 | svchost.exe
1396 | svchost.exe
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
description | pid | process | target process
PID 628 wrote to memory of 60 | 628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe | laecdym.exe
PID 628 wrote to memory of 60 | 628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe | laecdym.exe
PID 628 wrote to memory of 60 | 628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe | laecdym.exe
PID 628 wrote to memory of 1232 | 628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe | cmd.exe
PID 628 wrote to memory of 1232 | 628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe | cmd.exe
PID 628 wrote to memory of 1232 | 628 | c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe | cmd.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 1536 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 3128 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 3128 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 3128 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 3128 | 60 | laecdym.exe | svchost.exe
PID 60 wrote to memory of 3104 | 60 | laecdym.exe | cmd.exe
PID 60 wrote to memory of 3104 | 60 | laecdym.exe | cmd.exe
PID 60 wrote to memory of 3104 | 60 | laecdym.exe | cmd.exe
PID 3104 wrote to memory of 3232 | 3104 | cmd.exe | laecdym.exe
PID 3104 wrote to memory of 3232 | 3104 | cmd.exe | laecdym.exe
PID 3104 wrote to memory of 3232 | 3104 | cmd.exe | laecdym.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 624 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
PID 3232 wrote to memory of 1396 | 3232 | laecdym.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe"
  PID: 628
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\laecdym.exe
    Command line: C:\Users\Admin\AppData\Roaming\laecdym.exe -copystart
    PID: 60
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\syswow64\svchost.exe
      Command line: "c:\windows\syswow64\svchost.exe"
      PID: 1536
      - Suspicious use of AdjustPrivilegeToken
    \??\c:\windows\syswow64\svchost.exe
      Command line: "c:\windows\syswow64\svchost.exe"
      PID: 3128
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 92
        PID: 2980
        - Program crash
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\laecdym.bat
      PID: 3104
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\laecdym.exe
        Command line: "C:\Users\Admin\AppData\Roaming\laecdym.exe"
        PID: 3232
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\syswow64\svchost.exe
          Command line: "c:\windows\syswow64\svchost.exe"
          PID: 624
        \??\c:\windows\syswow64\svchost.exe
          Command line: "c:\windows\syswow64\svchost.exe"
          PID: 1396
          - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\hherslht.bat
    PID: 1232
Network
MITRE ATT&CK Enterprise v6
Downloads