Analysis

  • max time kernel
    56s
  • max time network
    58s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-10-2021 05:37

General

  • Target

    c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe

  • Size

    173KB

  • MD5

    a15cfab138e8757a1f15de1bb54f304b

  • SHA1

    3e4b076de410be96d02076b927f47be45c3968e7

  • SHA256

    c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771

  • SHA512

    6199040c478bed5bb8f844d27bcb6b64386c0648cf25886b53e771c868ba9bb8d92fcc30d9831761e3af90aacc9ac67118ba1b3d47dd30ebb70fa9e1588c8670

Malware Config

Signatures

  • CoreEntity .NET Packer 2 IoCs

    A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe
    "C:\Users\Admin\AppData\Local\Temp\c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Roaming\laecdym.exe
      C:\Users\Admin\AppData\Roaming\laecdym.exe -copystart
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:60
      • \??\c:\windows\syswow64\svchost.exe
        "c:\windows\syswow64\svchost.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
      • \??\c:\windows\syswow64\svchost.exe
        "c:\windows\syswow64\svchost.exe"
        3⤵
        PID:3128
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 92
          4⤵
          • Program crash
          PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\laecdym.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Users\Admin\AppData\Roaming\laecdym.exe
          "C:\Users\Admin\AppData\Roaming\laecdym.exe"
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3232
          • \??\c:\windows\syswow64\svchost.exe
            "c:\windows\syswow64\svchost.exe"
            5⤵
            PID:624
          • \??\c:\windows\syswow64\svchost.exe
            "c:\windows\syswow64\svchost.exe"
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:1396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\hherslht.bat
      2⤵
      PID:1232

Network

MITRE ATT&CK Enterprise v6

Downloads

        • C:\Users\Admin\AppData\Roaming\123cook.dat
          MD5

          974ffbca5bbd42034497785811c21aa4

          SHA1

          970444eafe20858171db647df9ad7dc22364dc95

          SHA256

          9b8b72587e35e3e887571532b3257ebcd28e79b2ef8aa705bc97d1ec18f5967c

          SHA512

          0e2889de4acf1e9486e245b6ec6901f58323785956857bbbef6ac611243e030dc4ec3a71869c3fdd74223fc193d3a7ca60f880a5a1558b9dcd3c4ae1c6ed26be

        • C:\Users\Admin\AppData\Roaming\dnsfix9.dat
          MD5

          23ec2f4d3c628f818d837b8185dc77d8

          SHA1

          d8beebfc53a348c4fa06277b625473735686d240

          SHA256

          2dddcbab5f4a269eaead1bcab3612f409f04a1a1e5bd8cc63e02ff452ac9b240

          SHA512

          806be85fb3ecc5f3501cbdfac2eb5c4310d6614605e6db91ce0f0b080121b51e616efcd44880fb829c4c092023d1d9edbbae5169e560f0d5d612dde950b714e3

        • C:\Users\Admin\AppData\Roaming\hherslht.bat
          MD5

          b082368cbee1f32f19a7e56efd1186af

          SHA1

          68dd18e7bcb185f094ee17ccfcbcdcc7d012b44f

          SHA256

          f21dd9765ced43566c417062ed542d5e3d73adbfdc5e153c338a686c95bceb78

          SHA512

          6cef1fabba685a08e53d90ca12510a6201d2736f222514f9774ffbe8863dd3857c42c0ce658c0fbbadeb7be0cce9101df801106c5511e3d83f577c4a623c5bc0

        • C:\Users\Admin\AppData\Roaming\laecdym.bat
          MD5

          215e9c23809a33afcfa6ba0c7a8f2432

          SHA1

          403605c75316ff763f559d2b01ce4e0102c08eca

          SHA256

          50892731df1a36551bb5feba4739773acc210628ca679dcbecb32c8e6e7c3cde

          SHA512

          6de9d3f613c410aa2f8d91b5021194f7c61afb40051ec1761ce3f6cf3128661fbbf954077f9073931fcee304a1150210853c918ff322b01116c67f7d22ad2b25

        • C:\Users\Admin\AppData\Roaming\laecdym.exe
          MD5

          2444e03117e660583838d48a661ae932

          SHA1

          572526db445f2f02b2e6d1c8dd82a870f60d9c5d

          SHA256

          b56d41d4181b040371c30b41ddbc4ef6eb25b735b5d789cc2f2033b1774293f2

          SHA512

          307d8c9b2d830c75cb0877af73752731e2523e7523b97a2a610d4a4fac817cf1a7402970951cbbba609346761c6f76535c3eb4e78ddf79e885db47d788a8f78e

        • C:\Users\Admin\AppData\Roaming\laecdym.exe
          MD5

          a15cfab138e8757a1f15de1bb54f304b

          SHA1

          3e4b076de410be96d02076b927f47be45c3968e7

          SHA256

          c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771

          SHA512

          6199040c478bed5bb8f844d27bcb6b64386c0648cf25886b53e771c868ba9bb8d92fcc30d9831761e3af90aacc9ac67118ba1b3d47dd30ebb70fa9e1588c8670

        • C:\Users\Admin\AppData\Roaming\laecdym.exe
          MD5

          a15cfab138e8757a1f15de1bb54f304b

          SHA1

          3e4b076de410be96d02076b927f47be45c3968e7

          SHA256

          c41c4f0e050c1985f10c47f82b1104b49c13f17a9da8feebaf2b444c01c30771

          SHA512

          6199040c478bed5bb8f844d27bcb6b64386c0648cf25886b53e771c868ba9bb8d92fcc30d9831761e3af90aacc9ac67118ba1b3d47dd30ebb70fa9e1588c8670

        • C:\Users\Admin\AppData\Roaming\laecdym.tmp
          MD5

          a7b4da75b991105c78e556a179e92379

          SHA1

          80f5cb6ee26acb8201903e1808343c339854fc6d

          SHA256

          403bdfdd7e789f73d463b8259481fc6744739edeadb0111124bc5743ab9e25ac

          SHA512

          bacf63303ae58b837fa62dece83ee85b592b24d3e419daf5495582c4b61da5e72434aec76328aed3a7db0e973cbec2c2fbde3520bdbb2a82721f91b6979633c2

        • memory/60-116-0x0000000000000000-mapping.dmp
        • memory/624-139-0x00000000004065F0-mapping.dmp
        • memory/624-142-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1232-121-0x0000000000000000-mapping.dmp
        • memory/1396-144-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1396-145-0x000000000041A630-mapping.dmp
        • memory/1396-150-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1536-127-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/1536-124-0x00000000004065F0-mapping.dmp
        • memory/1536-123-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize

          112KB

        • memory/3104-130-0x0000000000000000-mapping.dmp
        • memory/3128-129-0x000000000041A630-mapping.dmp
        • memory/3232-133-0x0000000000000000-mapping.dmp