Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 389KB
MD5: 27923f661f1fcafca76b0d4acf4e3f50
SHA1: 8229a8d9ceb303930534467d46322149265c4723
SHA256: 581c8579e88b5cf136ec0ad2d061df9a4af395f253d33e570db2860623ea57d9
SHA512: d3088f7575ff666f38e711f2373d9e826a3201565834425a8653edf475f994da510e3bcb643b2ca436a6752adf6300c04e436247d94ab4841d8e5d08d0d52f0a
SSDEEP: 6144:xdGYzso7zz7JlNPvAlSnaNnDhovpFhuMBuiGbD6J8ZrnF8iofrS/s3FL0TPo:xEYLlhySnAsnqzlnFuL0b
Malware Config
Extracted family: redline
Botnet: Lyla.22.11
C2: 185.215.113.216:21921
auth_value: 4e1560b379e71c6ab6ae277b9d4c6895
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (1 IoC)
  PID 560   Lyla2211.exe

Loads dropped DLL (1 IoC)
  PID 1640  file.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data such as saved credentials, cookies and autofill entries.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate installed software.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; in an infostealer such as RedLine, drive enumeration is more plausibly host profiling and file collection than a ransomware precursor.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 560   Lyla2211.exe
  PID 560   Lyla2211.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1640  file.exe
  Token: SeDebugPrivilege  PID 560   Lyla2211.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1640 (file.exe) wrote to memory of PID 560 (Lyla2211.exe), recorded four times
The parent writes into the memory of the child it dropped to C:\Windows\Temp before that child's own activity (process enumeration, privilege adjustment) appears.
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Temp\Lyla2211.exe (child of 1)
      Command line: "C:\Windows\Temp\Lyla2211.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
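The parent/child chain, the cross-process write and the extracted C2 endpoint above are the parts of this report that translate directly into host detection logic. The following is an added example, not part of the sandbox report: it runs four rules over constructed Sysmon-style events (dicts whose field names follow Sysmon's EventID 1, 3 and 10 schema; the events themselves are made up for this example) and flags the behaviours the report attributes to file.exe and Lyla2211.exe. The hashes and C2 are copied from the report; the path patterns and access-mask check are the editor's assumptions about how this chain would look in telemetry.

```python
import re

# Indicators taken from the report above (C2 from the extracted config, SHA256
# of the submitted sample and of the dropped Lyla2211.exe).
C2_IP, C2_PORT = "185.215.113.216", 21921
KNOWN_SHA256 = {
    "581c8579e88b5cf136ec0ad2d061df9a4af395f253d33e570db2860623ea57d9": "file.exe (submitted sample)",
    "6d979cf2150d9fc4c694ea93c93d8a87aeccb541caec3003651f87f65b498154": "Lyla2211.exe (dropped)",
}

# Path patterns for the two stages of the chain (assumption: the chain runs
# from the user's %TEMP% into C:\Windows\Temp as in the report).
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_TEMP = re.compile(r"^c:\\windows\\temp\\", re.I)
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory requires


def rule_drop_chain(ev):
    # Sysmon EventID 1: image under C:\Windows\Temp whose parent runs from the user's %TEMP%.
    if ev.get("EventID") != 1:
        return None
    if WINDOWS_TEMP.match(ev["Image"]) and USER_TEMP.match(ev["ParentImage"]):
        return "drop chain: %s -> %s" % (ev["ParentImage"], ev["Image"])
    return None


def rule_known_hash(ev):
    # Sysmon EventID 1: image SHA256 matches a file from the report (case-insensitive).
    if ev.get("EventID") != 1:
        return None
    label = KNOWN_SHA256.get(ev.get("SHA256", "").lower())
    return "known hash: %s is %s" % (ev["Image"], label) if label else None


def rule_cross_process_write(ev):
    # Sysmon EventID 10: a %TEMP% process opens a C:\Windows\Temp process with
    # PROCESS_VM_WRITE in the granted mask; Sysmon logs GrantedAccess as hex text.
    if ev.get("EventID") != 10:
        return None
    granted = int(ev["GrantedAccess"], 16)
    if (granted & PROCESS_VM_WRITE and USER_TEMP.match(ev["SourceImage"])
            and WINDOWS_TEMP.match(ev["TargetImage"])):
        return "cross-process write: %s -> %s" % (ev["SourceImage"], ev["TargetImage"])
    return None


def rule_c2(ev):
    # Sysmon EventID 3: outbound connection to the extracted C2 endpoint.
    if ev.get("EventID") != 3:
        return None
    if ev["DestinationIp"] == C2_IP and int(ev["DestinationPort"]) == C2_PORT:
        return "C2 connection: %s -> %s:%s" % (ev["Image"], C2_IP, C2_PORT)
    return None


RULES = (rule_drop_chain, rule_known_hash, rule_cross_process_write, rule_c2)


def scan(events):
    """Return every rule hit, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed events mirroring the report's chain, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1640, "Image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "SHA256": "581C8579E88B5CF136EC0AD2D061DF9A4AF395F253D33E570DB2860623EA57D9"},
    {"EventID": 1, "ProcessId": 560, "Image": r"C:\Windows\Temp\Lyla2211.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "SHA256": "6d979cf2150d9fc4c694ea93c93d8a87aeccb541caec3003651f87f65b498154"},
    {"EventID": 10, "SourceImage": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "TargetImage": r"C:\Windows\Temp\Lyla2211.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\Lyla2211.exe",
     "DestinationIp": "185.215.113.216", "DestinationPort": "21921"},
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "SHA256": "0" * 64},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h)
```

The hash and C2 rules are the brittle ones: a rebuilt sample or a rotated C2 evades both. The drop-chain and cross-process-write rules key on the behaviour the report records (a %TEMP% binary spawning and writing into a C:\Windows\Temp binary) and survive those changes, at the cost of needing a baseline for legitimate installers that use the same directories.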
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\Temp\Lyla2211.exe (the same file is also listed as \Windows\Temp\Lyla2211.exe; identical hashes)
Filesize: 199KB
MD5: f3328099e8d1f53b20e4e59c0c2c0603
SHA1: 7922e1a1365eeccb099a39f05b7cf23786130dd9
SHA256: 6d979cf2150d9fc4c694ea93c93d8a87aeccb541caec3003651f87f65b498154
SHA512: 6aac667a06c61e68d79ff08f319f7d234dded2dec75c5ffd5112b8f9a59859f37dc4d7fdbadfd8db40757e85eb64ef4044dac2ce66fb9e9a4c6131dd70a3d408
memory/560-58-0x0000000000000000-mapping.dmp
memory/560-61-0x0000000001170000-0x00000000011A8000-memory.dmp   Filesize: 224KB
memory/1640-54-0x0000000000AA0000-0x0000000000B08000-memory.dmp  Filesize: 416KB
memory/1640-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp  Filesize: 8KB
memory/1640-56-0x0000000000C80000-0x0000000000CB8000-memory.dmp  Filesize: 224KB