Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
30-11-2021 10:50
Static task
static1
Behavioral task
behavioral1
Sample
63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe
Resource
win10-en-20211014
General
-
Target
63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe
-
Size
877KB
-
MD5
0b7cda3631ee14a0d0c3da4ec649bcc4
-
SHA1
c4ae4859b6aa6721da0ea6502e15e8f27d51ccca
-
SHA256
63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee
-
SHA512
2a9074b7ff70cbc922b89f39aeff5d9a0c5d1a21fa25b7eeedae07683b9359c3b3a2c1f2fa5bdb77860d26340690f11b52d8b0cc55d7bdae624a70e86d13defd
Malware Config
Extracted
redline
185.215.113.57:50723
Extracted
redline
LastLovely
95.181.152.177:21142
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1060-121-0x000000000041B78E-mapping.dmp family_redline behavioral1/memory/1060-122-0x0000000000600000-0x0000000000620000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\awsgfasg.exe family_redline C:\Users\Admin\AppData\Roaming\awsgfasg.exe family_redline -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 2104 created 952 2104 WerFault.exe KadkaDK.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
KadkaDK.exeawsgfasg.exegweqg.exepid process 952 KadkaDK.exe 2216 awsgfasg.exe 3180 gweqg.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exedescription pid process target process PID 3736 set thread context of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
WerFault.exedescription ioc process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1500 3180 WerFault.exe gweqg.exe 2104 952 WerFault.exe KadkaDK.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
RegAsm.exeWerFault.exeWerFault.exepid process 1060 RegAsm.exe 1060 RegAsm.exe 1060 RegAsm.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 1500 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe 2104 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
RegAsm.exeKadkaDK.exeawsgfasg.exegweqg.exeWerFault.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1060 RegAsm.exe Token: SeDebugPrivilege 952 KadkaDK.exe Token: SeDebugPrivilege 2216 awsgfasg.exe Token: SeDebugPrivilege 3180 gweqg.exe Token: SeDebugPrivilege 1500 WerFault.exe Token: SeRestorePrivilege 2104 WerFault.exe Token: SeBackupPrivilege 2104 WerFault.exe Token: SeBackupPrivilege 2104 WerFault.exe Token: SeDebugPrivilege 2104 WerFault.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exeRegAsm.exedescription pid process target process PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 3736 wrote to memory of 1060 3736 63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe RegAsm.exe PID 1060 wrote to memory of 952 1060 RegAsm.exe KadkaDK.exe PID 1060 wrote to memory of 952 1060 RegAsm.exe KadkaDK.exe PID 1060 wrote to memory of 952 1060 RegAsm.exe KadkaDK.exe PID 1060 wrote to memory of 2216 1060 RegAsm.exe awsgfasg.exe PID 1060 wrote to memory of 2216 1060 RegAsm.exe awsgfasg.exe PID 1060 wrote to memory of 2216 1060 RegAsm.exe awsgfasg.exe PID 1060 wrote to memory of 3180 1060 RegAsm.exe gweqg.exe PID 1060 wrote to memory of 3180 1060 RegAsm.exe gweqg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe"C:\Users\Admin\AppData\Local\Temp\63782ba80479efb33857f5803dd7edcca86d44b817d2bfc6e6030131fe243eee.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\KadkaDK.exe"C:\Users\Admin\AppData\Roaming\KadkaDK.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 12404⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\awsgfasg.exe"C:\Users\Admin\AppData\Roaming\awsgfasg.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\gweqg.exe"C:\Users\Admin\AppData\Roaming\gweqg.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3180 -s 17444⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\KadkaDK.exeMD5
eabb876f62eff390575fdefbf1610b77
SHA177eb326354b51c47c365e6f962ac13927151c931
SHA2564eac12423a78201d89bf682621b5be5409f9667140f853115ed151c4af89abcb
SHA51229b3be38eb22c036e09d7547db8d8e448fd77d674a85b3054ff428c6f28c57353e3980b058f976314836c07b544735383d3da48dbf72c33acf29ed37ae5fcebd
-
C:\Users\Admin\AppData\Roaming\KadkaDK.exeMD5
eabb876f62eff390575fdefbf1610b77
