redline | 36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe
Size

769KB
MD5

61c3a3642d10db1706f786957463b161
SHA1

7ce75389b1c39a179bbc7ed42d83199f36a52be4
SHA256

36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd
SHA512

22428492253b50a6077c25c6b7e4de50ff3677932a87790c9fb2dc5560da101099fee5f49829be7be471cb828f618b0c696c61d78b9ca15b148596f4afcb18ab
SSDEEP

24576:byEUByog8H9HMkmJD13PcTPrDU+JqxTwFIL:OEhog8FMfR132PrNqB

Score

10^/10

redline cr2 dunm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cr2

176.113.115.17:4132

Attributes

auth_value
4bf573d6f5ab16f3b5e36da6855dc128

Extracted

Family

redline

Botnet

dunm

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	suh86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	suh86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	suh86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	suh86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	suh86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	suh86.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1864	vHP12.exe
4184	vPI31.exe
4928	djy69.exe
4064	lIP13.exe
4740	ntM82.exe
4812	suh86.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	suh86.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vHP12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vHP12.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vPI31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vPI31.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4064 set thread context of 3484	4064	lIP13.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3400	4928	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4928	djy69.exe
4928	djy69.exe
4740	ntM82.exe
3484	AppLaunch.exe
4740	ntM82.exe
3484	AppLaunch.exe
4812	suh86.exe
4812	suh86.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	djy69.exe
Token: SeDebugPrivilege	4740	ntM82.exe
Token: SeDebugPrivilege	3484	AppLaunch.exe
Token: SeDebugPrivilege	4812	suh86.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 1864	4324	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe	79
PID 4324 wrote to memory of 1864	4324	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe	79
PID 4324 wrote to memory of 1864	4324	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe	79
PID 1864 wrote to memory of 4184	1864	vHP12.exe	80
PID 1864 wrote to memory of 4184	1864	vHP12.exe	80
PID 1864 wrote to memory of 4184	1864	vHP12.exe	80
PID 4184 wrote to memory of 4928	4184	vPI31.exe	81
PID 4184 wrote to memory of 4928	4184	vPI31.exe	81
PID 4184 wrote to memory of 4928	4184	vPI31.exe	81
PID 4184 wrote to memory of 4064	4184	vPI31.exe	85
PID 4184 wrote to memory of 4064	4184	vPI31.exe	85
PID 4184 wrote to memory of 4064	4184	vPI31.exe	85
PID 4064 wrote to memory of 3484	4064	lIP13.exe	87
PID 4064 wrote to memory of 3484	4064	lIP13.exe	87
PID 4064 wrote to memory of 3484	4064	lIP13.exe	87
PID 4064 wrote to memory of 3484	4064	lIP13.exe	87
PID 4064 wrote to memory of 3484	4064	lIP13.exe	87
PID 1864 wrote to memory of 4740	1864	vHP12.exe	88
PID 1864 wrote to memory of 4740	1864	vHP12.exe	88
PID 1864 wrote to memory of 4740	1864	vHP12.exe	88
PID 4324 wrote to memory of 4812	4324	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe	90
PID 4324 wrote to memory of 4812	4324	36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe	90

C:\Users\Admin\AppData\Local\Temp\36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe
"C:\Users\Admin\AppData\Local\Temp\36038c268651d5d38375145474fc4ba567d06021e911d0eaa8289e8604b8cadd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP12.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vPI31.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vPI31.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djy69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djy69.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1940
        5⤵
        Program crash
        
        PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lIP13.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lIP13.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ntM82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ntM82.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\suh86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\suh86.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4928 -ip 4928
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\suh86.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\suh86.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP12.exe

Filesize
665KB

MD5
ad0446d6466dbbf3b547ecae5ba79409

SHA1
d057101929979c9bbc13ae0fea47461f2c23007a

SHA256
4d38eacaf6507b066d05b0541085b1109c8281af18307a5197a092cfcd174cc5

SHA512
0ba53e76e7864a3b5c55e4e3a307ec002fc6ea9f58f9bdb6d58247386f7724dec961dd9729124e3b5861741ead68499874c2c6d48cfaa2fe2fe59b4996e36a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP12.exe

Filesize
665KB

MD5
ad0446d6466dbbf3b547ecae5ba79409

SHA1
d057101929979c9bbc13ae0fea47461f2c23007a

SHA256
4d38eacaf6507b066d05b0541085b1109c8281af18307a5197a092cfcd174cc5

SHA512
0ba53e76e7864a3b5c55e4e3a307ec002fc6ea9f58f9bdb6d58247386f7724dec961dd9729124e3b5861741ead68499874c2c6d48cfaa2fe2fe59b4996e36a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ntM82.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ntM82.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vPI31.exe

