Analysis
-
max time kernel
110s -
max time network
125s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-10-2021 17:18
Static task
static1
General
-
Target
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe
-
Size
2.2MB
-
MD5
0680fd1ef21a489b3812b4ef2f9a8f40
-
SHA1
d44346e505d925bd5f423606298e267716f7d64f
-
SHA256
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8
-
SHA512
e7b7ed92d6e2fa36256c67bb2d45164b6ef1be41c1827341754273a4125781838a8e9bc2068b3669e36e88c7303f167c9df57c3d28f9f9fc6e42d7dea05826cb
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/4176-118-0x0000000000D70000-0x0000000000D71000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exepid process 4176 e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exepid process 4176 e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe 4176 e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe 4176 e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exedescription pid process Token: SeDebugPrivilege 4176 e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe"C:\Users\Admin\AppData\Local\Temp\e7074780e695f4ee45a1999d5035e3a8c799fe647c7464ca85375dd9d18a3ac8.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176