Analysis
- max time kernel: 156s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 08:16
Static task: static1
Behavioral task: behavioral1
  Sample: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe
  Resource: win10v2004-en-20220112
General
- Target: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe
- Size: 6.6MB
- MD5: b452aa6ee918ef55234a9caccdda8a9f
- SHA1: 77b66ad9d4a85d240a5fbcb6a2d11b22166a91d9
- SHA256: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306
- SHA512: cca3f888e8679eced767e7bd2021dfa50aa1278af7a54b487fad8d6222c0a3a0e67eac7187557017243a5974b0abd6c2d256a5ef0bc58e23e8d6e89845f56be8
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoC)
  Processes:
    resource: behavioral1/memory/1832-73-0x0000000001370000-0x0000000001BCE000-memory.dmp; yara_rule: family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (3 IoCs)
  Processes: proliv031.exe, Underdress.exe, Unseduceability.exe
    pid 1832: proliv031.exe
    pid 1484: Underdress.exe
    pid 1816: Unseduceability.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: proliv031.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: proliv031.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: proliv031.exe
- Loads dropped DLL (4 IoCs)
  Processes: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe, Underdress.exe
    pid 1704: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe
    pid 1704: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe
    pid 1484: Underdress.exe
    pid 1484: Underdress.exe
- Processes:
    resource: \Users\Admin\AppData\Roaming\proliv031.exe; yara_rule: themida
    resource: C:\Users\Admin\AppData\Roaming\proliv031.exe; yara_rule: themida
    resource: behavioral1/memory/1832-73-0x0000000001370000-0x0000000001BCE000-memory.dmp; yara_rule: themida
- Checks whether UAC is enabled
  Processes: proliv031.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: proliv031.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: proliv031.exe
    pid 1832: proliv031.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: proliv031.exe
    pid 1832: proliv031.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe, Underdress.exe
    PID 1704 wrote to memory of 1832 (4 entries); process: 1704 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe; target process: proliv031.exe
    PID 1704 wrote to memory of 1484 (7 entries); process: 1704 8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe; target process: Underdress.exe
    PID 1484 wrote to memory of 1816 (4 entries); process: 1484 Underdress.exe; target process: Unseduceability.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ca2148c028fa80f102a0366bb03f8de2ea6572b00c5bdb1842c3fc090bfe306.exe"
  Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\proliv031.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\proliv031.exe
    Signatures:
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
  - Child process: C:\Users\Admin\AppData\Roaming\Underdress.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\Underdress.exe
    Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    - Child process: C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
      Signatures:
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
  MD5: 91f6b00edae795d78097a46fb95a9a6e
  SHA1: cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb
  SHA256: 06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8
  SHA512: 7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975
- C:\Users\Admin\AppData\Roaming\Underdress.exe
  MD5: 98f60434f7be5433b37cd47ec5029537
  SHA1: 1bb8e44edde75b6f346d8997106efe57eba9e3ef
  SHA256: c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766
  SHA512: df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7
- C:\Users\Admin\AppData\Roaming\proliv031.exe
  MD5: 4fcc07b3824852545b932d1e343629a4
  SHA1: 0fea4cecab722ae42167b2afdffda2c40ab43c35
  SHA256: 635a5757709bdf0b6d9174d8f05af91d9b253336bbc2319f4e6a570926ecc92d
  SHA512: b3b2d1e39def9d2d807b56ae596f30309866bfe8043af8cd33b6ab471412784e44103327c0f35761f71c168d95c1c93cb2e5c9f572d2e028d3b595fa03185799
- \Users\Admin\AppData\Local\Temp\Unseduceability.exe
  MD5: 91f6b00edae795d78097a46fb95a9a6e
  SHA1: cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb
  SHA256: 06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8
  SHA512: 7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975
- \Users\Admin\AppData\Roaming\Underdress.exe
  MD5: 98f60434f7be5433b37cd47ec5029537
  SHA1: 1bb8e44edde75b6f346d8997106efe57eba9e3ef
  SHA256: c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766
  SHA512: df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7
- \Users\Admin\AppData\Roaming\proliv031.exe
  MD5: 4fcc07b3824852545b932d1e343629a4
  SHA1: 0fea4cecab722ae42167b2afdffda2c40ab43c35
  SHA256: 635a5757709bdf0b6d9174d8f05af91d9b253336bbc2319f4e6a570926ecc92d
  SHA512: b3b2d1e39def9d2d807b56ae596f30309866bfe8043af8cd33b6ab471412784e44103327c0f35761f71c168d95c1c93cb2e5c9f572d2e028d3b595fa03185799
- memory/1704-55-0x0000000075F91000-0x0000000075F93000-memory.dmp (Filesize: 8KB)
- memory/1816-78-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp (Filesize: 4KB)
- memory/1816-79-0x0000000000910000-0x0000000000C78000-memory.dmp (Filesize: 3.4MB)
- memory/1816-80-0x000000001C450000-0x000000001C740000-memory.dmp (Filesize: 2.9MB)
- memory/1816-81-0x00000000027D0000-0x00000000027D2000-memory.dmp (Filesize: 8KB)
- memory/1816-83-0x0000000000870000-0x000000000088A000-memory.dmp (Filesize: 104KB)
- memory/1832-61-0x0000000076F14000-0x0000000076F15000-memory.dmp (Filesize: 4KB)
- memory/1832-73-0x0000000001370000-0x0000000001BCE000-memory.dmp (Filesize: 8.4MB)
- memory/1832-72-0x00000000741EE000-0x00000000741EF000-memory.dmp (Filesize: 4KB)
- memory/1832-67-0x0000000077690000-0x0000000077692000-memory.dmp (Filesize: 8KB)
- memory/1832-63-0x000000007701E000-0x000000007701F000-memory.dmp (Filesize: 4KB)
- memory/1832-62-0x0000000076F11000-0x0000000076F12000-memory.dmp (Filesize: 4KB)
- memory/1832-60-0x0000000076F11000-0x0000000076F12000-memory.dmp (Filesize: 4KB)
- memory/1832-82-0x0000000005140000-0x0000000005141000-memory.dmp (Filesize: 4KB)
- memory/1832-59-0x0000000076F14000-0x0000000076F15000-memory.dmp (Filesize: 4KB)