Analysis
max time kernel: 52s
max time network: 54s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-02-2023 06:34
Static task: static1
Behavioral task: behavioral1
Sample: dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe
Resource: win10-20220812-en
General
Target: dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe
Size: 481KB
MD5: e44976bdb0218ad9048d8653f29ceb04
SHA1: 27016d7d97f0d48c44dc6b40644ba4534601d297
SHA256: dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738
SHA512: e611e9492a29c7fff80270df923e369bb3d233797a7ea987966a93fa93e4734dcb6075c90810c79a4abb3505704188aa0cf10260a998dd2fd24ab4a019ff17fb
SSDEEP: 12288:tMrOy90Ou9D1WactFEZlbpV48QOoUbhGi:Tyfu9BrctFEr4c5
Malware Config
Extracted
Family: redline
Botnet: fusa
C2: 193.233.20.12:4132
auth_value: a08b2f01bd2af756e38c5dd60e87e697
Extracted
Family: redline
Botnet: crnn
C2: 176.113.115.17:4132
auth_value: 6dfbf5eac3db7046d55dfd3f6608be3f
Signatures
-
Modifies Windows Defender Real-time Protection settings 5 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (dmG78.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (dmG78.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (dmG78.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (dmG78.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (dmG78.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
- PID 2108: nqH64.exe
- PID 2272: bBm62.exe
- PID 3324: cbW01MY.exe
- PID 4776: dmG78.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (dmG78.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (dmG78.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (nqH64.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (nqH64.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 2272: bBm62.exe
- PID 2272: bBm62.exe
- PID 3324: cbW01MY.exe
- PID 3324: cbW01MY.exe
- PID 4776: dmG78.exe
- PID 4776: dmG78.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, PID 2272: bBm62.exe
- Token: SeDebugPrivilege, PID 3324: cbW01MY.exe
- Token: SeDebugPrivilege, PID 4776: dmG78.exe
Suspicious use of WriteProcessMemory 12 IoCs
- PID 2248 wrote to memory of 2108 (2248 dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe, procid_target 66)
- PID 2248 wrote to memory of 2108 (2248 dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe, procid_target 66)
- PID 2248 wrote to memory of 2108 (2248 dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe, procid_target 66)
- PID 2108 wrote to memory of 2272 (2108 nqH64.exe, procid_target 67)
- PID 2108 wrote to memory of 2272 (2108 nqH64.exe, procid_target 67)
- PID 2108 wrote to memory of 2272 (2108 nqH64.exe, procid_target 67)
- PID 2108 wrote to memory of 3324 (2108 nqH64.exe, procid_target 69)
- PID 2108 wrote to memory of 3324 (2108 nqH64.exe, procid_target 69)
- PID 2108 wrote to memory of 3324 (2108 nqH64.exe, procid_target 69)
- PID 2248 wrote to memory of 4776 (2248 dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe, procid_target 70)
- PID 2248 wrote to memory of 4776 (2248 dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe, procid_target 70)
- PID 2248 wrote to memory of 4776 (2248 dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe, procid_target 70)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dbe58be8dd1d29b95b29470bded895eb4e56de9c8d0f78d556f5a97d19552738.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2248
    Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqH64.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqH64.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2108
        Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBm62.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBm62.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2272
        Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cbW01MY.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cbW01MY.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3324
    Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmG78.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmG78.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4776
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 248KB
MD5: bff8038cbd0298ace77dfd5c5a4249c2
SHA1: 390f91519cbdf582e2495948bd436bbb5e534c46
SHA256: c2edd540118d2586ebd7e518d56577536afddd67f8524f547195e152ed806ef4
SHA512: 9fdab976c4cbbffe68d057d50139d2e2c492aa9825c9a11d35d83ca046d3c7f546a5628f2f5b406cd4f601ac1724af121ca02e2d96cc8843266006d70f3f2ab5
-
Filesize: 200KB
MD5: d14397e2b26effeb9a59f3d62b050f48
SHA1: 797ef467ccb80f04845798bd641b7f7cd9f4396d
SHA256: e078e56bf0989a99b6d7303b7961e65669e0e35808f8b4e3c925084b1df263e4
SHA512: fbbd3cec21e723798dbd15fde0351f073454febfb827923b2c3228765a8c9f7fb8e9061e3b54d1124832c048d8fdbe27a6d886143d9c60d139bc28fd0b5db3f0
-
Filesize: 175KB
MD5: da6f3bef8abc85bd09f50783059964e3
SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec
-
Filesize: 175KB
MD5: 062a3c73b1aaf076abefd71633b66de5
SHA1: e4b7e004c32d673fd61b1669c797dc4b207d8445
SHA256: f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881
SHA512: 6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3