Analysis
- max time kernel: 73s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 02:30
Static task: static1
Behavioral task: behavioral1
  Sample: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe
  Resource: win10v2004-20220414-en
General
- Target: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe
- Size: 541KB
- MD5: cf606a21fd97cb1fdb844526f9341167
- SHA1: 6526497f5fb86519bbe71b23f791187679e0b2e5
- SHA256: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57
- SHA512: cd71158c321613c15bb7e2c5e15d5b92d3b9e9f003d0c86990497702c234418988917d09ebe595f38b65f9d1b1e81b52d2bd79a1e944699b6d5d0e66eb88ce5c
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload 2 IoCs
  Processes:
  resource: behavioral2/memory/4176-139-0x0000000000E50000-0x0000000001C5A000-memory.dmp, yara_rule: family_redline
  resource: behavioral2/memory/4176-151-0x0000000000E50000-0x0000000001C5A000-memory.dmp, yara_rule: family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes:
  description: Key opened, ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__, process: lnchr.exe
- Downloads MZ/PE file
- Executes dropped EXE 1 IoCs
  Processes:
  pid: 4176, process: lnchr.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, process: lnchr.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, process: lnchr.exe
- Processes (yara_rule: themida):
  resource: C:\Users\Admin\AppData\Roaming\lnchr.exe, yara_rule: themida
  resource: C:\Users\Admin\AppData\Roaming\lnchr.exe, yara_rule: themida
  resource: behavioral2/memory/4176-139-0x0000000000E50000-0x0000000001C5A000-memory.dmp, yara_rule: themida
  resource: behavioral2/memory/4176-151-0x0000000000E50000-0x0000000001C5A000-memory.dmp, yara_rule: themida
- Checks whether UAC is enabled
  Processes:
  description: Key value queried, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, process: lnchr.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
  pid: 4176, process: lnchr.exe
- Kills process with taskkill 1 IoCs
  Processes:
  pid: 1200, process: taskkill.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
  pid: 4176, process: lnchr.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description: Token: SeDebugPrivilege, pid: 4176, process: lnchr.exe
  description: Token: SeDebugPrivilege, pid: 1200, process: taskkill.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description: PID 2636 wrote to memory of 4176, pid: 2636, process: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe, target process: lnchr.exe
  description: PID 2636 wrote to memory of 4176, pid: 2636, process: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe, target process: lnchr.exe
  description: PID 2636 wrote to memory of 4176, pid: 2636, process: b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe, target process: lnchr.exe
  description: PID 4176 wrote to memory of 3860, pid: 4176, process: lnchr.exe, target process: cmd.exe
  description: PID 4176 wrote to memory of 3860, pid: 4176, process: lnchr.exe, target process: cmd.exe
  description: PID 4176 wrote to memory of 3860, pid: 4176, process: lnchr.exe, target process: cmd.exe
  description: PID 3860 wrote to memory of 1200, pid: 3860, process: cmd.exe, target process: taskkill.exe
  description: PID 3860 wrote to memory of 1200, pid: 3860, process: cmd.exe, target process: taskkill.exe
  description: PID 3860 wrote to memory of 1200, pid: 3860, process: cmd.exe, target process: taskkill.exe
  description: PID 3860 wrote to memory of 4680, pid: 3860, process: cmd.exe, target process: choice.exe
  description: PID 3860 wrote to memory of 4680, pid: 3860, process: cmd.exe, target process: choice.exe
  description: PID 3860 wrote to memory of 4680, pid: 3860, process: cmd.exe, target process: choice.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe"
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Roaming\lnchr.exe
    Command line: C:\Users\Admin\AppData\Roaming\lnchr.exe jdjsvbusje
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C taskkill /F /PID 4176 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\lnchr.exe"
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /PID 4176
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - (4) C:\Windows\SysWOW64\choice.exe
        Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\lnchr.exe
  Filesize: 2.1MB
  MD5: a888775e94b3477988e4342e81fb4384
  SHA1: 142f31918ac691851881b39a870e2a8c2f71ac76
  SHA256: 612b4bf447ae37ff9677c9818f6a70833206ecddbd06246f4c9b3f2151d15302
  SHA512: 0791fbbc4223e32c6854623676744d47ac3e4e53084fba19dcdc9968ef581aaaf1d8f190a42ee6e651d407ed9b9d7b3df57dc18fb55add967cca12ff4b257835
- memory/1200-149-0x0000000000000000-mapping.dmp
- memory/2636-146-0x0000000140000000-0x0000000140168000-memory.dmp, Filesize: 1.4MB
- memory/2636-153-0x0000000140000000-0x0000000140168000-memory.dmp, Filesize: 1.4MB
- memory/2636-130-0x0000000140000000-0x0000000140168000-memory.dmp, Filesize: 1.4MB
- memory/3860-148-0x0000000000000000-mapping.dmp
- memory/4176-136-0x00000000773E0000-0x0000000077583000-memory.dmp, Filesize: 1.6MB
- memory/4176-147-0x0000000006950000-0x0000000006A5A000-memory.dmp, Filesize: 1.0MB
- memory/4176-142-0x0000000005D40000-0x0000000005DA6000-memory.dmp, Filesize: 408KB
- memory/4176-143-0x0000000006E50000-0x0000000007468000-memory.dmp, Filesize: 6.1MB
- memory/4176-144-0x0000000006140000-0x0000000006152000-memory.dmp, Filesize: 72KB
- memory/4176-145-0x00000000061A0000-0x00000000061DC000-memory.dmp, Filesize: 240KB
- memory/4176-140-0x0000000005BD0000-0x0000000005C62000-memory.dmp, Filesize: 584KB
- memory/4176-141-0x0000000006280000-0x0000000006824000-memory.dmp, Filesize: 5.6MB
- memory/4176-139-0x0000000000E50000-0x0000000001C5A000-memory.dmp, Filesize: 14.0MB
- memory/4176-134-0x0000000000E50000-0x0000000001C5A000-memory.dmp, Filesize: 14.0MB
- memory/4176-131-0x0000000000000000-mapping.dmp
- memory/4176-151-0x0000000000E50000-0x0000000001C5A000-memory.dmp, Filesize: 14.0MB
- memory/4176-152-0x00000000773E0000-0x0000000077583000-memory.dmp, Filesize: 1.6MB
- memory/4680-150-0x0000000000000000-mapping.dmp