Analysis
- max time kernel: 1800s
- max time network: 1802s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22-10-2021 14:39

Static task: static1

Behavioral tasks (all on sample keygen-step-4.exe):
- behavioral1: resource win7-ja-20211014
- behavioral2: resource win7-en-20211014
- behavioral3: resource win7-de-20211014
- behavioral4: resource win11
- behavioral5: resource win10-ja-20211014
- behavioral6: resource win10-en-20210920
- behavioral7: resource win10-de-20210920
General
- Target: keygen-step-4.exe
- Size: 4.2MB
- MD5: 00ebc043e56f9f084116b06bdda236af
- SHA1: 5cd4266a7b4500f3c9bfa5174b535d52361167ed
- SHA256: f6e16a4200c3510b4a0ddc031240495d36e9c1d47160e488606f0978e9bb0422
- SHA512: 03d5c4d62c09b18259d42168284b72eecb874e5ec12063edfb54637a833c376b0ab788fc20474f21969e674f29e135498aa46ddf1b62ef6f06c506037543ee67
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/920-75-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/920-76-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/920-77-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/920-78-0x0000000000418D3E-mapping.dmp | family_redline
  behavioral2/memory/920-80-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid | process
  1292 | KiffAppE2.exe
  1780 | PlsWnEU2.exe
  920 | PlsWnEU2.exe
- Loads dropped DLL (4 IoCs, all from the same process)
  pid | process
  1088 | keygen-step-4.exe (4 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  pid | process | target pid | target process
  1780 | PlsWnEU2.exe | 920 | PlsWnEU2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic rule text labels this "likely ransomware behaviour"; the process chain in this report is classified as a RedLine infostealer, for which drive enumeration is part of host fingerprinting and file collection rather than encryption, so the ransomware wording should not be taken as a second classification.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  pid | process | token
  1292 | KiffAppE2.exe | SeDebugPrivilege
  920 | PlsWnEU2.exe | SeDebugPrivilege
- Suspicious use of WriteProcessMemory (17 IoCs, grouped by source/target pair)
  pid | process | target pid | target process | entries
  1088 | keygen-step-4.exe | 1292 | KiffAppE2.exe | 4
  1292 | KiffAppE2.exe | 1780 | PlsWnEU2.exe | 4
  1780 | PlsWnEU2.exe | 920 | PlsWnEU2.exe | 9
Processes (image path, command line, depth in the tree)
- C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe  "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"  (depth 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"  (depth 4)
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the RarSFX0 directory is the extraction folder used by WinRAR self-extracting archives, so keygen-step-4.exe is an SFX wrapper that drops and runs KiffAppE2.exe, which in turn writes PlsWnEU2.exe into the Start Menu folder and starts it. That PlsWnEU2.exe (pid 1780) then spawns a second copy of itself (pid 920), writes into it nine times and calls SetThreadContext on it; the RedLine YARA hits are all on the memory of pid 920, so the depth-4 process is the hollowed host of the payload and the earlier stages are loaders.
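The signature tables and the process tree above describe the same sequence from two angles: PlsWnEU2.exe (pid 1780) writes into a freshly spawned copy of itself (pid 920), calls SetThreadContext on it, the family_redline YARA rule fires on the child's 0x400000-0x420000 region, and the sandbox records a mapping dump at 0x418D3E inside that region. The Python below is added here as an example and is not code from the Triage report or from RedLine; it correlates those rows into an injection verdict the way a detection rule would. The event tuples and the process tree are transcribed from the tables above; the field names, the verdict labels and the rule that "parent writes into a same-image child, then SetThreadContext on that child" means process hollowing are this example's own assumptions.

```python
"""Correlate this report's process events into an injection verdict.

Added example: not part of the Triage report and not RedLine code. The
process tree and event tuples are transcribed from the report; the field
names, verdict labels and the hollowing rule itself are this example's
assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# "Processes" section: pid -> (parent pid, image name)
PROCESSES = {
    1088: (None, "keygen-step-4.exe"),
    1292: (1088, "KiffAppE2.exe"),
    1780: (1292, "PlsWnEU2.exe"),
    920: (1780, "PlsWnEU2.exe"),
}

# (api, source pid, target pid), one tuple per IoC row in the signature tables.
EVENTS = (
    [("WriteProcessMemory", 1088, 1292)] * 4
    + [("WriteProcessMemory", 1292, 1780)] * 4
    + [("WriteProcessMemory", 1780, 920)] * 9
    + [("SetThreadContext", 1780, 920)]
    + [("AdjustPrivilegeToken", 1292, 1292), ("AdjustPrivilegeToken", 920, 920)]
)

# Memory artefacts on pid 920: the region the family_redline YARA rule matched
# and the address the sandbox recorded as the mapping (thread start) dump.
FLAGGED = {920: (0x400000, 0x420000)}
MAPPINGS = {920: 0x418D3E}


@dataclass
class Finding:
    source: int
    target: int
    writes: int
    set_context: bool
    same_image: bool
    is_child: bool
    source_sedebug: bool
    entry_in_flagged_region: bool

    @property
    def verdict(self) -> str:
        # Rule (assumption of this example): a parent that writes into a child
        # it just spawned and then rewrites that child's thread context is
        # hijacking execution; when the child runs the parent's own image that
        # is the hollowing / RunPE shape.
        if not self.is_child:
            return "cross-tree-write"
        if self.set_context:
            return "process-hollowing" if self.same_image else "thread-hijack"
        return "parent-write-only"


def correlate(events, procs, flagged, mappings):
    writes, ctx, sedebug = Counter(), set(), set()
    for api, src, dst in events:
        if api == "AdjustPrivilegeToken":
            sedebug.add(src)  # the report only lists SeDebugPrivilege
        elif api == "WriteProcessMemory" and src != dst:
            writes[(src, dst)] += 1
        elif api == "SetThreadContext" and src != dst:
            ctx.add((src, dst))

    findings = []
    for (src, dst), n in sorted(writes.items()):
        parent, dst_image = procs[dst]
        in_region = False
        if dst in flagged and dst in mappings:
            lo, hi = flagged[dst]
            in_region = lo <= mappings[dst] < hi
        findings.append(Finding(
            source=src, target=dst, writes=n,
            set_context=(src, dst) in ctx,
            same_image=procs[src][1] == dst_image,
            is_child=parent == src,
            source_sedebug=src in sedebug,
            entry_in_flagged_region=in_region,
        ))
    return findings


def summarize(findings):
    """Map 'src->dst' to its verdict, the shape a detection would alert on."""
    return {f"{f.source}->{f.target}": f.verdict for f in findings}


if __name__ == "__main__":
    for f in correlate(EVENTS, PROCESSES, FLAGGED, MAPPINGS):
        print(f"{f.source} -> {f.target}: writes={f.writes} "
              f"SetThreadContext={f.set_context} SeDebug(src)={f.source_sedebug} "
              f"entry_in_flagged_region={f.entry_in_flagged_region} => {f.verdict}")
```

Only the 1780 -> 920 pair satisfies all three conditions (child of the writer, same image, SetThreadContext), and the recorded mapping address 0x418D3E lies inside the region the YARA rule matched, which is what you would expect if the new thread context points into the injected image. The two earlier pairs are plain parent-to-child writes with no context change, consistent with loader stages rather than injection.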
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (repeated entries with identical hashes collapsed; the same file is listed once per task that produced it)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 9982548bcb150a3d3b5343dd94bf8aa8
  SHA1: fa2603eab815da449abff6622c47d95189ea5ef8
  SHA256: a3ff72dd984406d760a702399f5c0186bfd107677b4e8b7b1c4a1433eb0a106f
  SHA512: 9aae28845c4a55ddf7b6a24aff34d1450e04e404afcb49787217d95253ccef99d09b0c2115786e1bffba26d0e368bfb3d7a39753e181e873bdf642ee0ee45e98
  Note: CryptnetUrlCache entries are written by Windows CryptoAPI when it fetches certificate or revocation data over the network. This is a side effect of the run, not a dropped payload, and its hashes are not useful as indicators.
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe (also listed under the drive-relative path \Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe)
  MD5: 6a9bf2c46a15d1fc9142e16aed31e8dd
  SHA1: 802024dc5b3b37d123dfaa05f2b3c19e82f1f83f
  SHA256: fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb
  SHA512: c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
  MD5: 00160e8ca109521d28a89daa08cc2cae
  SHA1: 3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1
  SHA256: d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e
  SHA512: 1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309
Memory dumps (dump name: listed size)
- memory/920-75-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/920-77-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/920-82-0x0000000004A90000-0x0000000004A91000-memory.dmp: 4KB
- memory/920-80-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/920-78-0x0000000000418D3E-mapping.dmp: (mapping dump, no size listed)
- memory/920-76-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/920-73-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/920-74-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1088-55-0x0000000075B71000-0x0000000075B73000-memory.dmp: 8KB
- memory/1292-72-0x0000000000536000-0x0000000000555000-memory.dmp: 124KB
- memory/1292-63-0x0000000000240000-0x0000000000241000-memory.dmp: 4KB
- memory/1292-65-0x0000000000530000-0x0000000000532000-memory.dmp: 8KB
- memory/1292-60-0x0000000000000000-mapping.dmp: (mapping dump, no size listed)
- memory/1780-66-0x0000000000000000-mapping.dmp: (mapping dump, no size listed)
- memory/1780-71-0x0000000002250000-0x0000000002251000-memory.dmp: 4KB
- memory/1780-69-0x0000000000B70000-0x0000000000B71000-memory.dmp: 4KB
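The dropped-file and memory-dump entries above come out of the page with the hash label fused onto the preceding line ("...KiffAppE2.exeMD5", "SHA1802024...", "...memory.dmpFilesize"), the same file repeated once per task, and dump names that encode pid, sequence number and address range. The Python below is an added example, not code from the Triage report or from RedLine: it parses a transcribed slice of those entries back into records, validates each hash by length and alphabet so a mis-split label is caught, collapses repeated files by SHA256 while keeping every path they were seen under, and checks that each dump's printed Filesize agrees with its address range. The record field names and the KB = 1024 bytes convention are this example's assumptions.

```python
"""Parse the flattened 'Downloads' and memory-dump entries of this report.

Added example: not part of the Triage report and not RedLine code. RAW_REPORT
is transcribed from the page, including its quirk of fusing the hash label
onto the path line. Field names and KB = 1024 bytes are assumptions here.
"""
import re
from collections import namedtuple

RAW_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exeMD5
6a9bf2c46a15d1fc9142e16aed31e8dd
SHA1802024dc5b3b37d123dfaa05f2b3c19e82f1f83f
SHA256fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb
SHA512c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85
-
\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exeMD5
6a9bf2c46a15d1fc9142e16aed31e8dd
SHA1802024dc5b3b37d123dfaa05f2b3c19e82f1f83f
SHA256fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb
SHA512c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85
-
memory/920-75-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/920-78-0x0000000000418D3E-mapping.dmp
-
memory/1292-72-0x0000000000536000-0x0000000000555000-memory.dmpFilesize
124KB
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
DroppedFile = namedtuple("DroppedFile", "path hashes")
MemDump = namedtuple("MemDump", "name pid seq start end kind size")


def _blocks(raw):
    """Split the text on its '-' separator lines into lists of non-empty lines."""
    parts = re.split(r"(?m)^-[ \t]*$", raw)
    return [b for b in ([l.strip() for l in p.splitlines() if l.strip()] for p in parts) if b]


def _parse_file(block):
    path = block[0][: -len("MD5")]
    hashes = {"md5": block[1].lower()}
    for line in block[2:]:
        # Longest label first; the hash value itself may start with digits.
        label = next((l for l in ("SHA512", "SHA256", "SHA1") if line.startswith(l)), None)
        if label is None:
            raise ValueError(f"unexpected line in entry for {path}: {line!r}")
        hashes[label.lower()] = line[len(label):].lower()
    for algo, value in hashes.items():
        # Length + alphabet check catches a label split at the wrong place.
        if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError(f"bad {algo} for {path}: {value!r}")
    return DroppedFile(path, hashes)


def _parse_dump(block):
    name, size = block[0], None
    if name.endswith("Filesize"):
        name = name[: -len("Filesize")]
        m = re.fullmatch(r"(\d+)KB", block[1])
        if not m:
            raise ValueError(f"unrecognised size for {name}: {block[1]!r}")
        size = int(m.group(1)) * 1024
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, seq, start, end, kind = m.groups()
    return MemDump(name, int(pid), int(seq), int(start, 16), int(end, 16) if end else None, kind, size)


def parse_report(raw):
    """Return (dropped files, memory dumps) for every entry in raw."""
    files, dumps = [], []
    for block in _blocks(raw):
        if block[0].startswith("memory/"):
            dumps.append(_parse_dump(block))
        elif block[0].endswith("MD5"):
            files.append(_parse_file(block))
        else:
            raise ValueError(f"unrecognised entry: {block[0]!r}")
    return files, dumps


def dedupe_files(files):
    """Collapse repeated entries by SHA256, keeping every path each file was seen under."""
    uniq = {}
    for f in files:
        entry = uniq.setdefault(f.hashes["sha256"], {"hashes": f.hashes, "paths": []})
        if f.path not in entry["paths"]:
            entry["paths"].append(f.path)
    return uniq


def check_dump_sizes(dumps):
    """True/False when the printed Filesize equals end-start; None for mapping dumps."""
    return {d.name: None if d.end is None or d.size is None else (d.end - d.start) == d.size
            for d in dumps}
```

On this input the two KiffAppE2.exe entries collapse to one SHA256 with two paths, and both sized dumps check out (0x420000 - 0x400000 is exactly 128KB, 0x555000 - 0x536000 exactly 124KB); the mapping dump carries only a single address, so it is reported as not applicable rather than as a mismatch.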