Analysis
-
max time kernel
110s -
max time network
120s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
14-11-2021 07:16
Static task
static1
Behavioral task
behavioral1
Sample
GenshinPublic.exe
Resource
win7-en-20211104
General
-
Target
GenshinPublic.exe
-
Size
391KB
-
MD5
2e2142cc8d63b932ca33fc58662b6693
-
SHA1
d67631fb8c4d25f0a8e4b6ac48fba728f03023ad
-
SHA256
fc353994c7c21ec405bd5ea01c1082f56b7e2404d163f9a5a69d593070507911
-
SHA512
240bb50a29466c74381bbe7bd4f77b0f7f0cbe03bbdffecfb85225b162aef5a19291ac8659f8d960d9dfd832562469da7e55953d8d0a41e60c3dfb41289db0ab
Malware Config
Extracted
redline
185.215.113.109:44059
Extracted
redline
xxluchxx1
212.86.102.63:62907
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2708-119-0x0000000000890000-0x00000000008AA000-memory.dmp family_redline behavioral2/memory/856-134-0x00000000013E0000-0x00000000013F8000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
asfasf.exeMemo.exeLogeer.exepid process 856 asfasf.exe 3948 Memo.exe 724 Logeer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 708 3948 WerFault.exe Memo.exe 60 724 WerFault.exe Logeer.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
GenshinPublic.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 GenshinPublic.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GenshinPublic.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
GenshinPublic.exeWerFault.exeWerFault.exeasfasf.exepid process 2708 GenshinPublic.exe 2708 GenshinPublic.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 708 WerFault.exe 60 WerFault.exe 856 asfasf.exe 856 asfasf.exe 2708 GenshinPublic.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
GenshinPublic.exeasfasf.exeWerFault.exeWerFault.exedescription pid process Token: SeDebugPrivilege 2708 GenshinPublic.exe Token: SeDebugPrivilege 856 asfasf.exe Token: SeDebugPrivilege 60 WerFault.exe Token: SeDebugPrivilege 708 WerFault.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
GenshinPublic.exedescription pid process target process PID 2708 wrote to memory of 856 2708 GenshinPublic.exe asfasf.exe PID 2708 wrote to memory of 856 2708 GenshinPublic.exe asfasf.exe PID 2708 wrote to memory of 3948 2708 GenshinPublic.exe Memo.exe PID 2708 wrote to memory of 3948 2708 GenshinPublic.exe Memo.exe PID 2708 wrote to memory of 724 2708 GenshinPublic.exe Logeer.exe PID 2708 wrote to memory of 724 2708 GenshinPublic.exe Logeer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\GenshinPublic.exe"C:\Users\Admin\AppData\Local\Temp\GenshinPublic.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\asfasf.exe"C:\Users\Admin\AppData\Roaming\asfasf.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Memo.exe"C:\Users\Admin\AppData\Roaming\Memo.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3948 -s 9483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Logeer.exe"C:\Users\Admin\AppData\Roaming\Logeer.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 724 -s 9483⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Logeer.exeMD5
4108f630579979cfb8ca2bc73dcbdc07
SHA15d3e9ee3e462dbcf826aa3996c46378effc736a5
SHA2562776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6
SHA51229aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5
-
C:\Users\Admin\AppData\Roaming\Logeer.exeMD5
4108f630579979cfb8ca2bc73dcbdc07
SHA15d3e9ee3e462dbcf826aa3996c46378effc736a5
SHA2562776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6
SHA51229aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5
-
C:\Users\Admin\AppData\Roaming\Memo.exeMD5
d663f5a1f4c8bf1bacb90324e7a38b64
SHA1da0de378bcb909cf82a6a2b5766aff961c9b6bf5
SHA2561791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d
SHA51249189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563
-
C:\Users\Admin\AppData\Roaming\Memo.exeMD5
d663f5a1f4c8bf1bacb90324e7a38b64
SHA1da0de378bcb909cf82a6a2b5766aff961c9b6bf5
SHA2561791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d
SHA51249189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563
-
C:\Users\Admin\AppData\Roaming\asfasf.exeMD5
9a9120e7087d20b64a15693c53c4a9a4
SHA1190ace4b886f2d5de5526234b40e7186952d771d
SHA256b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2
SHA5122a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe
-
C:\Users\Admin\AppData\Roaming\asfasf.exeMD5
9a9120e7087d20b64a15693c53c4a9a4
SHA1190ace4b886f2d5de5526234b40e7186952d771d
SHA256b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2
SHA5122a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe
-
memory/724-147-0x0000026F7CAC0000-0x0000026F7CAC2000-memory.dmpFilesize
8KB
-
memory/724-145-0x0000026F7CAD0000-0x0000026F7CDFC000-memory.dmpFilesize
3.2MB
-
memory/724-137-0x0000026F61FF0000-0x0000026F61FF1000-memory.dmpFilesize
4KB
-
memory/724-131-0x0000000000000000-mapping.dmp
-
memory/856-134-0x00000000013E0000-0x00000000013F8000-memory.dmpFilesize
96KB
-
memory/856-132-0x00000000013D0000-0x00000000013D2000-memory.dmpFilesize
8KB
-
memory/856-151-0x00000000013D2000-0x00000000013D4000-memory.dmpFilesize
8KB
-
memory/856-124-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/856-150-0x000000001CC20000-0x000000001CC21000-memory.dmpFilesize
4KB
-
memory/856-121-0x0000000000000000-mapping.dmp
-
memory/856-149-0x000000001C520000-0x000000001C521000-memory.dmpFilesize
4KB
-
memory/2708-140-0x000000001C2D0000-0x000000001C2D1000-memory.dmpFilesize
4KB
-
memory/2708-119-0x0000000000890000-0x00000000008AA000-memory.dmpFilesize
104KB
-
memory/2708-141-0x000000001B3F0000-0x000000001B3F1000-memory.dmpFilesize
4KB
-
memory/2708-143-0x000000001B450000-0x000000001B451000-memory.dmpFilesize
4KB
-
memory/2708-118-0x000000001AF40000-0x000000001AF41000-memory.dmpFilesize
4KB
-
memory/2708-117-0x000000001AE30000-0x000000001AE32000-memory.dmpFilesize
8KB
-
memory/2708-120-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/2708-115-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2708-152-0x000000001C210000-0x000000001C211000-memory.dmpFilesize
4KB
-
memory/3948-126-0x0000000000000000-mapping.dmp
-
memory/3948-146-0x0000028F9B920000-0x0000028F9BC03000-memory.dmpFilesize
2.9MB
-
memory/3948-148-0x0000028F9B8E0000-0x0000028F9B8E2000-memory.dmpFilesize
8KB
-
memory/3948-129-0x0000028F80FE0000-0x0000028F80FE1000-memory.dmpFilesize
4KB