Analysis
- max time kernel: 54s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-02-2023 10:07
Static task: static1
Behavioral task: behavioral1
- Sample: bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe
- Resource: win10v2004-20220901-en
General
- Target: bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe
- Size: 821KB
- MD5: 9284733b6227f09652a10e836eda0744
- SHA1: 8d72067381604ddb934d5809c04ff76a20009932
- SHA256: bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85
- SHA512: a5124682cde46412994e3476af0c6889ae639d62c153a569597d6320b9a199675d9887cce20611f8081ef5ebadce712c4ac6345a5a1c41eab42a08ed57fe911d
- SSDEEP: 12288:NMruy900xJmWiVLycOrggqq69zek680OBMuLUfZApYj9dP05e+GKfdaAIH7DTU:ryfm5VODV769zb6Sm9fWpexpfAB
Malware Config
Two RedLine configurations were extracted from this sample:
Extracted
- Family: redline
- Botnet: dubna
- C2: 193.233.20.11:4131
- auth_value: f324b1269094b7462e56bab025f032f4
Extracted
- Family: redline
- Botnet: crypt1
- C2: 176.113.115.17:4132
- auth_value: 2e2ca7bbceaa9f98252a6f9fc0e6fa86
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (aQP33.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (aQP33.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (aQP33.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (aQP33.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (aQP33.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (aQP33.exe)
All six writes go to the Group Policy branch of the Defender configuration, so they take effect as if an administrator had disabled real-time protection by policy.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 6 IoCs
pid | Process
- 2168 duL82.exe
- 2976 dFC00.exe
- 3944 aQP33.exe
- 2292 bPy39.exe
- 1412 cvY94.exe
- 936 dUG31.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (aQP33.exe)
Writing 0 here attempts to switch Defender's Tamper Protection off. When Tamper Protection is enabled it is designed to block unauthorized changes to Defender settings, including this value, so treat the write as an indicator of intent rather than proof that protection was actually disabled on the victim.
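The two registry signatures above are the part of this trace most worth turning into a host detection. The following is an added example, not code from the sandbox report or from the malware: it takes Sysmon RegistryEvent (Event ID 13, "value set") records in the EventID/Image/TargetObject/Details shape Sysmon emits, normalizes the kernel-style \REGISTRY\MACHINE\ prefix the sandbox prints to Sysmon's HKLM\, and flags exactly the writes listed above (a Disable* value set to 1 under the Real-Time Protection policy key, or TamperProtection set to 0). The sample records are constructed from the IoC rows on this page plus two benign controls; the ATT&CK ID is Impair Defenses: Disable or Modify Tools.

```python
"""Flag Defender tamper writes in Sysmon RegistryEvent (Event ID 13) records.

Added example; not part of the sandbox report. The record layout mirrors
Sysmon's EventID/Image/TargetObject/Details fields; SAMPLE_EVENTS below is
constructed from the report's IoC rows.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Policy key the sample wrote to, and the value names it set to 1.
RTP_POLICY_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}
# Feature key the sample wrote to, and the value it set to 0.
FEATURES_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"
TAMPER_VALUE = "TamperProtection"

# Kernel-style hive prefixes (as the sandbox prints them) -> Sysmon-style short names.
HIVE_PREFIXES = (
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
)
# Sysmon renders DWORD data as 'DWORD (0x00000001)'.
_DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]{8})\)")


@dataclass(frozen=True)
class Finding:
    image: str
    key: str
    value: str
    data: int
    technique: str = "T1562.001"  # ATT&CK: Impair Defenses: Disable or Modify Tools


def normalize_target(target: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\... so both spellings compare equal."""
    for raw, short in HIVE_PREFIXES:
        if target.upper().startswith(raw):
            return short + target[len(raw):]
    return target


def parse_dword(details: str) -> Optional[int]:
    """Return the integer from a Sysmon DWORD rendering, or None for other data types."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if this record is one of the Defender-disabling writes."""
    if ev.get("EventID") != 13:  # only 'value set' events carry Details
        return None
    key, _, name = normalize_target(ev["TargetObject"]).rpartition("\\")
    data = parse_dword(ev.get("Details", ""))
    if data is None:
        return None
    if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == 1:
        return Finding(ev["Image"], key, name, data)
    if key.lower() == FEATURES_KEY.lower() and name == TAMPER_VALUE and data == 0:
        return Finding(ev["Image"], key, name, data)
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(check_event, events) if f is not None]


# Constructed records: two taken from the report's IoC rows, two benign controls.
DROPPER_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER_DIR + "IXP002.TMP\\aQP33.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
                     "\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": DROPPER_DIR + "IXP002.TMP\\aQP33.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Control: re-enabling real-time protection (value 0) is not a tamper attempt.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": RTP_POLICY_KEY + "\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Control: the RunOnce cleanup string the dropper also wrote; not a Defender key.
    {"EventID": 13, "Image": DROPPER_DIR + "IXP000.TMP\\duL82.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows"
                     "\\CurrentVersion\\RunOnce\\wextract_cleanup1",
     "Details": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 ..."},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.image} set {f.key}\\{f.value} = {f.data}")
```

Running it prints the two aQP33.exe writes and nothing for the controls. The key comparison is case-insensitive because the registry is, while value names are matched exactly as Defender spells them; a value of 0 under the policy key is deliberately ignored so that a re-enable does not alert.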
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (duL82.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (duL82.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (dFC00.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (dFC00.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe)
These RunOnce entries are the Windows self-extractor's own cleanup, not payload persistence: wextract (the IExpress stub) registers wextract_cleanupN so that advpack.dll's DelNodeRunDLL32 deletes its IXP00N.TMP extraction directory at the next logon. Three such entries, one per IXP directory, show the sample is three nested self-extracting layers; none of the stealer payloads sets a Run key in this trace.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
- PID 936 (dUG31.exe) set thread context of 1124 (AppLaunch.exe); procid_target 92
Taken together with the five WriteProcessMemory calls from 936 into 1124 below, this is the process-hollowing pattern: dUG31.exe starts the .NET host AppLaunch.exe as a child, overwrites its memory, and redirects its thread; the RedLine behaviour (EnumeratesProcesses, SeDebugPrivilege) then appears under AppLaunch.exe's PID rather than the dropper's.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
- 1260 WerFault.exe for crashed PID 1412 (cvY94.exe); procid_target 86
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
- 3944 aQP33.exe (x2)
- 2292 bPy39.exe (x2)
- 1412 cvY94.exe (x2)
- 1124 AppLaunch.exe (x2)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege, 3944 aQP33.exe
- Token: SeDebugPrivilege, 2292 bPy39.exe
- Token: SeDebugPrivilege, 1412 cvY94.exe
- Token: SeDebugPrivilege, 1124 AppLaunch.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
- PID 4964 (bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe) wrote to memory of 2168; procid_target 81 (x3)
- PID 2168 (duL82.exe) wrote to memory of 2976; procid_target 82 (x3)
- PID 2976 (dFC00.exe) wrote to memory of 3944; procid_target 83 (x2)
- PID 2976 (dFC00.exe) wrote to memory of 2292; procid_target 84 (x3)
- PID 2168 (duL82.exe) wrote to memory of 1412; procid_target 86 (x3)
- PID 4964 (bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe) wrote to memory of 936; procid_target 90 (x3)
- PID 936 (dUG31.exe) wrote to memory of 1124; procid_target 92 (x5)
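The SetThreadContext and WriteProcessMemory rows are only meaningful in combination, and a practitioner reading a trace like this wants the correlation done for them. The following is an added example, not code from the sandbox report or from the malware: it rebuilds the process table from the process tree on this page and the API rows above (both constructed here as Python literals), then reports a process-hollowing candidate only where a parent both wrote into a child it spawned and set that child's thread context, and the child's image lives under C:\Windows. Plain parent-to-child writes with no SetThreadContext, which every dropper layer in this tree performs, are deliberately left unflagged. The ATT&CK ID used is Process Injection: Process Hollowing.

```python
"""Correlate WriteProcessMemory + SetThreadContext into a process-hollowing finding.

Added example; not part of the sandbox report. PROCESSES and API_EVENTS are
constructed from the report's process tree and API IoC rows.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = "bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe"

# pid -> (parent pid, image path), taken from the process tree in the report.
PROCESSES: Dict[int, Tuple[Optional[int], str]] = {
    4964: (None, TEMP + SAMPLE),
    2168: (4964, TEMP + "IXP000.TMP\\duL82.exe"),
    2976: (2168, TEMP + "IXP001.TMP\\dFC00.exe"),
    3944: (2976, TEMP + "IXP002.TMP\\aQP33.exe"),
    2292: (2976, TEMP + "IXP002.TMP\\bPy39.exe"),
    1412: (2168, TEMP + "IXP001.TMP\\cvY94.exe"),
    936:  (4964, TEMP + "IXP000.TMP\\dUG31.exe"),
    1124: (936,  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"),
}

# (api, source pid, target pid); one entry per IoC row in the report (22 writes + 1 context set).
API_EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 4964, 2168)] * 3
    + [("WriteProcessMemory", 2168, 2976)] * 3
    + [("WriteProcessMemory", 2976, 3944)] * 2
    + [("WriteProcessMemory", 2976, 2292)] * 3
    + [("WriteProcessMemory", 2168, 1412)] * 3
    + [("WriteProcessMemory", 4964, 936)] * 3
    + [("WriteProcessMemory", 936, 1124)] * 5
    + [("SetThreadContext", 936, 1124)]
)

# Directories whose binaries are commonly started suspended and hollowed.
HOST_DIRS = ("c:\\windows\\",)


def ancestry(processes: Dict[int, Tuple[Optional[int], str]], pid: int) -> List[str]:
    """Image basenames from the root of the tree down to pid (loop-safe)."""
    chain: List[str] = []
    seen = set()
    while pid is not None and pid in processes and pid not in seen:
        seen.add(pid)
        ppid, image = processes[pid]
        chain.append(ntpath.basename(image))
        pid = ppid
    return chain[::-1]


def find_hollowing(processes, events) -> List[dict]:
    """Flag (parent -> child) pairs with both memory writes and a SetThreadContext,
    where the child is a Windows binary. Writes alone are not flagged."""
    writes = defaultdict(int)
    ctx_pairs = set()
    for api, src, dst in events:
        if src == dst:
            continue
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, dst))

    findings = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] == 0 or dst not in processes or src not in processes:
            continue
        ppid, image = processes[dst]
        if ppid != src or not image.lower().startswith(HOST_DIRS):
            continue
        findings.append({
            "source_pid": src,
            "source_image": ntpath.basename(processes[src][1]),
            "target_pid": dst,
            "target_image": ntpath.basename(image),
            "writes": writes[(src, dst)],
            "chain": ancestry(processes, dst),
            "technique": "T1055.012",  # ATT&CK: Process Injection: Process Hollowing
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, API_EVENTS):
        print(f"{f['technique']}: {f['source_image']} ({f['source_pid']}) -> "
              f"{f['target_image']} ({f['target_pid']}), {f['writes']} writes; "
              f"chain: {' > '.join(f['chain'])}")
```

On this trace it yields a single finding, dUG31.exe (936) into AppLaunch.exe (1124) with five writes, and the chain from the original sample through dUG31.exe to the hollowed .NET host; the six other write pairs in the dropper layers produce nothing. The ancestry walk uses ntpath so the Windows paths split correctly on any platform.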
Processes
C:\Users\Admin\AppData\Local\Temp\bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe (PID 4964)
  command line: "C:\Users\Admin\AppData\Local\Temp\bd3261071ffb8d7922c53337733228a1abac9746ccc2147cc713f9fe234c0d85.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\duL82.exe (PID 2168)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\duL82.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dFC00.exe (PID 2976)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dFC00.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aQP33.exe (PID 3944)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aQP33.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bPy39.exe (PID 2292)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bPy39.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvY94.exe (PID 1412)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvY94.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 1260)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1332
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dUG31.exe (PID 936)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dUG31.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1124)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 4040)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1412 -ip 1412
Downloads (unique files)
- 277KB
  MD5: 3bc6ecb7d1f35f3171383f88879659b7
  SHA1: e82887b3d6ab38ae3b8880d6c904244495dcf0cc
  SHA256: c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068
  SHA512: 709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c
- 591KB
  MD5: eb7cb8d86e906d4197da6c7e40e28862
  SHA1: cab5f9f7461a7cf2640ecab016861a17c878bebc
  SHA256: bed694272ca529607b5ff8096af80d5365ecb1603eef09697cf4e2354297427e
  SHA512: 9c83d0b8859df3ec288c43b4d5933fda5c60378ca103de1039d6c62f485ee1b4df20e8b24a0f4086c88c229f8c0ba8433a88d88a05265c805db3bd6fc0a84c04
- 445KB
  MD5: 049e437c4cb9bf8e8494cf8d5948c8e8
  SHA1: 8e2edd3b16db80dff51a00b137767b7b5f10749f
  SHA256: 32d5081370c5d1bd8f22f7fb01f093a6fc794099ea8878f833a039577db3e315
  SHA512: 3d33f49f8d9d7ee999f597439458141eaf2c8034387a0481feb9a569f132a6916a6f79460007db360c2b0d7ecacdc1337721a10567103cb400f88fe2fd706053
- 202KB
  MD5: 4fa73396a0e6fff829467d44b7fe872f
  SHA1: b72039fc239dd1c2b57b73939ad43fbb79bde3ec
  SHA256: 194a616e9fc50f76acb10d032a6ca875088f9c7117698ed97be53b64c36550c8
  SHA512: 05733a93ee2691b4bfc4e6b2adf553d063445f46b8dab223d41961af5b2c499ffc023694d45313600bb040175eeb37178262701a25059c84ff010a105204c2a5
- 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- 175KB
  MD5: ef8079cf160510d0da7162bc08f753d8
  SHA1: e786cc8bee83e4a37433ddccf9d3540e1f6533fe
  SHA256: a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6
  SHA512: 959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3