Analysis
- Max time kernel: 146s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 05-02-2022 10:46
Static task: static1
Behavioral task: behavioral1
- Sample: 54dc032c3503998eaa404dde9c677851856838e737edb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 54dc032c3503998eaa404dde9c677851856838e737edb.exe
- Resource: win10v2004-en-20220113
General
- Target: 54dc032c3503998eaa404dde9c677851856838e737edb.exe
- Size: 490KB
- MD5: a500638434b5108c1b21426c8d726509
- SHA1: 6847ba9b1cd63ac4ec14070b570753023efc2ea7
- SHA256: 54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e
- SHA512: d24d2473d2ec64f551bd39ce5c577efa4e6c10148dda4bb6d6bfed95732c780f896a1cb68aaa112439b5ba81072913bbdc4e4686e224e41620680dba06cca282
Malware Config
Extracted
- Family: redline
- Botnet: mama
- C2: 91.243.32.100:2358
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (4 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/1760-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
  - behavioral1/memory/1760-61-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
  - behavioral1/memory/1760-62-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
  - behavioral1/memory/1760-63-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  PID / process:
  - 1684 bezadmin.exe
  - 1900 services.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Description / IoC / process:
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: bezadmin.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: services.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: services.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: bezadmin.exe
- Loads dropped DLL (2 IoCs)
  PID / process:
  - 1760 54dc032c3503998eaa404dde9c677851856838e737edb.exe
  - 1724 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes (YARA rule themida; the signature heading did not survive extraction)
  Resource / YARA rule:
  - \Users\Admin\AppData\Local\Temp\bezadmin.exe: themida
  - C:\Users\Admin\AppData\Local\Temp\bezadmin.exe: themida
  - behavioral1/memory/1684-71-0x000000013F7F0000-0x000000014074A000-memory.dmp: themida
  - behavioral1/memory/1684-72-0x000000013F7F0000-0x000000014074A000-memory.dmp: themida
  - C:\Users\Admin\AppData\Local\Temp\bezadmin.exe: themida
  - \Users\Admin\AppData\Roaming\Windows\services.exe: themida
  - C:\Users\Admin\AppData\Roaming\Windows\services.exe: themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Processes (EnableLUA queries; listed as "Checks whether UAC is enabled" in the process tree below)
  Description / IoC / process:
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: bezadmin.exe
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: services.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  PID / process:
  - 1684 bezadmin.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Description / PID / process / target process:
  - PID 1196 set thread context of 1760: 54dc032c3503998eaa404dde9c677851856838e737edb.exe -> 54dc032c3503998eaa404dde9c677851856838e737edb.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID / process:
  - 1760 54dc032c3503998eaa404dde9c677851856838e737edb.exe
  - 1684 bezadmin.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description / PID / process:
  - Token: SeDebugPrivilege, 1760 54dc032c3503998eaa404dde9c677851856838e737edb.exe
  - Token: SeDebugPrivilege, 1684 bezadmin.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Description / PID / process / target process (repeated entries collapsed; the count in parentheses is the number of identical rows in the report):
  - PID 1196 wrote to memory of 1760: 54dc032c3503998eaa404dde9c677851856838e737edb.exe -> 54dc032c3503998eaa404dde9c677851856838e737edb.exe (x9)
  - PID 1760 wrote to memory of 1684: 54dc032c3503998eaa404dde9c677851856838e737edb.exe -> bezadmin.exe (x4)
  - PID 1684 wrote to memory of 1028: bezadmin.exe -> cmd.exe (x3)
  - PID 1028 wrote to memory of 1080: cmd.exe -> schtasks.exe (x3)
  - PID 1684 wrote to memory of 1724: bezadmin.exe -> cmd.exe (x3)
  - PID 1724 wrote to memory of 1900: cmd.exe -> services.exe (x3)
Processes (indented by depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\54dc032c3503998eaa404dde9c677851856838e737edb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\54dc032c3503998eaa404dde9c677851856838e737edb.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\54dc032c3503998eaa404dde9c677851856838e737edb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\54dc032c3503998eaa404dde9c677851856838e737edb.exe
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bezadmin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bezadmin.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Windows\services.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Windows\services.exe"
          - Creates scheduled task(s)
      - C:\Windows\system32\cmd.exe
        Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Windows\services.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Windows\services.exe
          Command line: C:\Users\Admin\AppData\Roaming\Windows\services.exe
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (each dropped file is listed once; the report repeats the same entries under \Users\... and C:\Users\... paths)
- C:\Users\Admin\AppData\Local\Temp\bezadmin.exe
  MD5: 9eeb85895541741733214875920d6307
  SHA1: 745a7e4adb17d680666df4e5d488b825217b675d
  SHA256: ce1d97d434074b7de7f002a97a918b4524d8485216fec3cf3a3e60bbb721c9b9
  SHA512: 2407871d3b9fe9a821f45ccf91823addaad92fd9166faac99392bcbe8280a9543ade23284b522ff5b71d16a2dd61e14c036bf30846355a25b4bef8fb94b86b95
- C:\Users\Admin\AppData\Roaming\Windows\services.exe (same hashes as bezadmin.exe: the copy placed under AppData\Roaming for persistence is byte-identical to the dropped file)
  MD5: 9eeb85895541741733214875920d6307
  SHA1: 745a7e4adb17d680666df4e5d488b825217b675d
  SHA256: ce1d97d434074b7de7f002a97a918b4524d8485216fec3cf3a3e60bbb721c9b9
  SHA512: 2407871d3b9fe9a821f45ccf91823addaad92fd9166faac99392bcbe8280a9543ade23284b522ff5b71d16a2dd61e14c036bf30846355a25b4bef8fb94b86b95
Memory dumps (resource: file size)
- memory/1196-56-0x0000000004F60000-0x0000000004F61000-memory.dmp: 4KB
- memory/1196-57-0x0000000074B21000-0x0000000074B23000-memory.dmp: 8KB
- memory/1196-55-0x0000000000F30000-0x0000000000FB2000-memory.dmp: 520KB
- memory/1684-72-0x000000013F7F0000-0x000000014074A000-memory.dmp: 15.4MB
- memory/1684-68-0x00000000004E0000-0x00000000004E1000-memory.dmp: 4KB
- memory/1684-69-0x000007FE80010000-0x000007FE80011000-memory.dmp: 4KB
- memory/1684-71-0x000000013F7F0000-0x000000014074A000-memory.dmp: 15.4MB
- memory/1684-73-0x00000000028F0000-0x00000000028F2000-memory.dmp: 8KB
- memory/1760-65-0x0000000004C50000-0x0000000004C51000-memory.dmp: 4KB
- memory/1760-63-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1760-62-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1760-61-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1760-60-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1760-59-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1760-58-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB