Analysis

Max time kernel: 125s
Max time network: 149s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 23-10-2021 06:32

Static task: static1
Behavioral task: behavioral1
Sample: eacbae9bdaa559182cf794986c6a10c1.exe
Resource: win7-en-20211014

General

Target: eacbae9bdaa559182cf794986c6a10c1.exe
Size: 396KB
MD5: eacbae9bdaa559182cf794986c6a10c1
SHA1: 6943b0ec8e128dd473010269b50b494b2cea1401
SHA256: 6c35facea27417051d4ffccbffd9a353ce00b548b50944d3ef4a246298c037f1
SHA512: 205b8b8c25ee6cab96a435bc4b9d4eb785c6824cf45ad6bb8d5d851f9dbd43afd313ed029c762a30559d4cdabba49a797ce48778e0fb312e91a479a238459bed

Malware Config

Extracted
Family: redline
Botnet: wincode
C2: 4life.longmusic.com:6640
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/804-125-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
  behavioral2/memory/804-126-0x000000000041933E-mapping.dmp                    family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                pid   process                               target process
  set thread context of 804  2648  eacbae9bdaa559182cf794986c6a10c1.exe  RegAsm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  process
  804  RegAsm.exe
  804  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2648  eacbae9bdaa559182cf794986c6a10c1.exe
  Token: SeDebugPrivilege  804   RegAsm.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                       pid   process                               target process
  PID 2648 wrote to memory of 804   2648  eacbae9bdaa559182cf794986c6a10c1.exe  RegAsm.exe    (8 entries)
  PID 2648 wrote to memory of 3996  2648  eacbae9bdaa559182cf794986c6a10c1.exe  cmd.exe       (3 entries)
  PID 2648 wrote to memory of 1608  2648  eacbae9bdaa559182cf794986c6a10c1.exe  cmd.exe       (3 entries)
  PID 3996 wrote to memory of 2824  3996  cmd.exe                               schtasks.exe  (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\eacbae9bdaa559182cf794986c6a10c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eacbae9bdaa559182cf794986c6a10c1.exe"
  PID: 2648
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 804
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fdert\fdert.exe'" /f
    PID: 3996
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fdert\fdert.exe'" /f
      PID: 2824
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\eacbae9bdaa559182cf794986c6a10c1.exe" "C:\Users\Admin\AppData\Roaming\fdert\fdert.exe"
    PID: 1608