Analysis
max time kernel: 138s
max time network: 144s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11/02/2023, 23:50
Static task: static1
General
Target: a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe
Size: 724KB
MD5: dbc9cc45f9009fe151bdeae3f842a413
SHA1: 1bd492a48fe4aab9a80d03d54fa7609e4ff7807c
SHA256: a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29
SHA512: 2ca80cb4f8e1463a17a383efe6c25e4510521b1d4747840e06ff167d97eca11ec5912b885d4f2b3ee9c375bcd87d75c817dc813248c0933c447b0ba26d285eda
SSDEEP: 12288:BMr4py90uAMX7d1AZL89t416F+188Zg8IPRO9T1WQy+e5tSGRGbiq/2:5pylAMrcpE+/88Zg8IZOjWQy+eCGRGWd
Malware Config
Extracted: redline
  fusa
  193.233.20.12:4132
  auth_value: a08b2f01bd2af756e38c5dd60e87e697
Extracted: amadey
  3.66
  62.204.41.5/Bu58Ngs/index.php
Extracted: redline
  romik
  193.233.20.12:4132
  auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | rnQ19xk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | rnQ19xk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | rnQ19xk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | rnQ19xk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | rnQ19xk.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/memory/1184-721-0x0000000004C80000-0x0000000004CC6000-memory.dmp | family_redline
behavioral1/memory/1184-734-0x0000000005220000-0x0000000005264000-memory.dmp | family_redline
Executes dropped EXE 9 IoCs
pid | Process
1624 | sSw35oH.exe
4896 | sFR70Mw.exe
5004 | kpY11Ss.exe
4504 | mHO25.exe
1356 | mnolyk.exe
1184 | nzd80EB.exe
4908 | rnQ19xk.exe
2196 | mnolyk.exe
4796 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
1420 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | rnQ19xk.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sSw35oH.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | sSw35oH.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | sFR70Mw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sFR70Mw.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1432 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5004 | kpY11Ss.exe
5004 | kpY11Ss.exe
1184 | nzd80EB.exe
1184 | nzd80EB.exe
4908 | rnQ19xk.exe
4908 | rnQ19xk.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5004 | kpY11Ss.exe
Token: SeDebugPrivilege | 1184 | nzd80EB.exe
Token: SeDebugPrivilege | 4908 | rnQ19xk.exe
Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target | entries
PID 520 wrote to memory of 1624 | 520 | a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe | 66 | 3
PID 1624 wrote to memory of 4896 | 1624 | sSw35oH.exe | 67 | 3
PID 4896 wrote to memory of 5004 | 4896 | sFR70Mw.exe | 68 | 3
PID 4896 wrote to memory of 4504 | 4896 | sFR70Mw.exe | 70 | 3
PID 4504 wrote to memory of 1356 | 4504 | mHO25.exe | 71 | 3
PID 1624 wrote to memory of 1184 | 1624 | sSw35oH.exe | 72 | 3
PID 1356 wrote to memory of 1432 | 1356 | mnolyk.exe | 73 | 3
PID 1356 wrote to memory of 412 | 1356 | mnolyk.exe | 74 | 3
PID 412 wrote to memory of 2984 | 412 | cmd.exe | 77 | 3
PID 412 wrote to memory of 4316 | 412 | cmd.exe | 78 | 3
PID 412 wrote to memory of 4352 | 412 | cmd.exe | 79 | 3
PID 412 wrote to memory of 3308 | 412 | cmd.exe | 80 | 3
PID 412 wrote to memory of 4860 | 412 | cmd.exe | 81 | 3
PID 412 wrote to memory of 4520 | 412 | cmd.exe | 82 | 3
PID 520 wrote to memory of 4908 | 520 | a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe | 83 | 2
PID 1356 wrote to memory of 1420 | 1356 | mnolyk.exe | 85 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a7f60f90697ed9a34887a4eb4aeb2bf13ebd732ea0d7f52961bb58101f747b29.exe"
  PID: 520
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sSw35oH.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sSw35oH.exe
    PID: 1624
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sFR70Mw.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sFR70Mw.exe
      PID: 4896
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kpY11Ss.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kpY11Ss.exe
        PID: 5004
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mHO25.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mHO25.exe
        PID: 4504
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
          PID: 1356
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
            PID: 1432
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
            PID: 412
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 2984
            C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "mnolyk.exe" /P "Admin:N"
              PID: 4316
            C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "mnolyk.exe" /P "Admin:R" /E
              PID: 4352
            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 3308
            C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "..\5eb6b96734" /P "Admin:N"
              PID: 4860
            C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "..\5eb6b96734" /P "Admin:R" /E
              PID: 4520
          C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            PID: 1420
            - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nzd80EB.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nzd80EB.exe
      PID: 1184
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rnQ19xk.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rnQ19xk.exe
    PID: 4908
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  PID: 2196
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  PID: 4796
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads