Report tabs (tab | platform | score)
Overview | - | 10
Static | - | 3
Kiddions_m...nu.exe | windows7-x64 | 10
Kiddions_m...nu.exe | windows10-2004-x64 | 10
Kiddions_m...d.html | windows7-x64 | 1
Kiddions_m...d.html | windows10-2004-x64 | 1
Kiddions_m...typing | ubuntu-18.04-amd64 | 1
Kiddions_m...typing | debian-9-armhf | 1
Kiddions_m...typing | debian-9-mips | 1
Kiddions_m...typing | debian-9-mipsel | 1
Kiddions_m...ry.pdf | windows7-x64 | 1
Kiddions_m...ry.pdf | windows10-2004-x64 | 1
Kiddions_m...ck.exe | windows7-x64 | 7
Kiddions_m...ck.exe | windows10-2004-x64 | 7
Kiddions_m...ng.pdf | windows7-x64 | 1
Kiddions_m...ng.pdf | windows10-2004-x64 | 1
Kiddions_m...er.pdf | windows7-x64 | 1
Kiddions_m...er.pdf | windows10-2004-x64 | 1
Kiddions_m...er.pdf | windows7-x64 | 1
Kiddions_m...er.pdf | windows10-2004-x64 | 1
Kiddions_m...ic.pdf | windows7-x64 | 1
Kiddions_m...ic.pdf | windows10-2004-x64 | 1
Kiddions_m...ne.pdf | windows7-x64 | 1
Kiddions_m...ne.pdf | windows10-2004-x64 | 1
Kiddions_m...rt.pdf | windows7-x64 | 1
Kiddions_m...rt.pdf | windows10-2004-x64 | 1
Kiddions_m...ed.pdf | windows7-x64 | 1
Kiddions_m...ed.pdf | windows10-2004-x64 | 1
Kiddions_m...an.pdf | windows7-x64 | 1
Kiddions_m...an.pdf | windows10-2004-x64 | 1
Kiddions_m...on.pdf | windows7-x64 | 1
Kiddions_m...on.pdf | windows10-2004-x64 | 1
Kiddions_m...ne.pdf | windows7-x64 | 1
Kiddions_m...ne.pdf | windows10-2004-x64 | 1

