Overview

overview

10

Static

static

keygen-step-4.exe

windows7_x64

10

keygen-step-4.exe

windows7_x64

10

keygen-step-4.exe

windows7_x64

10

keygen-step-4.exe

windows11_x64

10

keygen-step-4.exe

windows10_x64

10

keygen-step-4.exe

windows10_x64

10

keygen-step-4.exe

windows10_x64

10

Analysis

  • max time kernel
    623s
  • max time network
    1558s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    22-10-2021 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4.exe

  • Size

    4.2MB

  • MD5

    00ebc043e56f9f084116b06bdda236af

  • SHA1

    5cd4266a7b4500f3c9bfa5174b535d52361167ed

  • SHA256

    f6e16a4200c3510b4a0ddc031240495d36e9c1d47160e488606f0978e9bb0422

  • SHA512

    03d5c4d62c09b18259d42168284b72eecb874e5ec12063edfb54637a833c376b0ab788fc20474f21969e674f29e135498aa46ddf1b62ef6f06c506037543ee67

Score
10/10
redlinediscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
      PID:664
    • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Users\Admin\Documents\PlsWnEU2.exe
          "C:\Users\Admin\Documents\PlsWnEU2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Users\Admin\Documents\PlsWnEU2.exe
            C:\Users\Admin\Documents\PlsWnEU2.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3512
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 65b1aa8d918c8d3f168629fc61765ea5 OzaWr/uu6kO2F/1/svXlhA.0.1.0.3.0
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4636
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
      1⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        2⤵
          PID:3712
        • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          2⤵
            PID:2152
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe 65b1aa8d918c8d3f168629fc61765ea5 OzaWr/uu6kO2F/1/svXlhA.0.1.0.3.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:3320

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PlsWnEU2.exe.log
          MD5

          e07da89fc7e325db9d25e845e27027a8

          SHA1

          4b6a03bcdb46f325984cbbb6302ff79f33637e19

          SHA256

          94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf

          SHA512

          1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
          MD5

          6a9bf2c46a15d1fc9142e16aed31e8dd

          SHA1

          802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

          SHA256

          fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

          SHA512

          c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
          MD5

          6a9bf2c46a15d1fc9142e16aed31e8dd

          SHA1

          802024dc5b3b37d123dfaa05f2b3c19e82f1f83f

          SHA256

          fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb

          SHA512

          c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85

          Download Submit
        • C:\Users\Admin\Documents\PlsWnEU2.exe
          MD5

          00160e8ca109521d28a89daa08cc2cae

          SHA1

          3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1

          SHA256

          d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e

          SHA512

          1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309

          Download Submit
        • C:\Users\Admin\Documents\PlsWnEU2.exe
          MD5

          00160e8ca109521d28a89daa08cc2cae

          SHA1

          3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1

          SHA256

          d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e

          SHA512

          1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309

          Download Submit
        • C:\Users\Admin\Documents\PlsWnEU2.exe
          MD5

          00160e8ca109521d28a89daa08cc2cae

          SHA1

          3569f50e6a2fc500b4a7ee8c0e1a446d9766afa1

          SHA256

          d2e3a00472e772e4509e221ad732f3de0e0fb3fe4f788552e5f5382b1306b11e

          SHA512

          1b1ea39d615774935be107000f4d61b64f3a9760bad70f04dfd580a7e8ab6209ca3b8b55a250d89845fa8206b02c78187ea4613506a2634c56be27f1a4e3b309

          Download Submit
        • memory/1944-167-0x0000000002934000-0x0000000002935000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1944-155-0x0000000000620000-0x0000000000621000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1944-157-0x0000000002930000-0x0000000002932000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1944-151-0x0000000000000000-mapping.dmp
          Download
        • memory/1944-165-0x0000000002932000-0x0000000002934000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1944-166-0x0000000002935000-0x0000000002937000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2152-193-0x0000000000000000-mapping.dmp
          Download
        • memory/2848-169-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2848-158-0x0000000000000000-mapping.dmp
          Download
        • memory/2848-168-0x00000000054E0000-0x00000000054E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2848-161-0x00000000007D0000-0x00000000007D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2848-163-0x00000000052B0000-0x00000000052B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2848-164-0x0000000002DA0000-0x0000000002DA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-170-0x0000000000000000-mapping.dmp
          Download
        • memory/3512-182-0x00000000058D0000-0x00000000058D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-191-0x0000000007D00000-0x0000000007D01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-190-0x00000000084C0000-0x00000000084C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-171-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

          Download
        • memory/3512-189-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-175-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-176-0x0000000005520000-0x0000000005521000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-177-0x0000000005650000-0x0000000005651000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-178-0x0000000005760000-0x0000000005761000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-179-0x0000000005580000-0x0000000005581000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-180-0x0000000006110000-0x0000000006111000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-181-0x0000000005860000-0x0000000005861000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-188-0x00000000073E0000-0x00000000073E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3512-183-0x00000000054D0000-0x0000000005AE8000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/3512-185-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3712-152-0x0000000000000000-mapping.dmp
          Download
        • memory/4232-146-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4232-147-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4524-149-0x0000018DEF0A0000-0x0000018DEF0B0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4524-150-0x0000018DF17B0000-0x0000018DF17B4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/4524-148-0x0000018DEF020000-0x0000018DEF030000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4524-194-0x0000018DF17D0000-0x0000018DF17D4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/4524-195-0x0000018DF16F0000-0x0000018DF16F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4524-197-0x0000018DF16B0000-0x0000018DF16B1000-memory.dmp
          Filesize

          4KB

          Download