Analysis
- max time kernel: 128s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 06-02-2023 09:10
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe
  - Resource: win7-20221111-en
- Behavioral task: behavioral2
  - Sample: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe
  - Resource: win10v2004-20221111-en
General
- Target: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe
- Size: 337KB
- MD5: 6150810b4e431d83eee91e479ca2d066
- SHA1: 743a3c7a2807a5df285bae8fa8151e6c182945dc
- SHA256: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb
- SHA512: d734c075aa4eb8f4e2610ea8efc8a868741f340c92711c6475afb9bda88a0affc5b88156dead1157c4904355d90b8bec7c7181c13966b83b7e192b139b6dda04
- SSDEEP: 6144:4hEN7+Lp0yN90QEyh7FDDiLg3bhhQrD8kUgLzx1lXcV3mixJyJj2LM:4G7/y90sVVWLche/mGtmWiO5W
Malware Config
Extracted
- Family: redline
- Botnet: france
- C2: 193.233.20.5:4136
- auth_value: 827023aa27bcc1cc2382e4d111feec6f
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: loda.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | loda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | loda.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (3 IoCs)
Processes: hook.exe, loda.exe, nark.exe

pid | process
1772 | hook.exe
1452 | loda.exe
660 | nark.exe
-
Loads dropped DLL (5 IoCs)
Processes: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe, hook.exe, nark.exe

pid | process
1244 | af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe
1772 | hook.exe
1772 | hook.exe
1772 | hook.exe
660 | nark.exe
-
Windows security modification
Processes: loda.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | loda.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | loda.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe, hook.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | hook.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | hook.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: loda.exe

pid | process
1452 | loda.exe
1452 | loda.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: loda.exe

description | pid | process
Token: SeDebugPrivilege | 1452 | loda.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe, hook.exe

description | pid | process | target process | occurrences
PID 1244 wrote to memory of 1772 | 1244 | af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe | hook.exe | 7
PID 1772 wrote to memory of 1452 | 1772 | hook.exe | loda.exe | 7
PID 1772 wrote to memory of 660 | 1772 | hook.exe | nark.exe | 7
Processes
- C:\Users\Admin\AppData\Local\Temp\af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe (PID 1244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\af7d617cb4151d5e372d775b98fa96038cd317d1bf73bee6481987bdaf0aa1fb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hook.exe (PID 1772, child of 1244)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hook.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\loda.exe (PID 1452, child of 1772)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\loda.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nark.exe (PID 660, child of 1772)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nark.exe
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hook.exe
- Filesize: 192KB
- MD5: d8028bbb7acea0336f7a6460afc91ef9
- SHA1: 88e29390d07fe9e146b4c1cf1167ec0079c0ac61
- SHA256: 11ccf4ee0cb1a1883267f31068a7b6c1e05c0c1068d5731b543cde26f66fe3df
- SHA512: 096cad1701bac9eb50b1a16c6ad98a5f488561bccd122f49b662cd6e23d1405839d4c1421dfa64dccf67966e4c0eabe71c9dce200267877fb1e58760a0f6ff87
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\loda.exe
- Filesize: 11KB
- MD5: 7e93bacbbc33e6652e147e7fe07572a0
- SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
- SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
- SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nark.exe
- Filesize: 175KB
- MD5: 6991818e08082c4c140db502d2aff79f
- SHA1: 020ee1da61473dcd090805343601c1ae3d265032
- SHA256: aa0a99779ffa4aa30aa23c9dc9db17b250457c5902e7d06aa785be97d764c3d0
- SHA512: 3f02448363aabe7515f1225a3291fb1fa0185ca78a302d70dd611b7f73b1b317a486eef61c2a7489a0d4e43301fa20c5fa48cb62d26f3e20d87aaeceb8a82d3e
-
Memory dumps
- memory/660-67-0x0000000000000000-mapping.dmp
- memory/660-72-0x0000000001020000-0x0000000001052000-memory.dmp (Filesize: 200KB)
- memory/1244-54-0x0000000075291000-0x0000000075293000-memory.dmp (Filesize: 8KB)
- memory/1452-65-0x0000000000DE0000-0x0000000000DEA000-memory.dmp (Filesize: 40KB)
- memory/1452-62-0x0000000000000000-mapping.dmp
- memory/1772-56-0x0000000000000000-mapping.dmp