Overview

overview

10

Static

static

7

IlusionChecker.7z

windows7_x64

10

IlusionChecker.7z

windows10_x64

10

IlusionChecker.7z

windows7_x64

10

IlusionChecker.7z

windows10_x64

3

IlusionChecker.7z

windows7_x64

3

IlusionChecker.7z

windows10_x64

3

Analysis

  • max time kernel
    84s
  • max time network
    86s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    05-12-2021 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IlusionChecker.7z

  • Size

    3.6MB

  • MD5

    ffdcbdd06ed59b0c4a507cac8d575913

  • SHA1

    de5e9d4384db0866f083db001217373b34451ea6

  • SHA256

    eefc3d0a6af3df17b4c97f8404509550aa8eb99b3757a0ba4590c6bce88c96ca

  • SHA512

    09765eac9a6f6dd493a6907e20f07e756ae443bdb7a2e10233161e179fc46669fa5796b91df57a3e5cf3607d1f9fb4ab33e002e2b596699115b624f09b3dc5b5

Score
10/10
redlinediscoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\IlusionChecker.7z
    1⤵
    • Modifies registry class
    PID:2096
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2720
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:996
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\IlusionChecker\" -spe -an -ai#7zMap10841:106:7zEvent27451
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2400
    • C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe
      "C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe"
      1⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1432

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe
      MD5

      75b074c809301513411b15669c3d2e35

      SHA1

      c19e02192b3c57844dff28fdb81830d5dd5e6eaf

      SHA256

      1369ca0bcd6a39f6fbe3b931d61b9b752704b5c43beede8a73a7ce7e0f8d43c6

      SHA512

      5bc40b27062b2f774e26b8fa2b7f58f9aa4d705ce583afbcac0761b40e25a7e555246f4bdf7ade8c6c299e404c85399b235a537d93624042d2a1f331b17a1a10

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IlusionChecker\IlusionChecker.exe
      MD5

      75b074c809301513411b15669c3d2e35

      SHA1

      c19e02192b3c57844dff28fdb81830d5dd5e6eaf

      SHA256

      1369ca0bcd6a39f6fbe3b931d61b9b752704b5c43beede8a73a7ce7e0f8d43c6

      SHA512

      5bc40b27062b2f774e26b8fa2b7f58f9aa4d705ce583afbcac0761b40e25a7e555246f4bdf7ade8c6c299e404c85399b235a537d93624042d2a1f331b17a1a10

      Download Submit
    • memory/1432-119-0x0000000077210000-0x000000007739E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1432-120-0x00000000003E0000-0x00000000003E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-122-0x0000000005C70000-0x0000000005C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-123-0x0000000005700000-0x0000000005701000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-124-0x0000000005760000-0x0000000005761000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-125-0x00000000057A0000-0x00000000057A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-126-0x0000000003630000-0x0000000003631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-127-0x0000000005A00000-0x0000000005A01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-128-0x0000000006B70000-0x0000000006B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-129-0x0000000007270000-0x0000000007271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-130-0x0000000006DF0000-0x0000000006DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-131-0x0000000007CA0000-0x0000000007CA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-132-0x00000000070C0000-0x00000000070C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-133-0x0000000007160000-0x0000000007161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1432-134-0x0000000007240000-0x0000000007241000-memory.dmp
      Filesize

      4KB

      Download