redline | 73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe
Size

766KB
MD5

57c92001d59f347842f452b4ffb17b13
SHA1

c1b371e447108cdc859f5a20a35bb5560b6f8693
SHA256

73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c
SHA512

b06824afd8921058f02112e9715d94f949f9d78638169ee778a24203711980459db7643d52d11ac76ac9b7b6c644f26a309f18809fc4e571c003557fad8ad6a5
SSDEEP

12288:BMrxy90ywN7VDo6QlfnYWCIOvstTrkjss4BFDhDlOzMaTc0EfySngPuPfVA:4ydwJVc6QxYvDgrkj8Nn4jTctfySnvV

Score

10^/10

redline crypt1 dunm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

crypt1

176.113.115.17:4132

Attributes

auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86

Extracted

Family

redline

Botnet

dunm

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	szC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	szC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	szC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	szC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	szC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	szC90.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3640	vjr68.exe
2276	vnT73.exe
3356	dSp38.exe
796	lbx59.exe
3788	nMy29.exe
3616	szC90.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	szC90.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vjr68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vjr68.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vnT73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vnT73.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 796 set thread context of 4268	796	lbx59.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	3356	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3356	dSp38.exe
3356	dSp38.exe
4268	AppLaunch.exe
3788	nMy29.exe
4268	AppLaunch.exe
3788	nMy29.exe
3616	szC90.exe
3616	szC90.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	dSp38.exe
Token: SeDebugPrivilege	4268	AppLaunch.exe
Token: SeDebugPrivilege	3788	nMy29.exe
Token: SeDebugPrivilege	3616	szC90.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 3640	1048	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe	80
PID 1048 wrote to memory of 3640	1048	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe	80
PID 1048 wrote to memory of 3640	1048	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe	80
PID 3640 wrote to memory of 2276	3640	vjr68.exe	81
PID 3640 wrote to memory of 2276	3640	vjr68.exe	81
PID 3640 wrote to memory of 2276	3640	vjr68.exe	81
PID 2276 wrote to memory of 3356	2276	vnT73.exe	82
PID 2276 wrote to memory of 3356	2276	vnT73.exe	82
PID 2276 wrote to memory of 3356	2276	vnT73.exe	82
PID 2276 wrote to memory of 796	2276	vnT73.exe	86
PID 2276 wrote to memory of 796	2276	vnT73.exe	86
PID 2276 wrote to memory of 796	2276	vnT73.exe	86
PID 796 wrote to memory of 4268	796	lbx59.exe	88
PID 796 wrote to memory of 4268	796	lbx59.exe	88
PID 796 wrote to memory of 4268	796	lbx59.exe	88
PID 796 wrote to memory of 4268	796	lbx59.exe	88
PID 796 wrote to memory of 4268	796	lbx59.exe	88
PID 3640 wrote to memory of 3788	3640	vjr68.exe	89
PID 3640 wrote to memory of 3788	3640	vjr68.exe	89
PID 3640 wrote to memory of 3788	3640	vjr68.exe	89
PID 1048 wrote to memory of 3616	1048	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe	91
PID 1048 wrote to memory of 3616	1048	73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe	91

C:\Users\Admin\AppData\Local\Temp\73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe
"C:\Users\Admin\AppData\Local\Temp\73689f35e5c3314666769cea1523915f725ff953c247be0da22a1023bd51a42c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjr68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjr68.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vnT73.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vnT73.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSp38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSp38.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1548
        5⤵
        Program crash
        
        PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lbx59.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lbx59.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nMy29.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nMy29.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\szC90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\szC90.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\szC90.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\szC90.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjr68.exe

Filesize
662KB

MD5
21ddeb410f0a7d50bdcd0048d45f45d9

SHA1
d7445739154370162f7e1f81555f8f97b69bd100

SHA256
56400b9fb4b7fdfd3452667198bd415fa1b63fa3038f1901af6d88b955ddafb5

SHA512
c30e236048d21eff34226f48d252a053bd08de15554eccfc013e111d4d33fa02d1f69557095459fcb55be7f224fdca551d010ecf1f4bd795912395c8327b293d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjr68.exe

Filesize
662KB

MD5
21ddeb410f0a7d50bdcd0048d45f45d9

SHA1
d7445739154370162f7e1f81555f8f97b69bd100

SHA256
56400b9fb4b7fdfd3452667198bd415fa1b63fa3038f1901af6d88b955ddafb5

SHA512
c30e236048d21eff34226f48d252a053bd08de15554eccfc013e111d4d33fa02d1f69557095459fcb55be7f224fdca551d010ecf1f4bd795912395c8327b293d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nMy29.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nMy29.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vnT73.exe

Filesize
517KB

MD5
cc03aeb61411d3aec5f5806a43423e29

SHA1
df42934a32676d5ab7d62c30619117e3c16c0137

SHA256
9320fd317b1aee8da6c0a6d2aa2d95683cdd49032d12e8ae0bd3eb4f40dea56d

SHA512
edc569696575c66cde3cbcf700f924054d4f724838c786fd99c0d047c0a557cc097e7b11d1468d6ab4286e70f75a98a91b8065e6a3d2b5d036f125842ada04df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vnT73.exe

Filesize
517KB

MD5
cc03aeb61411d3aec5f5806a43423e29

SHA1
df42934a32676d5ab7d62c30619117e3c16c0137

SHA256
9320fd317b1aee8da6c0a6d2aa2d95683cdd49032d12e8ae0bd3eb4f40dea56d

SHA512
edc569696575c66cde3cbcf700f924054d4f724838c786fd99c0d047c0a557cc097e7b11d1468d6ab4286e70f75a98a91b8065e6a3d2b5d036f125842ada04df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSp38.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSp38.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lbx59.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lbx59.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
memory/3356-152-0x0000000006820000-0x0000000006D4C000-memory.dmp

Filesize
5.2MB

Download
memory/3356-145-0x00000000053A0000-0x00000000059B8000-memory.dmp

Filesize
6.1MB

Download
memory/3356-148-0x0000000005BA0000-0x0000000005BDC000-memory.dmp

Filesize
240KB

Download
memory/3356-149-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3356-150-0x0000000006540000-0x00000000065D2000-memory.dmp

Filesize
584KB

Download
memory/3356-151-0x0000000006650000-0x0000000006812000-memory.dmp

Filesize
1.8MB

Download
memory/3356-153-0x0000000000922000-0x0000000000951000-memory.dmp

Filesize
188KB

Download
memory/3356-154-0x00000000070E0000-0x0000000007156000-memory.dmp

Filesize
472KB

Download
memory/3356-155-0x0000000007160000-0x00000000071B0000-memory.dmp

Filesize
320KB

Download
memory/3356-156-0x0000000000922000-0x0000000000951000-memory.dmp

Filesize
188KB

Download
memory/3356-157-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/3356-146-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/3356-147-0x0000000005B80000-0x0000000005B92000-memory.dmp

Filesize
72KB

Download
memory/3356-144-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/3356-141-0x0000000000922000-0x0000000000951000-memory.dmp

Filesize
188KB

Download
memory/3356-142-0x0000000000880000-0x00000000008CB000-memory.dmp

Filesize
300KB

Download
memory/3356-143-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/3616-174-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/3616-175-0x00007FF82D370000-0x00007FF82DE31000-memory.dmp

Filesize
10.8MB

Download
memory/3616-176-0x00007FF82D370000-0x00007FF82DE31000-memory.dmp

Filesize
10.8MB

Download
memory/3788-170-0x00000000003A0000-0x00000000003D2000-memory.dmp

Filesize
200KB

Download
memory/4268-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download