Analysis
- max time kernel: 162s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 29-01-2022 08:01
Static task: static1
Behavioral task: behavioral1
- Sample: 3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
- Resource: win10v2004-en-20220112
General
- Target: 3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
- Size: 458KB
- MD5: a03ee84873f31ecee95290104f4e678f
- SHA1: af01efe138ae278621b49724ece9b0bac60b1f10
- SHA256: 3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e
- SHA512: 278d7f253a9ee40344fd0e2459b6e4b6edbaeb512a29e33653ec53242820498429a449b3293728ab17243744b82311a65572987822a64716361011e556c93b87
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload 4 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1832-133-0x0000000002280000-0x00000000023C0000-memory.dmp  family_redline
  behavioral1/memory/1832-134-0x0000000002280000-0x00000000023C0000-memory.dmp  family_redline
  behavioral1/memory/1832-135-0x0000000002280000-0x00000000023C0000-memory.dmp  family_redline
  behavioral1/memory/1832-140-0x0000000002280000-0x00000000023C0000-memory.dmp  family_redline
- Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  Processes: WerFault.exe
  description            pid   process       target process
  PID 2632 created 1832  2632  WerFault.exe  3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
- Sets service image path in registry 2 TTPs
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory 1 IoCs
  Processes: WerFault.exe
  description   ioc                                            process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  WerFault.exe
- Program crash 1 IoCs
  Processes: WerFault.exe
  pid   pid_target  process       target process
  1952  1832        WerFault.exe  3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
- Checks processor information in registry 2 TTPs 3 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: WerFault.exe
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
- Enumerates system info in registry 2 TTPs 2 IoCs
  Processes: WerFault.exe
  description        ioc                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
- Modifies data under HKEY_USERS 41 IoCs
  Processes: WaaSMedicAgent.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes: WerFault.exe
  pid   process
  1952  WerFault.exe
  1952  WerFault.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes: 3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe, WerFault.exe
  description                pid   process
  Token: SeDebugPrivilege    1832  3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
  Token: SeRestorePrivilege  1952  WerFault.exe
  Token: SeBackupPrivilege   1952  WerFault.exe
  Token: SeBackupPrivilege   1952  WerFault.exe
- Suspicious use of WriteProcessMemory 2 IoCs
  Processes: WerFault.exe
  description                       pid   process       target process
  PID 2632 wrote to memory of 1832  2632  WerFault.exe  3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
  PID 2632 wrote to memory of 1832  2632  WerFault.exe  3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
  "C:\Users\Admin\AppData\Local\Temp\3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1524
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WaaSMedicAgent.exe
  C:\Windows\System32\WaaSMedicAgent.exe 3360a024ee8731b602a9a9f798c4a613 m1LUVBdGck63P0D30X+vRQ.0.1.0.0.0
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1832 -ip 1832
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource                                                          filesize
memory/1832-130-0x0000000000610000-0x000000000063B000-memory.dmp  172KB
memory/1832-131-0x0000000000640000-0x0000000000679000-memory.dmp  228KB
memory/1832-132-0x0000000000400000-0x000000000047A000-memory.dmp  488KB
memory/1832-133-0x0000000002280000-0x00000000023C0000-memory.dmp  1.2MB
memory/1832-134-0x0000000002280000-0x00000000023C0000-memory.dmp  1.2MB
memory/1832-135-0x0000000002280000-0x00000000023C0000-memory.dmp  1.2MB
memory/1832-136-0x0000000004D50000-0x00000000052F4000-memory.dmp  5.6MB
memory/1832-137-0x0000000005300000-0x0000000005918000-memory.dmp  6.1MB
memory/1832-138-0x0000000002710000-0x0000000002722000-memory.dmp  72KB
memory/1832-139-0x0000000005920000-0x0000000005A2A000-memory.dmp  1.0MB
memory/1832-140-0x0000000002280000-0x00000000023C0000-memory.dmp  1.2MB
memory/1832-141-0x0000000002860000-0x000000000289C000-memory.dmp  240KB
memory/1832-142-0x0000000005CB0000-0x0000000005D16000-memory.dmp  408KB
memory/1832-143-0x00000000060D0000-0x0000000006146000-memory.dmp  472KB
memory/1832-144-0x00000000061B0000-0x0000000006242000-memory.dmp  584KB
memory/1832-145-0x00000000063B0000-0x00000000063CE000-memory.dmp  120KB
memory/1832-146-0x0000000006460000-0x0000000006622000-memory.dmp  1.8MB
memory/1832-147-0x0000000006630000-0x0000000006B5C000-memory.dmp  5.2MB