Analysis
max time kernel: 87s
max time network: 86s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 09-02-2022 06:08
Static task: static1
General
Target: Lucky SkinChanger.exe
Size: 2.1MB
MD5: 795a68d97113af5bfe54e3b0250ee2d4
SHA1: 65d1bd69f7fb761ffe0831548b41af9d107692db
SHA256: 1800e21eac1384cd70ce9edc4b58301eb632eb01489481034a3cd292314dc9ff
SHA512: b87ecd159a781b83fb1e59c6e2aa372f364047832081920c2f8cb1699793536066b5e9150ec447dc280540bb5032aca5da0a1302892d561820009f95ae747990
Malware Config
Extracted
redline
sapphire
185.230.143.237:2548
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 1 IoCs
resource: behavioral1/memory/4420-136-0x0000000000CE0000-0x0000000001064000-memory.dmp  yara_rule: family_redline
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Executes dropped EXE 1 IoCs
pid: 4420  Process: Decoder.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  Process: Lucky SkinChanger.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 13  ioc: api.ipify.org
flow: 14  ioc: api.ipify.org
flow: 19  ioc: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid: 4420  Process: Decoder.exe (10 identical entries)
Drops file in Windows directory 8 IoCs
description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  Process: svchost.exe
description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log  Process: svchost.exe
description: File opened for modification  ioc: C:\Windows\Logs\CBS\CBS.log  Process: TiWorker.exe
description: File opened for modification  ioc: C:\Windows\WinSxS\pending.xml  Process: TiWorker.exe
description: File opened for modification  ioc: C:\Windows\WindowsUpdate.log  Process: svchost.exe
description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  Process: svchost.exe
description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  Process: svchost.exe
description: File opened for modification  ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  Process: svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Delays execution with timeout.exe 1 IoCs
pid: 2164  Process: timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 4052  Process: Lucky SkinChanger.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description: Token: SeDebugPrivilege  pid: 4052  Process: Lucky SkinChanger.exe
description: Token: SeDebugPrivilege  pid: 4420  Process: Decoder.exe
description: Token: SeShutdownPrivilege  pid: 2836  Process: svchost.exe (3 entries)
description: Token: SeCreatePagefilePrivilege  pid: 2836  Process: svchost.exe (3 entries)
description: Token: SeSecurityPrivilege  pid: 2600  Process: TiWorker.exe
description: Token: SeRestorePrivilege  pid: 2600  Process: TiWorker.exe
description: Token: SeBackupPrivilege  pid: 2600  Process: TiWorker.exe
(the remaining entries are repeats of the three TiWorker.exe tokens above, pid 2600)
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 4420  Process: Decoder.exe
Suspicious use of WriteProcessMemory 7 IoCs
description: PID 4052 wrote to memory of 4420  pid: 4052  Process: Lucky SkinChanger.exe  procid_target: 84 (3 entries)
description: PID 4052 wrote to memory of 1292  pid: 4052  Process: Lucky SkinChanger.exe  procid_target: 85 (2 entries)
description: PID 1292 wrote to memory of 2164  pid: 1292  Process: cmd.exe  procid_target: 88 (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\Lucky SkinChanger.exe
  "C:\Users\Admin\AppData\Local\Temp\Lucky SkinChanger.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4052
    C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4420
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      - Suspicious use of WriteProcessMemory
      PID: 1292
        C:\Windows\system32\timeout.exe
          timeout 4
          - Delays execution with timeout.exe
          PID: 2164
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2836
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2600