Analysis

max time kernel: 117s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-02-2023 17:42
Static task: static1
Behavioral task: behavioral1
Sample: ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Resource: win10v2004-20221111-en
General

Target: ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Size: 766KB
MD5: 9309efba2a7b7ac7f0cb727bf6df9ea2
SHA1: 8434e86093fe1bfdcc7956cab3769d1d297e8586
SHA256: ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4
SHA512: b541e1498e2cacfad78a30ab5fb86f4fc7136110616f80c9abc6dc4598ac72dc38ae668dd7b5d7adaa4d2a72ca59de906da7bd2178f40d12ce23b29a733b77b2
SSDEEP: 12288:mMrNy90XUIWIw/O5NCjxwNCvhzOAUAdf2YEh8NWl628SirVXsn:Tyu6WNAlvhUAgY3VSiVsn
Malware Config

Extracted: redline
  Botnet: dubna
  C2: 193.233.20.11:4131
  auth_value: f324b1269094b7462e56bab025f032f4

Extracted: redline
  Botnet: crypt
  C2: 176.113.115.17:4132
  auth_value: 407e05c9b3a74d99a20f90b091547bd6

Two separate RedLine configurations were extracted, each with its own botnet ID, C2 endpoint and auth_value, which is consistent with the dropper carrying two independently built stealer payloads. Both ip:port pairs and both auth_value strings are usable as network and memory indicators on their own.
Signatures

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: afs68.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (afs68.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  (afs68.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (afs68.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (afs68.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (afs68.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (afs68.exe)
These are the HKLM policy values that Defender reads for real-time protection; all five are written by afs68.exe, the 11KB stage dropped into IXP002.TMP.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 6 IoCs
Processes: dkw69.exe, dhc65.exe, afs68.exe, bCI01.exe, cFS13.exe, dkt78.exe
  PID 4832  dkw69.exe
  PID 4776  dhc65.exe
  PID 1256  afs68.exe
  PID 4576  bCI01.exe
  PID 2876  cFS13.exe
  PID 5000  dkt78.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (1 IoC)
Processes: afs68.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  (afs68.exe)
The sandbox records that these registry writes succeeded, not that protection was actually switched off. On a host where tamper protection is enabled, Defender does not honor the Real-Time Protection policy values written above and the Features\TamperProtection value cannot be cleared from an ordinary process, so on a hardened machine this signature documents intent rather than outcome. When triaging a live host, confirm the real state with Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled) rather than by reading the registry.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
Processes: ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe, dkw69.exe, dhc65.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (dkw69.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (dkw69.exe)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (dhc65.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  (dhc65.exe)
The three RunOnce values are the standard wextract (IExpress self-extractor) cleanup hook: rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at the next logon. They do not re-launch anything, so this signature is not evidence of durable persistence here. What the entries do show, together with the nested IXP000/IXP001/IXP002 paths, is that the sample is three self-extracting cabinet layers, each unpacking the next stage into its own temporary directory.
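The registry records in the Defender signatures above and in this Run-key signature are printed by the sandbox as flat "Set value ... / Key created ..." strings. The following Python is an added example (not part of the report or of any sandbox tooling) that parses those strings and separates the Defender-disabling writes from the wextract cleanup entries, so that the one process that actually tampers with Defender can be pulled out of a long IOC list automatically. The category names, the Finding class and the regular expressions are this example's own; the input records are copied from this report.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Registry IOC records copied from this report's "Modifies Windows Defender
# Real-time Protection settings", "Windows security modification" and
# "Adds Run key to start application" signatures, one record per line.
REPORT_REGISTRY_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" afs68.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection afs68.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" afs68.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" afs68.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" afs68.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" afs68.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" afs68.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce dkw69.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" dkw69.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce dhc65.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" dhc65.exe
'''

# Record shapes used by the sandbox. The key path may contain spaces, the value may
# contain escaped quotes, and the process name is always the last whitespace-free token.
SET_RE = re.compile(r'^Set value \((?P<kind>int|str)\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\ ]+) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.*) (?P<proc>\S+)$')

# Category labels are this example's own, not sandbox signature names.
DEFENDER_TAMPER = "defender_tamper"    # a Defender policy/feature switched off
WEXTRACT_CLEANUP = "wextract_cleanup"  # IExpress self-extractor deleting its IXP*.TMP directory
RUN_KEY = "run_key"                    # any other Run/RunOnce value: real autostart persistence
KEY_CREATED = "key_created"


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    key: str
    name: str = ""
    value: str = ""


def parse_registry_iocs(text):
    """Turn the flattened report records into (op, key, name, value, process) tuples."""
    records = []
    for line in text.strip().splitlines():
        if m := SET_RE.match(line):
            records.append(("set", m["key"], m["name"], m["value"], m["proc"]))
        elif m := KEY_RE.match(line):
            records.append(("create", m["key"], "", "", m["proc"]))
        else:
            raise ValueError(f"unrecognised registry IOC record: {line!r}")
    return records


def classify(records):
    findings = []
    for op, key, name, value, proc in records:
        k = key.lower()
        if op == "create":
            findings.append(Finding(KEY_CREATED, proc, key))
        elif "\\windows defender\\" in k and (
            (name.startswith("Disable") and value == "1")
            or (name == "TamperProtection" and value == "0")
        ):
            findings.append(Finding(DEFENDER_TAMPER, proc, key, name, value))
        elif k.endswith(("\\run", "\\runonce")):
            cat = WEXTRACT_CLEANUP if "advpack.dll,delnoderundll32" in value.lower() else RUN_KEY
            findings.append(Finding(cat, proc, key, name, value))
        else:
            findings.append(Finding("other", proc, key, name, value))
    return findings


def summarize(text):
    """Category -> count for a block of report records."""
    return dict(Counter(f.category for f in classify(parse_registry_iocs(text))))


def defender_tampering_processes(text):
    """Processes that switched a Defender setting off: the stages worth pulling first."""
    return {f.process for f in classify(parse_registry_iocs(text)) if f.category == DEFENDER_TAMPER}
```

Run against this report's records, summarize() gives six defender_tamper findings, three wextract_cleanup findings and four key_created entries, and defender_tampering_processes() names only afs68.exe; none of the Run-key records lands in the run_key category, which is the point of telling the wextract hook apart from a real autostart entry.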
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes: dkt78.exe
  PID 5000 dkt78.exe set thread context of PID 3512 AppLaunch.exe

Program crash 1 IoCs
Processes: WerFault.exe
  PID 112 WerFault.exe, target PID 2876 cFS13.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: afs68.exe, bCI01.exe, cFS13.exe, AppLaunch.exe
  PID 1256 afs68.exe (2)
  PID 4576 bCI01.exe (2)
  PID 2876 cFS13.exe (2)
  PID 3512 AppLaunch.exe (2)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: afs68.exe, bCI01.exe, cFS13.exe, AppLaunch.exe
  Token: SeDebugPrivilege  PID 1256 afs68.exe
  Token: SeDebugPrivilege  PID 4576 bCI01.exe
  Token: SeDebugPrivilege  PID 2876 cFS13.exe
  Token: SeDebugPrivilege  PID 3512 AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs
Processes: ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe, dkw69.exe, dhc65.exe, dkt78.exe
  PID 4876 ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe -> PID 4832 dkw69.exe  (3 writes)
  PID 4832 dkw69.exe -> PID 4776 dhc65.exe  (3 writes)
  PID 4776 dhc65.exe -> PID 1256 afs68.exe  (2 writes)
  PID 4776 dhc65.exe -> PID 4576 bCI01.exe  (3 writes)
  PID 4832 dkw69.exe -> PID 2876 cFS13.exe  (3 writes)
  PID 4876 ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe -> PID 5000 dkt78.exe  (3 writes)
  PID 5000 dkt78.exe -> PID 3512 AppLaunch.exe  (5 writes)
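Read together, the SetThreadContext and WriteProcessMemory signatures describe one injection: dkt78.exe writes into AppLaunch.exe (the .NET Framework's signed application host) five times and then replaces its thread context, which is the process-hollowing pattern. The writes alone are not the signal, since every ordinary spawn in this report also shows two or three parent-to-child writes. The following Python is an added example (not code from the report or any sandbox) that parses both signatures, keeps only the pairs that combine writes with a context change, and reconstructs the spawn chain leading to the injected process. The KNOWN_HOSTS list and the record layout assumptions are this example's own; the records are copied from this report with the 64-character sample name substituted from the SAMPLE constant.

```python
import re
from collections import Counter

SAMPLE = "ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe"

# Records copied from this report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" signatures, one per line.
REPORT_INJECTION_IOCS = f"""
PID 5000 set thread context of 3512 5000 dkt78.exe AppLaunch.exe
PID 4876 wrote to memory of 4832 4876 {SAMPLE} dkw69.exe
PID 4876 wrote to memory of 4832 4876 {SAMPLE} dkw69.exe
PID 4876 wrote to memory of 4832 4876 {SAMPLE} dkw69.exe
PID 4832 wrote to memory of 4776 4832 dkw69.exe dhc65.exe
PID 4832 wrote to memory of 4776 4832 dkw69.exe dhc65.exe
PID 4832 wrote to memory of 4776 4832 dkw69.exe dhc65.exe
PID 4776 wrote to memory of 1256 4776 dhc65.exe afs68.exe
PID 4776 wrote to memory of 1256 4776 dhc65.exe afs68.exe
PID 4776 wrote to memory of 4576 4776 dhc65.exe bCI01.exe
PID 4776 wrote to memory of 4576 4776 dhc65.exe bCI01.exe
PID 4776 wrote to memory of 4576 4776 dhc65.exe bCI01.exe
PID 4832 wrote to memory of 2876 4832 dkw69.exe cFS13.exe
PID 4832 wrote to memory of 2876 4832 dkw69.exe cFS13.exe
PID 4832 wrote to memory of 2876 4832 dkw69.exe cFS13.exe
PID 4876 wrote to memory of 5000 4876 {SAMPLE} dkt78.exe
PID 4876 wrote to memory of 5000 4876 {SAMPLE} dkt78.exe
PID 4876 wrote to memory of 5000 4876 {SAMPLE} dkt78.exe
PID 5000 wrote to memory of 3512 5000 dkt78.exe AppLaunch.exe
PID 5000 wrote to memory of 3512 5000 dkt78.exe AppLaunch.exe
PID 5000 wrote to memory of 3512 5000 dkt78.exe AppLaunch.exe
PID 5000 wrote to memory of 3512 5000 dkt78.exe AppLaunch.exe
PID 5000 wrote to memory of 3512 5000 dkt78.exe AppLaunch.exe
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")

# Signed Microsoft .NET hosts that loaders commonly hollow. This list is an
# assumption of the example, not something the report states.
KNOWN_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
               "msbuild.exe", "aspnet_compiler.exe"}


def parse_injection_iocs(text):
    """Return (writes, ctx, names): write counts per (src, dst) PID pair, the set of
    pairs with a thread-context change, and a PID -> image-name map."""
    writes, ctx, names = Counter(), set(), {}
    for line in text.strip().splitlines():
        if m := WRITE_RE.match(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
        else:
            raise ValueError(f"unrecognised injection record: {line!r}")
        names[int(m[1])], names[int(m[2])] = m[3], m[4]
    return writes, ctx, names


def lineage(pid, writes, names):
    """Image names from the root of the tree down to pid, using write edges as
    parent links (the creating process writes into every child it spawns)."""
    chain = [pid]
    while parents := [s for (s, d) in writes if d == chain[0] and s not in chain]:
        chain.insert(0, parents[0])
    return [names[p] for p in chain]


def hollowing_candidates(writes, ctx, names):
    """Pairs that both wrote into the target and then replaced its thread context."""
    out = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0:
            continue  # context change without a prior write is not the hollowing pattern
        out.append({
            "source": names[src], "target": names[dst], "target_pid": dst,
            "writes": writes[(src, dst)],
            "known_host": names[dst].lower() in KNOWN_HOSTS,
            "lineage": lineage(dst, writes, names),
        })
    return out
```

For this report the only candidate is dkt78.exe -> AppLaunch.exe (PID 3512, five writes), with the lineage sample -> dkt78.exe -> AppLaunch.exe. Because AppLaunch.exe on disk is Microsoft's own signed binary, hashing it tells you nothing; the process enumeration and SeDebugPrivilege that the report attributes to PID 3512 come from the injected code, and the place to look for it is the memory dump the sandbox took from that PID (memory/3512-173, 200KB).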
Processes

C:\Users\Admin\AppData\Local\Temp\ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe  (PID 4876)
  command line: "C:\Users\Admin\AppData\Local\Temp\ecfc9574a8374cbcb50a05df9af0ac5ac4d6247e0434548867e18a467fdda2f4.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkw69.exe  (PID 4832)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dhc65.exe  (PID 4776)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afs68.exe  (PID 1256)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bCI01.exe  (PID 4576)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFS13.exe  (PID 2876)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe  (PID 112)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1320
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkt78.exe  (PID 5000)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3512)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2876 -ip 2876
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkt78.exe
  Filesize: 283KB
  MD5:    457dcca2cfa8e1592521e4bc580d2097
  SHA1:   de855fa7934126fd1cde834b752999ebe79e367f
  SHA256: 54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc
  SHA512: d15709dd44e184612a86e7201c78887771e7cc062e8b4daf83c5bbf1d6dd74320e8c5058cde295d412d8e5b135f8686f8ed56aa9aa2a439b022319e6723bb752

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkw69.exe
  Filesize: 533KB
  MD5:    e01375023cf173027afed87a31a236a2
  SHA1:   c34f08fb74a9c65880281930feb42331dbe0cc41
  SHA256: 816fbd0d96481e375d9c459dc6facfb3258c033745e9ec9bc0df45555e7d1ed4
  SHA512: 80418091b09b0568abc293e759bcbe5fdf49678fe51ac2f943e10f9007be26958401ab405bff246e930fe7a3cdbfc3a72f23fd1bd73c69ed4022485823b53ffd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFS13.exe
  Filesize: 294KB
  MD5:    9cb6d089c5dbcb55ff923bd6284fbcb7
  SHA1:   8c7b12dba74c380b009a0709ecc916bd724b2958
  SHA256: b574767f81c77eee3e648805547b525692645f122b6bfd2461790c506ba7e339
  SHA512: f9cdc7f8272ab230056534c587de70ecd41e62814c44f6861b50218237ab0142a3d2451cd1ab9058866eca5ca29db4558b76d2bbc668a333043b8e31bee5dfe3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dhc65.exe
  Filesize: 202KB
  MD5:    1cf1aa71c805152b1e49d65fa15502b0
  SHA1:   c8cbe4faca8f10efe62d64b8c52edf4d84b8b9d2
  SHA256: 303a6ffa2e0f8e0a0db12ef102064970ec575a44ae3480d427695ab845d6867e
  SHA512: d469e7b0e02b2b350fab8f8e67a084dd6756e7da88c056b37b762a381cf35f8654945423aed2bd4bdc8dbc8e41cddf26aa7c5cc026406a75862af3f27c786beb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afs68.exe
  Filesize: 11KB
  MD5:    7e93bacbbc33e6652e147e7fe07572a0
  SHA1:   421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bCI01.exe
  Filesize: 175KB
  MD5:    ef8079cf160510d0da7162bc08f753d8
  SHA1:   e786cc8bee83e4a37433ddccf9d3540e1f6533fe
  SHA256: a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6
  SHA512: 959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3
PID 1256 (afs68.exe)
  memory/1256-138-0x0000000000000000-mapping.dmp
  memory/1256-141-0x0000000000D00000-0x0000000000D0A000-memory.dmp  40KB
  memory/1256-142-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp  10.8MB
  memory/1256-143-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp  10.8MB
  memory/1256-144-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp  10.8MB

PID 2876 (cFS13.exe)
  memory/2876-160-0x0000000000000000-mapping.dmp
  memory/2876-163-0x00000000005C4000-0x00000000005F3000-memory.dmp  188KB
  memory/2876-164-0x00000000021F0000-0x000000000223B000-memory.dmp  300KB
  memory/2876-165-0x0000000000400000-0x0000000000579000-memory.dmp  1.5MB
  memory/2876-166-0x00000000005C4000-0x00000000005F3000-memory.dmp  188KB
  memory/2876-167-0x00000000005C4000-0x00000000005F3000-memory.dmp  188KB
  memory/2876-168-0x0000000000400000-0x0000000000579000-memory.dmp  1.5MB

PID 3512 (AppLaunch.exe)
  memory/3512-172-0x0000000000000000-mapping.dmp
  memory/3512-173-0x0000000000510000-0x0000000000542000-memory.dmp  200KB

PID 4576 (bCI01.exe)
  memory/4576-145-0x0000000000000000-mapping.dmp
  memory/4576-148-0x0000000000430000-0x0000000000462000-memory.dmp  200KB
  memory/4576-149-0x0000000005370000-0x0000000005988000-memory.dmp  6.1MB
  memory/4576-150-0x0000000004ED0000-0x0000000004FDA000-memory.dmp  1.0MB
  memory/4576-151-0x0000000004E00000-0x0000000004E12000-memory.dmp  72KB
  memory/4576-152-0x0000000004E80000-0x0000000004EBC000-memory.dmp  240KB
  memory/4576-153-0x0000000005C60000-0x0000000005CC6000-memory.dmp  408KB
  memory/4576-154-0x0000000006380000-0x0000000006924000-memory.dmp  5.6MB
  memory/4576-155-0x0000000005EB0000-0x0000000005F42000-memory.dmp  584KB
  memory/4576-156-0x0000000005FD0000-0x0000000006046000-memory.dmp  472KB
  memory/4576-157-0x0000000006050000-0x00000000060A0000-memory.dmp  320KB
  memory/4576-158-0x0000000006930000-0x0000000006AF2000-memory.dmp  1.8MB
  memory/4576-159-0x0000000007030000-0x000000000755C000-memory.dmp  5.2MB

PID 4776 (dhc65.exe)
  memory/4776-135-0x0000000000000000-mapping.dmp

PID 4832 (dkw69.exe)
  memory/4832-132-0x0000000000000000-mapping.dmp

PID 5000 (dkt78.exe)
  memory/5000-169-0x0000000000000000-mapping.dmp
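The dump names above encode the PID, a running index and the virtual address range that was captured, and the sandbox prints a rounded size beside each one. The following Python is an added example (not part of the report or of any sandbox tooling) that parses the names, recomputes each region's size from its address range and checks it against the printed value, collapses the repeated captures of the same range, and tells a 64-bit process from a 32-bit one by its address space. The PID-to-image map is taken from the process list above; the size-formatting rule is this example's reconstruction of what the report shows and is an assumption.

```python
import re

# Dump names and the sizes printed beside them, copied from this report.
# "mapping.dmp" entries carry no address range and no size.
REPORT_MEMORY_DUMPS = """
memory/1256-142-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp 10.8MB
memory/1256-138-0x0000000000000000-mapping.dmp
memory/1256-141-0x0000000000D00000-0x0000000000D0A000-memory.dmp 40KB
memory/1256-143-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp 10.8MB
memory/1256-144-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp 10.8MB
memory/2876-165-0x0000000000400000-0x0000000000579000-memory.dmp 1.5MB
memory/2876-168-0x0000000000400000-0x0000000000579000-memory.dmp 1.5MB
memory/2876-167-0x00000000005C4000-0x00000000005F3000-memory.dmp 188KB
memory/2876-166-0x00000000005C4000-0x00000000005F3000-memory.dmp 188KB
memory/2876-160-0x0000000000000000-mapping.dmp
memory/2876-164-0x00000000021F0000-0x000000000223B000-memory.dmp 300KB
memory/2876-163-0x00000000005C4000-0x00000000005F3000-memory.dmp 188KB
memory/3512-172-0x0000000000000000-mapping.dmp
memory/3512-173-0x0000000000510000-0x0000000000542000-memory.dmp 200KB
memory/4576-152-0x0000000004E80000-0x0000000004EBC000-memory.dmp 240KB
memory/4576-154-0x0000000006380000-0x0000000006924000-memory.dmp 5.6MB
memory/4576-158-0x0000000006930000-0x0000000006AF2000-memory.dmp 1.8MB
memory/4576-145-0x0000000000000000-mapping.dmp
memory/4576-157-0x0000000006050000-0x00000000060A0000-memory.dmp 320KB
memory/4576-156-0x0000000005FD0000-0x0000000006046000-memory.dmp 472KB
memory/4576-155-0x0000000005EB0000-0x0000000005F42000-memory.dmp 584KB
memory/4576-159-0x0000000007030000-0x000000000755C000-memory.dmp 5.2MB
memory/4576-153-0x0000000005C60000-0x0000000005CC6000-memory.dmp 408KB
memory/4576-151-0x0000000004E00000-0x0000000004E12000-memory.dmp 72KB
memory/4576-150-0x0000000004ED0000-0x0000000004FDA000-memory.dmp 1.0MB
memory/4576-148-0x0000000000430000-0x0000000000462000-memory.dmp 200KB
memory/4576-149-0x0000000005370000-0x0000000005988000-memory.dmp 6.1MB
memory/4776-135-0x0000000000000000-mapping.dmp
memory/4832-132-0x0000000000000000-mapping.dmp
memory/5000-169-0x0000000000000000-mapping.dmp
"""

# PID -> image name, taken from the report's process list.
PID_IMAGES = {1256: "afs68.exe", 2876: "cFS13.exe", 3512: "AppLaunch.exe", 4576: "bCI01.exe",
              4776: "dhc65.exe", 4832: "dkw69.exe", 5000: "dkt78.exe"}

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp(?: (?P<size>\S+))?$")


def human_size(n):
    """Sandbox-style size (assumed rule): whole KB below 1 MiB, else MiB to one decimal, half up."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    tenths = int(n * 10 / (1 << 20) + 0.5)
    return f"{tenths // 10}.{tenths % 10}MB"


def parse_dumps(text):
    dumps = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump name: {line!r}")
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        dumps.append({"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end,
                      "size": (end - start) if end is not None else 0, "stated": m["size"],
                      "image": PID_IMAGES.get(int(m["pid"]), "?")})
    return dumps


def size_mismatches(dumps):
    """Dumps whose address range disagrees with the size the report printed."""
    return [d for d in dumps if d["end"] is not None and human_size(d["size"]) != d["stated"]]


def regions_for(dumps, pid):
    """Distinct address ranges captured for a PID, lowest first; the report's repeated
    captures of one range (three of 0x7FFB80490000 for PID 1256, for instance) collapse to one."""
    seen = {}
    for d in dumps:
        if d["pid"] == pid and d["end"] is not None:
            seen.setdefault((d["start"], d["end"]), d)
    return [seen[k] for k in sorted(seen)]


def is_64bit_process(dumps, pid):
    """A captured region above the 4 GiB boundary can only exist in a 64-bit process."""
    return any(d["start"] >= 1 << 32 for d in regions_for(dumps, pid))
```

Every printed size matches its address range, so the names can be trusted as a map of what was captured. PID 3512 (AppLaunch.exe, the SetThreadContext target) has exactly one captured range, 0x510000-0x542000 (200KB), which is therefore the dump to open first when looking for the injected payload; afs68.exe (PID 1256) is the only one of the dumped processes with a region above 4 GiB and so the only 64-bit one, while the stealer-like stages run as 32-bit, consistent with the SysWOW64 WerFault.exe that handled the cFS13.exe crash.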