Analysis

  • max time kernel
    73s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 02:30

General

  • Target

    b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe

  • Size

    541KB

  • MD5

    cf606a21fd97cb1fdb844526f9341167

  • SHA1

    6526497f5fb86519bbe71b23f791187679e0b2e5

  • SHA256

    b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57

  • SHA512

    cd71158c321613c15bb7e2c5e15d5b92d3b9e9f003d0c86990497702c234418988917d09ebe595f38b65f9d1b1e81b52d2bd79a1e944699b6d5d0e66eb88ce5c

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (2 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer (4 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe
    "C:\Users\Admin\AppData\Local\Temp\b2eb3021cbedb92df73aaf960a14c73f01ffc9b07f39e4052f679414ae983b57.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Roaming\lnchr.exe
      C:\Users\Admin\AppData\Roaming\lnchr.exe jdjsvbusje
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C taskkill /F /PID 4176 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\lnchr.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3860
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /PID 4176
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          PID:4680

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
  • Discovery
    Query Registry (2) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (2) T1082
  • Command and Control
    Web Service (1) T1102


Downloads

  • C:\Users\Admin\AppData\Roaming\lnchr.exe
    Filesize

    2.1MB

    MD5

    a888775e94b3477988e4342e81fb4384

    SHA1

    142f31918ac691851881b39a870e2a8c2f71ac76

    SHA256

    612b4bf447ae37ff9677c9818f6a70833206ecddbd06246f4c9b3f2151d15302

    SHA512

    0791fbbc4223e32c6854623676744d47ac3e4e53084fba19dcdc9968ef581aaaf1d8f190a42ee6e651d407ed9b9d7b3df57dc18fb55add967cca12ff4b257835


  • memory/1200-149-0x0000000000000000-mapping.dmp
  • memory/2636-146-0x0000000140000000-0x0000000140168000-memory.dmp
    Filesize

    1.4MB

  • memory/2636-153-0x0000000140000000-0x0000000140168000-memory.dmp
    Filesize

    1.4MB

  • memory/2636-130-0x0000000140000000-0x0000000140168000-memory.dmp
    Filesize

    1.4MB

  • memory/3860-148-0x0000000000000000-mapping.dmp
  • memory/4176-136-0x00000000773E0000-0x0000000077583000-memory.dmp
    Filesize

    1.6MB

  • memory/4176-147-0x0000000006950000-0x0000000006A5A000-memory.dmp
    Filesize

    1.0MB

  • memory/4176-142-0x0000000005D40000-0x0000000005DA6000-memory.dmp
    Filesize

    408KB

  • memory/4176-143-0x0000000006E50000-0x0000000007468000-memory.dmp
    Filesize

    6.1MB

  • memory/4176-144-0x0000000006140000-0x0000000006152000-memory.dmp
    Filesize

    72KB

  • memory/4176-145-0x00000000061A0000-0x00000000061DC000-memory.dmp
    Filesize

    240KB

  • memory/4176-140-0x0000000005BD0000-0x0000000005C62000-memory.dmp
    Filesize

    584KB

  • memory/4176-141-0x0000000006280000-0x0000000006824000-memory.dmp
    Filesize

    5.6MB

  • memory/4176-139-0x0000000000E50000-0x0000000001C5A000-memory.dmp
    Filesize

    14.0MB

  • memory/4176-134-0x0000000000E50000-0x0000000001C5A000-memory.dmp
    Filesize

    14.0MB

  • memory/4176-131-0x0000000000000000-mapping.dmp
  • memory/4176-151-0x0000000000E50000-0x0000000001C5A000-memory.dmp
    Filesize

    14.0MB

  • memory/4176-152-0x00000000773E0000-0x0000000077583000-memory.dmp
    Filesize

    1.6MB

  • memory/4680-150-0x0000000000000000-mapping.dmp