redline | 099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb

Analysis

max time kernel
149s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe
Size

837KB
MD5

d57fb2d19fded7db4b6b0de2a45cb3d9
SHA1

3e74cbce408a6d5420e95d9ec5dcb5c942799625
SHA256

099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb
SHA512

133f383807ff19c92dadc439a42f56a6cfe56d46b63cce152c89c4de16d2aa87bec6773a18d89193217b77c15ad5dc7efc2cfcdc30ad5cc4af4760013610f18c
SSDEEP

24576:yyvBxPDAkMSF5ZdeVOgsgIWWVy4BCFluBwTPa+UJmV:ZvBxPkGg4jgIWEy4BCFo4FU

Score

10^/10

redline crypt1 dunm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

crypt1

176.113.115.17:4132

Attributes

auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86

Extracted

Family

redline

Botnet

dunm

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	skj76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	skj76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	skj76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	skj76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	skj76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	skj76.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4144	vfq58.exe
4744	vVd45.exe
3388	dco57.exe
2640	lAu09.exe
2616	nPB30.exe
4680	skj76.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	skj76.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vVd45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vVd45.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vfq58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vfq58.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 3668	2640	lAu09.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3388	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3388	dco57.exe
3388	dco57.exe
3668	AppLaunch.exe
3668	AppLaunch.exe
2616	nPB30.exe
2616	nPB30.exe
4680	skj76.exe
4680	skj76.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	dco57.exe
Token: SeDebugPrivilege	3668	AppLaunch.exe
Token: SeDebugPrivilege	2616	nPB30.exe
Token: SeDebugPrivilege	4680	skj76.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 4144	932	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe	83
PID 932 wrote to memory of 4144	932	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe	83
PID 932 wrote to memory of 4144	932	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe	83
PID 4144 wrote to memory of 4744	4144	vfq58.exe	84
PID 4144 wrote to memory of 4744	4144	vfq58.exe	84
PID 4144 wrote to memory of 4744	4144	vfq58.exe	84
PID 4744 wrote to memory of 3388	4744	vVd45.exe	85
PID 4744 wrote to memory of 3388	4744	vVd45.exe	85
PID 4744 wrote to memory of 3388	4744	vVd45.exe	85
PID 4744 wrote to memory of 2640	4744	vVd45.exe	93
PID 4744 wrote to memory of 2640	4744	vVd45.exe	93
PID 4744 wrote to memory of 2640	4744	vVd45.exe	93
PID 2640 wrote to memory of 3668	2640	lAu09.exe	95
PID 2640 wrote to memory of 3668	2640	lAu09.exe	95
PID 2640 wrote to memory of 3668	2640	lAu09.exe	95
PID 2640 wrote to memory of 3668	2640	lAu09.exe	95
PID 2640 wrote to memory of 3668	2640	lAu09.exe	95
PID 4144 wrote to memory of 2616	4144	vfq58.exe	96
PID 4144 wrote to memory of 2616	4144	vfq58.exe	96
PID 4144 wrote to memory of 2616	4144	vfq58.exe	96
PID 932 wrote to memory of 4680	932	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe	104
PID 932 wrote to memory of 4680	932	099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe	104

C:\Users\Admin\AppData\Local\Temp\099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe
"C:\Users\Admin\AppData\Local\Temp\099e17bd1e39d88b14393f5b17023ca476677d3d907f1502384aa18a81a13edb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vfq58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vfq58.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vVd45.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vVd45.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dco57.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dco57.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1380
        5⤵
        Program crash
        
        PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lAu09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lAu09.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nPB30.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nPB30.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skj76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skj76.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3388 -ip 3388
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skj76.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skj76.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vfq58.exe

Filesize
733KB

MD5
2860676871fcd2c6c0d1fccfe0610c7d

SHA1
a919c3a1f6a576b72ec8ffab6b6f12551fcbc47d

SHA256
d8d110ea52e2835dae9e006b301315876131bf60d1e4c76c65db57189686ad89

SHA512
3e5a2cbda0c793745cf946dbc7476f7998232208a841ad6abe6a9ad1b4619a64258c63b9b84b1019b32885467ecef67e4098aa116dd7ebc02e336703d1e4a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vfq58.exe

