Overview

overview

10

Static

static

096eb357e1...e9.exe

windows7-x64

10

096eb357e1...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    096eb357e1d8c5141282b72929ae77e9.exe

  • Size

    666KB

  • MD5

    096eb357e1d8c5141282b72929ae77e9

  • SHA1

    1eff9fa176bf1744c56f996442755221e3147427

  • SHA256

    f3f7fa2e6ad4bfa9c3ab22fbe8056d8d1d9cb8a2c0221dd094892027ce1fed4e

  • SHA512

    445985159f5d9a553c2591572f56faafdc1509b73a6e309d5ac58888eacabbf6633237771aacf16c4bb1d5bf06b8d11c7aa9324d09f74a3a9a69050391a651ae

  • SSDEEP

    6144:81KMo5oZQj/nnj6dWwsoyyQU/R8MqOwz14094BMDq+W9EE:87ij/nnch3yOjc1F94eiEE

Score
10/10
redlinelyla4.22.11discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

Lyla4.22.11

C2

185.215.113.216:21921

Attributes
  • auth_value

    f7fecd92e1cc04a774215731b3bf2e9a

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\096eb357e1d8c5141282b72929ae77e9.exe
    "C:\Users\Admin\AppData\Local\Temp\096eb357e1d8c5141282b72929ae77e9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\Temp\Lyla42211.exe
      "C:\Windows\Temp\Lyla42211.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\Lyla42211.exe
    Filesize

    200KB

    MD5

    396be02b5a8968f891420ecaf7831bcc

    SHA1

    27417d7d14690697ecaa8fb1ff51da860492946e

    SHA256

    2b20128923b2d4372e4f5c6a4803fef3fe26cd666e82598133d39088530b5e7f

    SHA512

    48314fd91396611f17440336d297f9aa9d7a6ffb2855100e3d91e3c656ed0dcc926c57e7f3929ea00e38d852c59641edb360713225273f9ba9250c1c7c5028d0

    Download Submit

  • C:\Windows\Temp\Lyla42211.exe
    Filesize

    200KB

    MD5

    396be02b5a8968f891420ecaf7831bcc

    SHA1

    27417d7d14690697ecaa8fb1ff51da860492946e

    SHA256

    2b20128923b2d4372e4f5c6a4803fef3fe26cd666e82598133d39088530b5e7f

    SHA512

    48314fd91396611f17440336d297f9aa9d7a6ffb2855100e3d91e3c656ed0dcc926c57e7f3929ea00e38d852c59641edb360713225273f9ba9250c1c7c5028d0

    Download Submit

  • memory/1780-140-0x0000000005660000-0x000000000569C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1780-141-0x0000000005990000-0x0000000005A22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1780-136-0x0000000000D60000-0x0000000000D96000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1780-137-0x0000000005B20000-0x0000000006138000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1780-138-0x00000000055C0000-0x00000000055D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1780-139-0x00000000056F0000-0x00000000057FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1780-148-0x0000000007860000-0x0000000007D8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1780-133-0x0000000000000000-mapping.dmp

    Download

  • memory/1780-142-0x00000000066F0000-0x0000000006C94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1780-143-0x0000000005A30000-0x0000000005A96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1780-144-0x0000000006640000-0x00000000066B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1780-145-0x00000000065C0000-0x00000000065DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1780-146-0x0000000006E40000-0x0000000006E90000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1780-147-0x0000000007160000-0x0000000007322000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2564-132-0x0000000000620000-0x00000000006CC000-memory.dmp

    Filesize

    688KB

    Download