Analysis
-
max time kernel
136s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
25-07-2022 05:28
Behavioral task
behavioral1
Sample
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe
Resource
win10v2004-20220721-en
General
-
Target
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe
-
Size
2.9MB
-
MD5
63668401a2060becb1b30dd29a3e5902
-
SHA1
dbc2b76ffefad19270bcf27211332445f06c051f
-
SHA256
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0
-
SHA512
172ea86dd06e1ab54097ca495adead976504fc02a477de8ffa3b7a7fd4a8311210405db0cec3724ac71c9f1e59bb2a89f53669a96f3ad059f75af11c49bb715c
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1652-133-0x00000000002C0000-0x0000000000956000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe -
Processes:
resource yara_rule behavioral2/memory/1652-133-0x00000000002C0000-0x0000000000956000-memory.dmp themida -
Processes:
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exepid process 1652 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exepid process 1652 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe 1652 562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe"C:\Users\Admin\AppData\Local\Temp\562497367bdb4891a14d99b34a41bfa6ae56aa0c4f1514691f5c089c852953d0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1652-130-0x00000000002C0000-0x0000000000956000-memory.dmpFilesize
6.6MB
-
memory/1652-133-0x00000000002C0000-0x0000000000956000-memory.dmpFilesize
6.6MB
-
memory/1652-134-0x00000000776D0000-0x0000000077873000-memory.dmpFilesize
1.6MB
-
memory/1652-135-0x0000000005FB0000-0x00000000065C8000-memory.dmpFilesize
6.1MB
-
memory/1652-136-0x0000000005800000-0x0000000005812000-memory.dmpFilesize
72KB
-
memory/1652-137-0x0000000005990000-0x0000000005A9A000-memory.dmpFilesize
1.0MB
-
memory/1652-138-0x0000000005860000-0x000000000589C000-memory.dmpFilesize
240KB
-
memory/1652-139-0x00000000002C0000-0x0000000000956000-memory.dmpFilesize
6.6MB
-
memory/1652-140-0x00000000776D0000-0x0000000077873000-memory.dmpFilesize
1.6MB