Filesize
733KB

MD5
2860676871fcd2c6c0d1fccfe0610c7d

SHA1
a919c3a1f6a576b72ec8ffab6b6f12551fcbc47d

SHA256
d8d110ea52e2835dae9e006b301315876131bf60d1e4c76c65db57189686ad89

SHA512
3e5a2cbda0c793745cf946dbc7476f7998232208a841ad6abe6a9ad1b4619a64258c63b9b84b1019b32885467ecef67e4098aa116dd7ebc02e336703d1e4a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nPB30.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nPB30.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vVd45.exe

Filesize
588KB

MD5
d6ae912c28de7449d7908646238d484f

SHA1
0da3e231b362a1a02fa3d48e82b562634fa937c3

SHA256
2425e35775d76ed5bcc7fc0752fbc3128a408b1650ef9bf981053a758c0e1fd9

SHA512
347363ac1162c013ecaf74960cab295e919fb3b47dca545296a6848bce8f401450fef381cf590a59035257f4983fccb3d5ee2ec71f63f5efa8a00b185163c002

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vVd45.exe

Filesize
588KB

MD5
d6ae912c28de7449d7908646238d484f

SHA1
0da3e231b362a1a02fa3d48e82b562634fa937c3

SHA256
2425e35775d76ed5bcc7fc0752fbc3128a408b1650ef9bf981053a758c0e1fd9

SHA512
347363ac1162c013ecaf74960cab295e919fb3b47dca545296a6848bce8f401450fef381cf590a59035257f4983fccb3d5ee2ec71f63f5efa8a00b185163c002

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dco57.exe

Filesize
479KB

MD5
a6585ad170bfd18ad0de954142ddb550

SHA1
793142dec6e802fb71e71a40e33de69d2cb1f2f3

SHA256
040342454dfb02ce78a14893c1a2a02f60662d48070e6ab5e5cb6035a20a4cb1

SHA512
00b6323325f1670829ba81db494bba3916d37702f41607500fd50ea7ed78fdd642ec5abb98cd04bcb335052326b38054496908b4c914d664dfcda6d2895f44fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dco57.exe

Filesize
479KB

MD5
a6585ad170bfd18ad0de954142ddb550

SHA1
793142dec6e802fb71e71a40e33de69d2cb1f2f3

SHA256
040342454dfb02ce78a14893c1a2a02f60662d48070e6ab5e5cb6035a20a4cb1

SHA512
00b6323325f1670829ba81db494bba3916d37702f41607500fd50ea7ed78fdd642ec5abb98cd04bcb335052326b38054496908b4c914d664dfcda6d2895f44fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lAu09.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lAu09.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
memory/2616-170-0x0000000000890000-0x00000000008C2000-memory.dmp

Filesize
200KB

Download
memory/3388-152-0x00000000067A0000-0x0000000006816000-memory.dmp

Filesize
472KB

Download
memory/3388-145-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/3388-149-0x0000000000993000-0x00000000009C2000-memory.dmp

Filesize
188KB

Download
memory/3388-150-0x0000000006180000-0x0000000006212000-memory.dmp

Filesize
584KB

Download
memory/3388-151-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/3388-153-0x0000000006830000-0x0000000006880000-memory.dmp

Filesize
320KB

Download
memory/3388-154-0x00000000068A0000-0x0000000006A62000-memory.dmp

Filesize
1.8MB

Download
memory/3388-155-0x0000000006A80000-0x0000000006FAC000-memory.dmp

Filesize
5.2MB

Download
memory/3388-156-0x0000000000993000-0x00000000009C2000-memory.dmp

Filesize
188KB

Download
memory/3388-157-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3388-147-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/3388-146-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3388-148-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

Filesize
240KB

Download
memory/3388-141-0x0000000000993000-0x00000000009C2000-memory.dmp

Filesize
188KB

Download
memory/3388-142-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/3388-144-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/3388-143-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3668-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4680-174-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/4680-175-0x00007FF9C08E0000-0x00007FF9C13A1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-176-0x00007FF9C08E0000-0x00007FF9C13A1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-177-0x00007FF9C08E0000-0x00007FF9C13A1000-memory.dmp

Filesize
10.8MB

Download