Analysis
Max time kernel: 141s
Max time network: 150s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 06-12-2021 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: eabb876f62eff390575fdefbf1610b77.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: eabb876f62eff390575fdefbf1610b77.exe
  Resource: win10-en-20211014
General
Target: eabb876f62eff390575fdefbf1610b77.exe
Size: 11KB
MD5: eabb876f62eff390575fdefbf1610b77
SHA1: 77eb326354b51c47c365e6f962ac13927151c931
SHA256: 4eac12423a78201d89bf682621b5be5409f9667140f853115ed151c4af89abcb
SHA512: 29b3be38eb22c036e09d7547db8d8e448fd77d674a85b3054ff428c6f28c57353e3980b058f976314836c07b544735383d3da48dbf72c33acf29ed37ae5fcebd
Malware Config
Extracted
  Family: redline
  Botnet: LastLovely
  C2: 95.181.152.177:21142
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource                                                                              yara_rule
  C:\Users\Admin\AppData\Roaming\UniversalSoftware\B2342A85F77B8E254BF882E15921E911.exe  family_redline
  C:\Users\Admin\AppData\Roaming\UniversalSoftware\B2342A85F77B8E254BF882E15921E911.exe  family_redline
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: E18BB068D9586EFCD389AA2D35539BB9.exe, B2342A85F77B8E254BF882E15921E911.exe
  pid   process
  644   E18BB068D9586EFCD389AA2D35539BB9.exe
  2820  B2342A85F77B8E254BF882E15921E911.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: eabb876f62eff390575fdefbf1610b77.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\KinoMaster = "C:\\Users\\Admin\\AppData\\Roaming\\KinoMaster.exe"
  process: eabb876f62eff390575fdefbf1610b77.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid  pid_target  process       target process
  372  644         WerFault.exe  E18BB068D9586EFCD389AA2D35539BB9.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: WerFault.exe
  pid  process
  372  WerFault.exe  (the same entry is repeated 13 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: eabb876f62eff390575fdefbf1610b77.exe, B2342A85F77B8E254BF882E15921E911.exe, E18BB068D9586EFCD389AA2D35539BB9.exe, WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  3760  eabb876f62eff390575fdefbf1610b77.exe
  Token: SeDebugPrivilege  2820  B2342A85F77B8E254BF882E15921E911.exe
  Token: SeDebugPrivilege  644   E18BB068D9586EFCD389AA2D35539BB9.exe
  Token: SeDebugPrivilege  372   WerFault.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: eabb876f62eff390575fdefbf1610b77.exe
  description                       pid   process                               target process
  PID 3760 wrote to memory of 644   3760  eabb876f62eff390575fdefbf1610b77.exe  E18BB068D9586EFCD389AA2D35539BB9.exe
  PID 3760 wrote to memory of 644   3760  eabb876f62eff390575fdefbf1610b77.exe  E18BB068D9586EFCD389AA2D35539BB9.exe
  PID 3760 wrote to memory of 2820  3760  eabb876f62eff390575fdefbf1610b77.exe  B2342A85F77B8E254BF882E15921E911.exe
  PID 3760 wrote to memory of 2820  3760  eabb876f62eff390575fdefbf1610b77.exe  B2342A85F77B8E254BF882E15921E911.exe
  PID 3760 wrote to memory of 2820  3760  eabb876f62eff390575fdefbf1610b77.exe  B2342A85F77B8E254BF882E15921E911.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\eabb876f62eff390575fdefbf1610b77.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eabb876f62eff390575fdefbf1610b77.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\UniversalSoftware\E18BB068D9586EFCD389AA2D35539BB9.exe
      Command line: "C:\Users\Admin\AppData\Roaming\UniversalSoftware\E18BB068D9586EFCD389AA2D35539BB9.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\system32\WerFault.exe
         Command line: C:\Windows\system32\WerFault.exe -u -p 644 -s 1736
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Roaming\UniversalSoftware\B2342A85F77B8E254BF882E15921E911.exe
      Command line: "C:\Users\Admin\AppData\Roaming\UniversalSoftware\B2342A85F77B8E254BF882E15921E911.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\UniversalSoftware\B2342A85F77B8E254BF882E15921E911.exe
  MD5: bc10fe4be5e059a43d1e3f011a954887
  SHA1: 80c4bfd50e61e2a26b627b7408665e1780235f76
  SHA256: a164764cbb99eecc87860d4b8e8be71bc2e6094b243cc36946eaa573f2d34dc3
  SHA512: 1174fe72eb161e2c1f31c4e6dbe5e6bb45585e34c68b38db122d83b47b0c34ad4d763703bd5606bf07d7d0e1b43b51f5447a480915633626898e26c4026c679a
- C:\Users\Admin\AppData\Roaming\UniversalSoftware\E18BB068D9586EFCD389AA2D35539BB9.exe
  MD5: eb8c7dbf71a662e3771496a956e6a973
  SHA1: e6badc656d030610c6135e46f93078d67c49a61f
  SHA256: 86ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a
  SHA512: 5fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42
- Memory dumps
  file                                                             filesize
  memory/644-136-0x0000029FA43C0000-0x0000029FA43C2000-memory.dmp  8KB
  memory/644-135-0x0000029FA43D0000-0x0000029FA46C6000-memory.dmp  3.0MB
  memory/644-122-0x0000029F899C0000-0x0000029F899C1000-memory.dmp  4KB
  memory/644-145-0x00007FFC3B960000-0x00007FFC3BB3B000-memory.dmp  1.9MB
  memory/644-143-0x0000029FA7F10000-0x0000029FA7F11000-memory.dmp  4KB
  memory/644-142-0x0000029FA7A20000-0x0000029FA7A21000-memory.dmp  4KB
  memory/644-119-0x0000000000000000-mapping.dmp                    -
  memory/644-141-0x0000029FA7800000-0x0000029FA7A1A000-memory.dmp  2.1MB
  memory/644-140-0x0000029FA7510000-0x0000029FA77FB000-memory.dmp  2.9MB
  memory/644-139-0x0000029FA43C5000-0x0000029FA43C7000-memory.dmp  8KB
  memory/644-137-0x0000029FA43C2000-0x0000029FA43C4000-memory.dmp  8KB
  memory/644-138-0x0000029FA43C4000-0x0000029FA43C5000-memory.dmp  4KB
  memory/2820-127-0x0000000000AD0000-0x0000000000AD1000-memory.dmp  4KB
  memory/2820-134-0x00000000055F0000-0x00000000055F1000-memory.dmp  4KB
  memory/2820-133-0x0000000005320000-0x0000000005321000-memory.dmp  4KB
  memory/2820-132-0x00000000053B0000-0x00000000053B1000-memory.dmp  4KB
  memory/2820-131-0x0000000005370000-0x0000000005371000-memory.dmp  4KB
  memory/2820-130-0x00000000052E0000-0x00000000052E1000-memory.dmp  4KB
  memory/2820-129-0x0000000005940000-0x0000000005941000-memory.dmp  4KB
  memory/2820-124-0x0000000000000000-mapping.dmp                    -
  memory/3760-115-0x0000000000C90000-0x0000000000C91000-memory.dmp  4KB
  memory/3760-117-0x0000000005C40000-0x0000000005C41000-memory.dmp  4KB
  memory/3760-118-0x0000000005610000-0x0000000005611000-memory.dmp  4KB