Overview

overview

10

Static

static

1

8ca2148c02...06.exe

windows7_x64

10

8ca2148c02...06.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15-02-2022 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe

  • Size

    6.6MB

  • MD5

    b452aa6ee918ef55234a9caccdda8a9f

  • SHA1

    77b66ad9d4a85d240a5fbcb6a2d11b22166a91d9

  • SHA256

    8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306

  • SHA512

    cca3f888e8679eced767e7bd2021dfa50aa1278af7a54b487fad8d6222c0a3a0e67eac7187557017243a5974b0abd6c2d256a5ef0bc58e23e8d6e89845f56be8

Score
10/10
redlineevasioninfostealerthemidatrojan

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 4 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe
    "C:\Users\Admin\AppData\Local\Temp\8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Roaming\proliv031.exe
      C:\Users\Admin\AppData\Roaming\proliv031.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1832
    • C:\Users\Admin\AppData\Roaming\Underdress.exe
      C:\Users\Admin\AppData\Roaming\Underdress.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
        "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
        3⤵
        • Executes dropped EXE
        PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
    MD5

    91f6b00edae795d78097a46fb95a9a6e

    SHA1

    cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

    SHA256

    06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

    SHA512

    7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
    MD5

    91f6b00edae795d78097a46fb95a9a6e

    SHA1

    cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

    SHA256

    06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

    SHA512

    7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Underdress.exe
    MD5

    98f60434f7be5433b37cd47ec5029537

    SHA1

    1bb8e44edde75b6f346d8997106efe57eba9e3ef

    SHA256

    c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

    SHA512

    df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Underdress.exe
    MD5

    98f60434f7be5433b37cd47ec5029537

    SHA1

    1bb8e44edde75b6f346d8997106efe57eba9e3ef

    SHA256

    c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

    SHA512

    df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\proliv031.exe
    MD5

    4fcc07b3824852545b932d1e343629a4

    SHA1

    0fea4cecab722ae42167b2afdffda2c40ab43c35

    SHA256

    635a5757709bdf0b6d9174d8f05af91d9b253336bbc2319f4e6a570926ecc92d

    SHA512

    b3b2d1e39def9d2d807b56ae596f30309866bfe8043af8cd33b6ab471412784e44103327c0f35761f71c168d95c1c93cb2e5c9f572d2e028d3b595fa03185799

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Unseduceability.exe
    MD5

    91f6b00edae795d78097a46fb95a9a6e

    SHA1

    cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

    SHA256

    06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

    SHA512

    7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Unseduceability.exe
    MD5

    91f6b00edae795d78097a46fb95a9a6e

    SHA1

    cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

    SHA256

    06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

    SHA512

    7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

    Download Submit
  • \Users\Admin\AppData\Roaming\Underdress.exe
    MD5

    98f60434f7be5433b37cd47ec5029537

    SHA1

    1bb8e44edde75b6f346d8997106efe57eba9e3ef

    SHA256

    c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

    SHA512

    df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

    Download Submit
  • \Users\Admin\AppData\Roaming\proliv031.exe
    MD5

    4fcc07b3824852545b932d1e343629a4

    SHA1

    0fea4cecab722ae42167b2afdffda2c40ab43c35

    SHA256

    635a5757709bdf0b6d9174d8f05af91d9b253336bbc2319f4e6a570926ecc92d

    SHA512

    b3b2d1e39def9d2d807b56ae596f30309866bfe8043af8cd33b6ab471412784e44103327c0f35761f71c168d95c1c93cb2e5c9f572d2e028d3b595fa03185799

    Download Submit
  • memory/1704-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1816-78-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1816-79-0x0000000000910000-0x0000000000C78000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1816-80-0x000000001C450000-0x000000001C740000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1816-81-0x00000000027D0000-0x00000000027D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1816-83-0x0000000000870000-0x000000000088A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1832-61-0x0000000076F14000-0x0000000076F15000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-73-0x0000000001370000-0x0000000001BCE000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/1832-72-0x00000000741EE000-0x00000000741EF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-67-0x0000000077690000-0x0000000077692000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1832-63-0x000000007701E000-0x000000007701F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-62-0x0000000076F11000-0x0000000076F12000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-60-0x0000000076F11000-0x0000000076F12000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-82-0x0000000005140000-0x0000000005141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-59-0x0000000076F14000-0x0000000076F15000-memory.dmp
    Filesize

    4KB

    Download