Filesize
520KB

MD5
89c0505192ccbb1fc35ba1977c6719ac

SHA1
4995012ab1151a67e9c4dff038b4092bad73a39e

SHA256
04dedf12f14ad715727102b12d1001ac4e108ee38ca776bd287a66ec00b048f6

SHA512
c60730dc0a5d0d02826d29783ed69f6287e93401304183f609c8573ff2e723ea60b760bf9818dea948b33fbed588faa640d05232e54262e96a4609206b9c4949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vPI31.exe

Filesize
520KB

MD5
89c0505192ccbb1fc35ba1977c6719ac

SHA1
4995012ab1151a67e9c4dff038b4092bad73a39e

SHA256
04dedf12f14ad715727102b12d1001ac4e108ee38ca776bd287a66ec00b048f6

SHA512
c60730dc0a5d0d02826d29783ed69f6287e93401304183f609c8573ff2e723ea60b760bf9818dea948b33fbed588faa640d05232e54262e96a4609206b9c4949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djy69.exe

Filesize
306KB

MD5
b509da29c8331e51a50faa3fe77bf4cc

SHA1
6f56b7cfa494f0a1be2e5f894c1d709944d531b1

SHA256
036b5933d5f9e36fa2ae69e5f96e02a53cb70156fe573670fcd8ccf1ea6aeafe

SHA512
108f3b2dc6b2f842960055b21cfa6a3cbaeb6e8e89b889c1e0f8e237c103658e5cc328a077a2ff188099659c0f450cfb48321c86223e3b70f4cb275e857d35a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djy69.exe

Filesize
306KB

MD5
b509da29c8331e51a50faa3fe77bf4cc

SHA1
6f56b7cfa494f0a1be2e5f894c1d709944d531b1

SHA256
036b5933d5f9e36fa2ae69e5f96e02a53cb70156fe573670fcd8ccf1ea6aeafe

SHA512
108f3b2dc6b2f842960055b21cfa6a3cbaeb6e8e89b889c1e0f8e237c103658e5cc328a077a2ff188099659c0f450cfb48321c86223e3b70f4cb275e857d35a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lIP13.exe

Filesize
281KB

MD5
4f7302c3f372c146e2dd87a7ea481f31

SHA1
c1f39c30a4138440399ae1c566cd414b2a4dd459

SHA256
6c9f8de22f30f2d8ddf1fa04c975d2832f6455e546a5ac1e923e76016ffa66e3

SHA512
a9a355bef77e741cb4b5040480960e0509d5c2ebcc866ad81a448bd24096fafa4962d02f76f365f8714bb8f41bbff28320566ce049746e3857c4353029140312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lIP13.exe

Filesize
281KB

MD5
4f7302c3f372c146e2dd87a7ea481f31

SHA1
c1f39c30a4138440399ae1c566cd414b2a4dd459

SHA256
6c9f8de22f30f2d8ddf1fa04c975d2832f6455e546a5ac1e923e76016ffa66e3

SHA512
a9a355bef77e741cb4b5040480960e0509d5c2ebcc866ad81a448bd24096fafa4962d02f76f365f8714bb8f41bbff28320566ce049746e3857c4353029140312

Download Submit
memory/3484-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4740-170-0x00000000001C0000-0x00000000001F2000-memory.dmp

Filesize
200KB

Download
memory/4812-174-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/4812-176-0x00007FFDDFA80000-0x00007FFDE0541000-memory.dmp

Filesize
10.8MB

Download
memory/4812-175-0x00007FFDDFA80000-0x00007FFDE0541000-memory.dmp

Filesize
10.8MB

Download
memory/4928-142-0x0000000000650000-0x000000000069B000-memory.dmp

Filesize
300KB

Download
memory/4928-156-0x00000000008A1000-0x00000000008CF000-memory.dmp

Filesize
184KB

Download
memory/4928-157-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4928-155-0x00000000067E0000-0x0000000006D0C000-memory.dmp

Filesize
5.2MB

Download
memory/4928-154-0x0000000006610000-0x00000000067D2000-memory.dmp

Filesize
1.8MB

Download
memory/4928-153-0x00000000008A1000-0x00000000008CF000-memory.dmp

Filesize
184KB

Download
memory/4928-152-0x0000000006590000-0x00000000065E0000-memory.dmp

Filesize
320KB

Download
memory/4928-151-0x0000000006500000-0x0000000006576000-memory.dmp

Filesize
472KB

Download
memory/4928-150-0x0000000006320000-0x00000000063B2000-memory.dmp

Filesize
584KB

Download
memory/4928-149-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4928-148-0x0000000005970000-0x00000000059AC000-memory.dmp

Filesize
240KB

Download
memory/4928-147-0x0000000005950000-0x0000000005962000-memory.dmp

Filesize
72KB

Download
memory/4928-146-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/4928-145-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/4928-144-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/4928-143-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/4928-141-0x00000000008A1000-0x00000000008CF000-memory.dmp

Filesize
184KB

Download