SHA177eb326354b51c47c365e6f962ac13927151c931
SHA2564eac12423a78201d89bf682621b5be5409f9667140f853115ed151c4af89abcb
SHA51229b3be38eb22c036e09d7547db8d8e448fd77d674a85b3054ff428c6f28c57353e3980b058f976314836c07b544735383d3da48dbf72c33acf29ed37ae5fcebd
-
C:\Users\Admin\AppData\Roaming\awsgfasg.exeMD5
bc10fe4be5e059a43d1e3f011a954887
SHA180c4bfd50e61e2a26b627b7408665e1780235f76
SHA256a164764cbb99eecc87860d4b8e8be71bc2e6094b243cc36946eaa573f2d34dc3
SHA5121174fe72eb161e2c1f31c4e6dbe5e6bb45585e34c68b38db122d83b47b0c34ad4d763703bd5606bf07d7d0e1b43b51f5447a480915633626898e26c4026c679a
-
C:\Users\Admin\AppData\Roaming\awsgfasg.exeMD5
bc10fe4be5e059a43d1e3f011a954887
SHA180c4bfd50e61e2a26b627b7408665e1780235f76
SHA256a164764cbb99eecc87860d4b8e8be71bc2e6094b243cc36946eaa573f2d34dc3
SHA5121174fe72eb161e2c1f31c4e6dbe5e6bb45585e34c68b38db122d83b47b0c34ad4d763703bd5606bf07d7d0e1b43b51f5447a480915633626898e26c4026c679a
-
C:\Users\Admin\AppData\Roaming\gweqg.exeMD5
eb8c7dbf71a662e3771496a956e6a973
SHA1e6badc656d030610c6135e46f93078d67c49a61f
SHA25686ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a
SHA5125fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42
-
C:\Users\Admin\AppData\Roaming\gweqg.exeMD5
eb8c7dbf71a662e3771496a956e6a973
SHA1e6badc656d030610c6135e46f93078d67c49a61f
SHA25686ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a
SHA5125fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42
-
memory/952-158-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/952-138-0x0000000000000000-mapping.dmp
-
memory/952-142-0x00000000008B0000-0x00000000008B1000-memory.dmpFilesize
4KB
-
memory/1060-121-0x000000000041B78E-mapping.dmp
-
memory/1060-130-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/1060-125-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/1060-128-0x00000000049C0000-0x0000000004FC6000-memory.dmpFilesize
6.0MB
-
memory/1060-131-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/1060-132-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/1060-133-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/1060-134-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/1060-135-0x0000000006F10000-0x0000000006F11000-memory.dmpFilesize
4KB
-
memory/1060-136-0x0000000007130000-0x0000000007131000-memory.dmpFilesize
4KB
-
memory/1060-137-0x0000000007830000-0x0000000007831000-memory.dmpFilesize
4KB
-
memory/1060-127-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/1060-124-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/1060-122-0x0000000000600000-0x0000000000620000-memory.dmpFilesize
128KB
-
memory/1060-126-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/1060-129-0x0000000004AF0000-0x0000000004AF1000-memory.dmpFilesize
4KB
-
memory/2216-157-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/2216-159-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/2216-141-0x0000000000000000-mapping.dmp
-
memory/2216-147-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/3180-166-0x000001DF25650000-0x000001DF2593B000-memory.dmpFilesize
2.9MB
-
memory/3180-167-0x000001DF25940000-0x000001DF25B5A000-memory.dmpFilesize
2.1MB
-
memory/3180-155-0x000001DF07630000-0x000001DF07631000-memory.dmpFilesize
4KB
-
memory/3180-171-0x00007FFD6B560000-0x00007FFD6B73B000-memory.dmpFilesize
1.9MB
-
memory/3180-169-0x000001DF26030000-0x000001DF26031000-memory.dmpFilesize
4KB
-
memory/3180-161-0x000001DF220C0000-0x000001DF223B6000-memory.dmpFilesize
3.0MB
-
memory/3180-150-0x0000000000000000-mapping.dmp
-
memory/3180-168-0x000001DF21F80000-0x000001DF21F81000-memory.dmpFilesize
4KB
-
memory/3180-164-0x000001DF22072000-0x000001DF22074000-memory.dmpFilesize
8KB
-
memory/3180-163-0x000001DF22074000-0x000001DF22075000-memory.dmpFilesize
4KB
-
memory/3180-165-0x000001DF22075000-0x000001DF22077000-memory.dmpFilesize
8KB
-
memory/3180-162-0x000001DF22070000-0x000001DF22072000-memory.dmpFilesize
8KB
-
memory/3736-115-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/3736-119-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/3736-117-0x0000000000C10000-0x0000000000C12000-memory.dmpFilesize
8KB
-
memory/3736-118-0x000000001CF40000-0x000000001CF41000-memory.dmpFilesize
4KB