Analysis
max time kernel: 144s
max time network: 171s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2022 06:51
Behavioral tasks (task | sample | resource)
behavioral1 | Kiddions_menu/Kiddions_menu.exe | win7-20220812-en
behavioral2 | Kiddions_menu/Kiddions_menu.exe | win10v2004-20220812-en
behavioral3 | Kiddions_menu/Readme.md/lib/pdf/reader/afm/MustRead.html | win7-20220812-en
behavioral4 | Kiddions_menu/Readme.md/lib/pdf/reader/afm/MustRead.html | win10v2004-20220812-en
behavioral5 | Kiddions_menu/Readme.md/scripts/require-strict-typing | ubuntu1804-amd64-en-20211208
behavioral6 | Kiddions_menu/Readme.md/scripts/require-strict-typing | debian9-armhf-en-20211208
behavioral7 | Kiddions_menu/Readme.md/scripts/require-strict-typing | debian9-mipsbe-en-20211208
behavioral8 | Kiddions_menu/Readme.md/scripts/require-strict-typing | debian9-mipsel-20221111-en
behavioral9 | Kiddions_menu/Readme.md/spec/data/20070313 - 2nd Laptop Battery.pdf | win7-20221111-en
behavioral10 | Kiddions_menu/Readme.md/spec/data/20070313 - 2nd Laptop Battery.pdf | win10v2004-20221111-en
behavioral11 | Kiddions_menu/Readme.md/spec/data/Genshin Impact hack.exe | win7-20221111-en
behavioral12 | Kiddions_menu/Readme.md/spec/data/Genshin Impact hack.exe | win10v2004-20221111-en
behavioral13 | Kiddions_menu/Readme.md/spec/data/TJ_and_char_spacing.pdf | win7-20221111-en
behavioral14 | Kiddions_menu/Readme.md/spec/data/TJ_and_char_spacing.pdf | win10v2004-20221111-en
behavioral15 | Kiddions_menu/Readme.md/spec/data/TJ_starts_with_a_number.pdf | win7-20221111-en
behavioral16 | Kiddions_menu/Readme.md/spec/data/TJ_starts_with_a_number.pdf | win10v2004-20221111-en
behavioral17 | Kiddions_menu/Readme.md/spec/data/ascii85_filter.pdf | win7-20220812-en
behavioral18 | Kiddions_menu/Readme.md/spec/data/ascii85_filter.pdf | win10v2004-20220812-en
behavioral19 | Kiddions_menu/Readme.md/spec/data/cairo-basic.pdf | win7-20220812-en
behavioral20 | Kiddions_menu/Readme.md/spec/data/cairo-basic.pdf | win10v2004-20220812-en
behavioral21 | Kiddions_menu/Readme.md/spec/data/cairo-multiline.pdf | win7-20220901-en
behavioral22 | Kiddions_menu/Readme.md/spec/data/cairo-multiline.pdf | win10v2004-20220812-en
behavioral23 | Kiddions_menu/Readme.md/spec/data/cairo-unicode-short.pdf | win7-20220812-en
behavioral24 | Kiddions_menu/Readme.md/spec/data/cairo-unicode-short.pdf | win10v2004-20220812-en
behavioral25 | Kiddions_menu/Readme.md/spec/data/clearscan-with-image-removed.pdf | win7-20220812-en
behavioral26 | Kiddions_menu/Readme.md/spec/data/clearscan-with-image-removed.pdf | win10v2004-20220812-en
behavioral27 | Kiddions_menu/Readme.md/spec/data/clearscan.pdf | win7-20220812-en
behavioral28 | Kiddions_menu/Readme.md/spec/data/clearscan.pdf | win10v2004-20220812-en
behavioral29 | Kiddions_menu/Readme.md/spec/data/column_integration.pdf | win7-20221111-en
behavioral30 | Kiddions_menu/Readme.md/spec/data/column_integration.pdf | win10v2004-20220812-en
behavioral31 | Kiddions_menu/Readme.md/spec/data/content_stream_begins_with_newline.pdf | win7-20220812-en
behavioral32 | Kiddions_menu/Readme.md/spec/data/content_stream_begins_with_newline.pdf | win10v2004-20220812-en
General
Target: Kiddions_menu/Kiddions_menu.exe
Size: 218KB
MD5: a6ada6ba29f4fbf8c20cceddadcff9b8
SHA1: d90b28467760b83cf30ebba26c9cd87737efa488
SHA256: cff44386905033da5a33ea46b174af26fbf8f8ad02de7eebbb3d59c33bec0f7d
SHA512: 0d007923f753af84b20f1ac1585c6892abecb8f7694069f7ff6abacdb2178d065bd8dd94cc7479dcf8add7918d9d32221513b2e24821dd07f260a0eb7cebf0ca
SSDEEP: 6144:MuBvroUuFpBnLgf+NkUeP8TcmTzajX8M6EOudI:MCcUWjnLZ/ePicmTz+8MjOue
Malware Config
Extracted
Family: redline
C2: 193.106.191.160:8673
auth_value: e90ee6e281f917587c9bc282e17aa665
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1516-56-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/1516-61-0x000000000042281E-mapping.dmp | family_redline
behavioral1/memory/1516-62-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline
behavioral1/memory/1516-63-0x0000000000400000-0x0000000000428000-memory.dmp | family_redline

Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
Processes: Kiddions_menu.exe
description | pid | process | target process
PID 1536 set thread context of 1516 | 1536 | Kiddions_menu.exe | vbc.exe

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
988 | 1536 | WerFault.exe | Kiddions_menu.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: vbc.exe
pid | process
1516 | vbc.exe
1516 | vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: vbc.exe
description | pid | process
Token: SeDebugPrivilege | 1516 | vbc.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: Kiddions_menu.exe
description | pid | process | target process
PID 1536 wrote to memory of 1516 | 1536 | Kiddions_menu.exe | vbc.exe
PID 1536 wrote to memory of 1516 | 1536 | Kiddions_menu.exe | vbc.exe
PID 1536 wrote to memory of 1516 | 1536 | Kiddions_menu.exe | vbc.exe
PID 1536 wrote to memory of 1516 | 1536 | Kiddions_menu.exe | vbc.exe
PID 1536 wrote to memory of 1516 | 1536 | Kiddions_menu.exe | vbc.exe
PID 1536 wrote to memory of 1516 | 1536 | Kiddions_menu.exe | vbc.exe
PID 1536 wrote to memory of 988 | 1536 | Kiddions_menu.exe | WerFault.exe
PID 1536 wrote to memory of 988 | 1536 | Kiddions_menu.exe | WerFault.exe
PID 1536 wrote to memory of 988 | 1536 | Kiddions_menu.exe | WerFault.exe
PID 1536 wrote to memory of 988 | 1536 | Kiddions_menu.exe | WerFault.exe
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\Kiddions_menu\Kiddions_menu.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Kiddions_menu\Kiddions_menu.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 36
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (file | filesize)
memory/988-64-0x0000000000000000-mapping.dmp | -
memory/1516-54-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1516-56-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1516-61-0x000000000042281E-mapping.dmp | -
memory/1516-62-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1516-63-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1516-65-0x0000000075CF1000-0x0000000075CF3000-memory.dmp | 8KB