Overview

overview

10

Static

static

keygen-step-4.exe

windows7_x64

10

keygen-step-4.exe

windows7_x64

10

keygen-step-4.exe

windows7_x64

10

keygen-step-4.exe

windows11_x64

10

keygen-step-4.exe

windows10_x64

10

keygen-step-4.exe

windows10_x64

10

keygen-step-4.exe

windows10_x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1802s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    22-10-2021 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4.exe

  • Size

    4.2MB

  • MD5

    00ebc043e56f9f084116b06bdda236af

  • SHA1

    5cd4266a7b4500f3c9bfa5174b535d52361167ed

  • SHA256

    f6e16a4200c3510b4a0ddc031240495d36e9c1d47160e488606f0978e9bb0422

  • SHA512

    03d5c4d62c09b18259d42168284b72eecb874e5ec12063edfb54637a833c376b0ab788fc20474f21969e674f29e135498aa46ddf1b62ef6f06c506037543ee67

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    9982548bcb150a3d3b5343dd94bf8aa8

    SHA1

    fa2603eab815da449abff6622c47d95189ea5ef8

    SHA256

    a3ff72dd984406d760a702399f5c0186bfd107677b4e8b7b1c4a1433eb0a106f

    SHA512

    9aae28845c4a55ddf7b6a24aff34d1450e04e404afcb49787217d95253ccef99d09b0c2115786e1bffba26d0e368bfb3d7a39753e181e873bdf642ee0ee45e98

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
    MD5

    6a9bf2c46a15d1fc9142e16aed31e8dd

    SHA1

    802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

    SHA256

    fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

    SHA512

    c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
    MD5

    6a9bf2c46a15d1fc9142e16aed31e8dd

    SHA1

    802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

    SHA256

    fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

    SHA512

    c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
    MD5

    00160e8ca109521d28a89daa08cc2cae

    SHA1

    3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1

    SHA256

    d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e

    SHA512

    1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
    MD5

    00160e8ca109521d28a89daa08cc2cae

    SHA1

    3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1

    SHA256

    d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e

    SHA512

    1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
    MD5

    00160e8ca109521d28a89daa08cc2cae

    SHA1

    3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1

    SHA256

    d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e

    SHA512

    1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
    MD5

    6a9bf2c46a15d1fc9142e16aed31e8dd

    SHA1

    802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

    SHA256

    fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

    SHA512

    c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
    MD5

    6a9bf2c46a15d1fc9142e16aed31e8dd

    SHA1

    802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

    SHA256

    fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

    SHA512

    c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
    MD5

    6a9bf2c46a15d1fc9142e16aed31e8dd

    SHA1

    802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

    SHA256

    fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

    SHA512

    c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
    MD5

    6a9bf2c46a15d1fc9142e16aed31e8dd

    SHA1

    802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

    SHA256

    fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

    SHA512

    c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

    Download Submit
  • memory/920-75-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/920-77-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/920-82-0x0000000004A90000-0x0000000004A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/920-80-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/920-78-0x0000000000418D3E-mapping.dmp
    Download
  • memory/920-76-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/920-73-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/920-74-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1088-55-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1292-72-0x0000000000536000-0x0000000000555000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1292-63-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1292-65-0x0000000000530000-0x0000000000532000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1292-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-71-0x0000000002250000-0x0000000002251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-69-0x0000000000B70000-0x0000000000B71000-memory.dmp
    Filesize

    4KB

    Download