Analysis
- max time kernel: 45s
- max time network: 63s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 29-04-2022 18:01
Static task: static1
Behavioral task: behavioral1
- Sample: SkyBlade/StartGame.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: SkyBlade/StartGame.exe
- Resource: win10v2004-20220414-en
General
- Target: SkyBlade/StartGame.exe
- Size: 3.3MB
- MD5: 6cc724aeb4a4b65ec4c162f88bcd251c
- SHA1: 1eabb1cdb279a90518654f58071674bc8db62511
- SHA256: e5963aca74fd4fca8fbd1f4189cb726f4c1acffd39fe28626e8eafdf82e147a9
- SHA512: e9703dd68996474eaf17fbc992e766bcac89523cfc8598d180a417bdbbed832d05e01cb5fc8907ff478bc6adc020e819297a5154ad1025c9377918f1683d0186
Malware Config
Extracted
- family: redline
- 1
- C2: 65.108.5.252:43673
- auth_value: 95517c2a2f56575288c35d9dfde4a6aa
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Resources matched (yara_rule):
- behavioral1/memory/1684-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
- behavioral1/memory/1684-65-0x000000000041BC2E-mapping.dmp: family_redline
- behavioral1/memory/1684-66-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
- behavioral1/memory/1684-67-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 1964 esss.exe
- 272 OneDrive.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (StartGame.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (StartGame.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (esss.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (esss.exe)
Loads dropped DLL 9 IoCs
Processes (pid, process):
- 1684 AppLaunch.exe
- 1492 AppLaunch.exe
- 272 OneDrive.exe
- 480 WerFault.exe (listed 6 times)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" (REG.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run (REG.exe)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (StartGame.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (esss.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network (flow, ioc):
- flow 12: ipinfo.io
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 756 set thread context of 1684: StartGame.exe -> AppLaunch.exe
- PID 1964 set thread context of 1492: esss.exe -> AppLaunch.exe
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 480 -> 272: WerFault.exe, OneDrive.exe
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
- 1684 AppLaunch.exe
- 1492 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1684 AppLaunch.exe
Suspicious use of WriteProcessMemory 46 IoCs
Processes (description, pid, process, target process), grouped by writer/target pair with the number of recorded writes (46 in total):
- PID 756 wrote to memory of 1684: StartGame.exe -> AppLaunch.exe (9 times)
- PID 1684 wrote to memory of 1964: AppLaunch.exe -> esss.exe (7 times)
- PID 1964 wrote to memory of 1492: esss.exe -> AppLaunch.exe (9 times)
- PID 1492 wrote to memory of 272: AppLaunch.exe -> OneDrive.exe (4 times)
- PID 1492 wrote to memory of 872: AppLaunch.exe -> REG.exe (7 times)
- PID 1492 wrote to memory of 2040: AppLaunch.exe -> REG.exe (7 times)
- PID 272 wrote to memory of 480: OneDrive.exe -> WerFault.exe (3 times)
Processes (process tree; the number in brackets is the nesting depth)
- [1] C:\Users\Admin\AppData\Local\Temp\SkyBlade\StartGame.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SkyBlade\StartGame.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\esss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\esss.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
          Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 272 -s 752
            - Loads dropped DLL
            - Program crash
        - [5] C:\Windows\SysWOW64\REG.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
          - Adds Run key to start application
          - Modifies registry key
        - [5] C:\Windows\SysWOW64\REG.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
          - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\0j4sCQ0iw4s3SZ_s
  Filesize: 218B
  MD5: 8dc5b7046db57f21d6c4c7e39ada4631
  SHA1: 59942aa96975d3f583e324488707dd22d5e27082
  SHA256: 6368f5373ac8fe89c9485daa15367139e4a4ea816f120567e90b1b06c43e1e15
  SHA512: 63ac9ab88f540e71f4298422c11acc7417d8af0f3429b21323915622716a3253769d8ef130ddd2a974ba364ba768e85c3b870b877eb7058c2b14d926671d105b
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
  Filesize: 175KB
  MD5: f3af73070387fb75b19286826cc3126c
  SHA1: 7774854137d7ada89f3b4bdf67631456a1e74853
  SHA256: 974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610
  SHA512: a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll
  Filesize: 316KB
  MD5: fed6517a5f84eecc29edee5586d7feeb
  SHA1: 56df244bf73c7ec7b59c98e1f5d47b379b58a06b
  SHA256: 5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6
  SHA512: 45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642
- C:\Users\Admin\AppData\Roaming\esss.exe
  Filesize: 8.0MB
  MD5: 99c2d57233f41cb45777a2f33e0960b8
  SHA1: 844a49a3859a5bef060a8e1182b3fee59934af27
  SHA256: 454ec9fcacc3d0a2b8a4e3854dc309a64ab75dfced472f0d41b33763b7eb72b8
  SHA512: cc2e91120b41ef2047418175601422da48d5c5fc9cf69ce54792d109bd867bc152bbae998b9db0370d76f8b1a6c548e714031f60390d0b0419c7feb668e22aa5
- \Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe (listed 6 times, identical hashes)
  Filesize: 175KB
  MD5: f3af73070387fb75b19286826cc3126c
  SHA1: 7774854137d7ada89f3b4bdf67631456a1e74853
  SHA256: 974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610
  SHA512: a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a
- \Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll (listed 2 times, identical hashes)
  Filesize: 316KB
  MD5: fed6517a5f84eecc29edee5586d7feeb
  SHA1: 56df244bf73c7ec7b59c98e1f5d47b379b58a06b
  SHA256: 5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6
  SHA512: 45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642
- \Users\Admin\AppData\Roaming\esss.exe
  Filesize: 8.0MB
  MD5: 99c2d57233f41cb45777a2f33e0960b8
  SHA1: 844a49a3859a5bef060a8e1182b3fee59934af27
  SHA256: 454ec9fcacc3d0a2b8a4e3854dc309a64ab75dfced472f0d41b33763b7eb72b8
  SHA512: cc2e91120b41ef2047418175601422da48d5c5fc9cf69ce54792d109bd867bc152bbae998b9db0370d76f8b1a6c548e714031f60390d0b0419c7feb668e22aa5
Memory dumps
- memory/272-89-0x0000000000000000-mapping.dmp
- memory/480-98-0x0000000000000000-mapping.dmp
- memory/756-56-0x0000000000A20000-0x0000000000D63000-memory.dmp (Filesize: 3.3MB)
- memory/756-54-0x0000000075941000-0x0000000075943000-memory.dmp (Filesize: 8KB)
- memory/756-57-0x0000000000A20000-0x0000000000D63000-memory.dmp (Filesize: 3.3MB)
- memory/756-55-0x0000000000A20000-0x0000000000D63000-memory.dmp (Filesize: 3.3MB)
- memory/872-93-0x0000000000000000-mapping.dmp
- memory/1492-78-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/1492-87-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/1492-86-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/1492-84-0x0000000000424BD3-mapping.dmp
- memory/1492-76-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/1684-67-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1684-66-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1684-65-0x000000000041BC2E-mapping.dmp
- memory/1684-60-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1684-58-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1964-75-0x0000000000140000-0x0000000000937000-memory.dmp (Filesize: 8.0MB)
- memory/1964-73-0x0000000000140000-0x0000000000937000-memory.dmp (Filesize: 8.0MB)
- memory/1964-70-0x0000000000000000-mapping.dmp
- memory/1964-74-0x0000000000140000-0x0000000000937000-memory.dmp (Filesize: 8.0MB)
- memory/2040-94-0x0000000000000000-mapping.dmp