Analysis
max time kernel: 142s
max time network: 168s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-06-2022 07:41
Behavioral task: behavioral1
Sample: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Resource: win7-20220414-en
General
Target: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Size: 7.1MB
MD5: a776b0fb7cc1b3870f6234a12fbfb377
SHA1: 7b3f180a2af62f06b8162e7290287202d6d80b41
SHA256: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2
SHA512: f95909227004c610c52ca1d65ed3e8aff27dd5750c55b6a31f931e5c3e4089f305e648cb33f3be94e350625feaf7716f58b99bb541c60292ea7dd1d7d17b4f42
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoCs)
Processes:
  resource: behavioral1/memory/844-58-0x0000000000F00000-0x00000000019FA000-memory.dmp
  yara_rule: family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
  3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Processes:
  resource: behavioral1/memory/844-57-0x0000000000F00000-0x00000000019FA000-memory.dmp
  yara_rule: vmprotect
  resource: behavioral1/memory/844-58-0x0000000000F00000-0x00000000019FA000-memory.dmp
  yara_rule: vmprotect
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Processes:
  resource: behavioral1/memory/844-57-0x0000000000F00000-0x00000000019FA000-memory.dmp
  yara_rule: themida
  resource: behavioral1/memory/844-58-0x0000000000F00000-0x00000000019FA000-memory.dmp
  yara_rule: themida
Checks whether UAC is enabled
Processes:
  3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
  3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    pid: 844
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    pid: 844
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    pid: 844
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
    pid: 844
    process: 3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3239ffaad610ff9934720350efe132dd9ca3fd8d1d812a67d1449c531e5782f2.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 844
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/844-54-0x0000000076431000-0x0000000076433000-memory.dmp (Filesize: 8KB)
memory/844-57-0x0000000000F00000-0x00000000019FA000-memory.dmp (Filesize: 11.0MB)
memory/844-60-0x0000000077480000-0x0000000077600000-memory.dmp (Filesize: 1.5MB)
memory/844-59-0x0000000000F00000-0x00000000019FA000-memory.dmp (Filesize: 11.0MB)
memory/844-58-0x0000000000F00000-0x00000000019FA000-memory.dmp (Filesize: 11.0MB)