Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 09:49
Static task: static1
Behavioral task behavioral1: sample God of War.exe, resource win7-en-20211208
Behavioral task behavioral2: sample God of War.exe, resource win10-en-20211208
General
- Target: God of War.exe
- Size: 1.2MB
- MD5: 484c3ab4ae2795dce03be108c01ea316
- SHA1: 459b95db4341640c1c249bce55e74a39e256e2d4
- SHA256: 82b844c1e452640ba4bf4ef2ec6187d16673b3113af6a92ac684ca3ba6a82859
- SHA512: 956ebe3f1ddfb4aa565ccddf00184f787592b22aa548cdc82391bf1233b8ccd707aa90e6b9e73b42b28a9ddc637ca3ce79e070319445d35bcec907ae30477059
Malware Config
- Extracted: redline, C2 5.206.227.246:80
- Extracted: redline (cheat), C2 185.253.7.41:49508
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Resource / YARA rule:
  - behavioral2/memory/3280-122-0x0000000000400000-0x000000000046C000-memory.dmp: family_redline
  - C:\Users\Admin\AppData\Roaming\asf3r3.exe: family_redline
  - C:\Users\Admin\AppData\Roaming\asf3r3.exe: family_redline
  - behavioral2/memory/1980-134-0x00000000001D0000-0x00000000001F0000-memory.dmp: family_redline
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
- suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  PID / process:
  - 1980 asf3r3.exe
  - 2200 e3dwefw.exe
  - 848 oobeldr.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2620 (God of War.exe) set thread context of 3280 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened by RegAsm.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried by RegAsm.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID / process:
  - 3188 schtasks.exe
  - 2880 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - 3280 RegAsm.exe (10 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 3280 RegAsm.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 2620 (God of War.exe) wrote to memory of 3280 (RegAsm.exe): 8 times
  - PID 3280 (RegAsm.exe) wrote to memory of 1980 (asf3r3.exe): 3 times
  - PID 3280 (RegAsm.exe) wrote to memory of 2200 (e3dwefw.exe): 3 times
  - PID 2200 (e3dwefw.exe) wrote to memory of 3188 (schtasks.exe): 3 times
  - PID 848 (oobeldr.exe) wrote to memory of 2880 (schtasks.exe): 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\God of War.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\God of War.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: #cmd
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\asf3r3.exe
      command line: "C:\Users\Admin\AppData\Roaming\asf3r3.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\e3dwefw.exe
      command line: "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  MD5: 67486b272027c5c08c37d2a7dfa3b019
  SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
  SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
  SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61
- C:\Users\Admin\AppData\Roaming\asf3r3.exe
  MD5: 654b0fbc5f45e7aa0d208a9ae2352f30
  SHA1: d91b8b6a3d1815010973db6189fc1f7b73e98dd8
  SHA256: 808bad1396611118abb83a7d09940c7c47d785511db2e5b652becf9ec67cdb19
  SHA512: 807a471d51a5e7f22f19a7cd0775f852519c256b3592136b4f673dcc8b53488698c5830d75cfc461937a5a485963c37e1eb4e18c40446ac241df1b859a242234
- C:\Users\Admin\AppData\Roaming\e3dwefw.exe
  MD5: 67486b272027c5c08c37d2a7dfa3b019
  SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
  SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
  SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61