Analysis
max time kernel: 84s
max time network: 86s
platform: windows10_x64
resource: win10-en-20211014
submitted: 05-12-2021 21:27
Static task
static1
Behavioral tasks
behavioral1: Sample IlusionChecker.7z, Resource win7-en-20211104
behavioral2: Sample IlusionChecker.7z, Resource win10-en-20211014
behavioral3: Sample IlusionChecker.7z, Resource win7-en-20211104
behavioral4: Sample IlusionChecker.7z, Resource win10-en-20211014
behavioral5: Sample IlusionChecker.7z, Resource win7-en-20211104
behavioral6: Sample IlusionChecker.7z, Resource win10-en-20211104
General
Target: IlusionChecker.7z
Size: 3.6MB
MD5: ffdcbdd06ed59b0c4a507cac8d575913
SHA1: de5e9d4384db0866f083db001217373b34451ea6
SHA256: eefc3d0a6af3df17b4c97f8404509550aa8eb99b3757a0ba4590c6bce88c96ca
SHA512: 09765eac9a6f6dd493a6907e20f07e756ae443bdb7a2e10233161e179fc46669fa5796b91df57a3e5cf3607d1f9fb4ab33e002e2b596699115b624f09b3dc5b5
Malware Config
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 1 IoCs
Processes:
pid: 1432; process: IlusionChecker.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: IlusionChecker.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: IlusionChecker.exe
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer (yara_rule: themida)
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe; yara_rule: themida
resource: C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe; yara_rule: themida
resource: behavioral2/memory/1432-120-0x00000000003E0000-0x00000000003E1000-memory.dmp; yara_rule: themida
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled 1 IoCs
Processes:
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: IlusionChecker.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid: 1432; process: IlusionChecker.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class 2 IoCs
Processes:
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings; process: cmd.exe
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings; process: OpenWith.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid: 1432; process: IlusionChecker.exe
pid: 1432; process: IlusionChecker.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description: Token: SeRestorePrivilege; pid: 2400; process: 7zG.exe
description: Token: 35; pid: 2400; process: 7zG.exe
description: Token: SeSecurityPrivilege; pid: 2400; process: 7zG.exe
description: Token: SeSecurityPrivilege; pid: 2400; process: 7zG.exe
description: Token: SeDebugPrivilege; pid: 1432; process: IlusionChecker.exe
- Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid: 2400; process: 7zG.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid: 2720; process: OpenWith.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\IlusionChecker.7z
  - Modifies registry class
  PID: 2096
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2720
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 996
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\IlusionChecker\" -spe -an -ai#7zMap10841:106:7zEvent27451
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2400
- C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1432
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe
  MD5: 75b074c809301513411b15669c3d2e35
  SHA1: c19e02192b3c57844dff28fdb81830d5dd5e6eaf
  SHA256: 1369ca0bcd6a39f6fbe3b931d61b9b752704b5c43beede8a73a7ce7e0f8d43c6
  SHA512: 5bc40b27062b2f774e26b8fa2b7f58f9aa4d705ce583afbcac0761b40e25a7e555246f4bdf7ade8c6c299e404c85399b235a537d93624042d2a1f331b17a1a10
- memory/1432-119-0x0000000077210000-0x000000007739E000-memory.dmp (Filesize: 1.6MB)
- memory/1432-120-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize: 4KB)
- memory/1432-122-0x0000000005C70000-0x0000000005C71000-memory.dmp (Filesize: 4KB)
- memory/1432-123-0x0000000005700000-0x0000000005701000-memory.dmp (Filesize: 4KB)
- memory/1432-124-0x0000000005760000-0x0000000005761000-memory.dmp (Filesize: 4KB)
- memory/1432-125-0x00000000057A0000-0x00000000057A1000-memory.dmp (Filesize: 4KB)
- memory/1432-126-0x0000000003630000-0x0000000003631000-memory.dmp (Filesize: 4KB)
- memory/1432-127-0x0000000005A00000-0x0000000005A01000-memory.dmp (Filesize: 4KB)
- memory/1432-128-0x0000000006B70000-0x0000000006B71000-memory.dmp (Filesize: 4KB)
- memory/1432-129-0x0000000007270000-0x0000000007271000-memory.dmp (Filesize: 4KB)
- memory/1432-130-0x0000000006DF0000-0x0000000006DF1000-memory.dmp (Filesize: 4KB)
- memory/1432-131-0x0000000007CA0000-0x0000000007CA1000-memory.dmp (Filesize: 4KB)
- memory/1432-132-0x00000000070C0000-0x00000000070C1000-memory.dmp (Filesize: 4KB)
- memory/1432-133-0x0000000007160000-0x0000000007161000-memory.dmp (Filesize: 4KB)
- memory/1432-134-0x0000000007240000-0x0000000007241000-memory.dmp (Filesize: 4KB)