Analysis
max time kernel: 56s
max time network: 146s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13/02/2023, 15:09
Static task: static1
Behavioral task: behavioral1
Sample: dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe
Resource: win10-20220812-en
General
Target: dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe
Size: 474KB
MD5: 0132924603f08693b2754365a1982cfc
SHA1: c8f9a90879c88c0b999cb38331e4e44c99aec1dc
SHA256: dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095
SHA512: 9b2509a77ac24ee82933e9e093ead9418c8f80dc3bd168231350cc17f675b208e9ce6339a386d8dca9423fd3bb9df8a164c0ccb4fbff52f97a256d4b1d0315a1
SSDEEP: 6144:Kgy+bnr+Wp0yN90QEt/ooX0LQZ2XvSDsRI1XUUhZzOpH4al9w2z5EF33Oevl9jCq:sMruy90Ld86DsYhZGvOF3/d9jCq
Malware Config
Extracted: redline
Botnet: fusa
C2: 193.233.20.12:4132
auth_value: a08b2f01bd2af756e38c5dd60e87e697
Extracted: redline
Botnet: crnn
C2: 176.113.115.17:4132
auth_value: 6dfbf5eac3db7046d55dfd3f6608be3f
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | dJD11.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | dJD11.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dJD11.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | dJD11.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | dJD11.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 4 IoCs
pid | Process
4556 | nCV34.exe
1416 | bqD98.exe
2928 | cvn13CS.exe
4724 | dJD11.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | dJD11.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | dJD11.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | nCV34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nCV34.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1416 | bqD98.exe
1416 | bqD98.exe
2928 | cvn13CS.exe
2928 | cvn13CS.exe
4724 | dJD11.exe
4724 | dJD11.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1416 | bqD98.exe
Token: SeDebugPrivilege | 2928 | cvn13CS.exe
Token: SeDebugPrivilege | 4724 | dJD11.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2360 wrote to memory of 4556 | 2360 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | 66
PID 2360 wrote to memory of 4556 | 2360 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | 66
PID 2360 wrote to memory of 4556 | 2360 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | 66
PID 4556 wrote to memory of 1416 | 4556 | nCV34.exe | 67
PID 4556 wrote to memory of 1416 | 4556 | nCV34.exe | 67
PID 4556 wrote to memory of 1416 | 4556 | nCV34.exe | 67
PID 4556 wrote to memory of 2928 | 4556 | nCV34.exe | 69
PID 4556 wrote to memory of 2928 | 4556 | nCV34.exe | 69
PID 4556 wrote to memory of 2928 | 4556 | nCV34.exe | 69
PID 2360 wrote to memory of 4724 | 2360 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | 70
PID 2360 wrote to memory of 4724 | 2360 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | 70
PID 2360 wrote to memory of 4724 | 2360 | dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe | 70
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc013bb782e3ceeec5507ea108401b66a55ec30f435751350fe8c4dbc7cb9095.exe"
  PID: 2360
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nCV34.exe
    PID: 4556
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bqD98.exe
      PID: 1416
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvn13CS.exe
      PID: 2928
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dJD11.exe
    PID: 4724
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 235KB
MD5: 1dfaea61e3959f902a94287e95ee6824
SHA1: a303be2ea1744692c8bf527568100d2182ddf58a
SHA256: 1054db02a2bf17fa18d0f4422f9fa62893cd437bdb74d31225643b7c0c1861e6
SHA512: c69619f34be5345efd95a91d5771564651e521ff5cccad9b5ce694eed982344539bbfcb9f39bae0208b4a62c9215ca82f254715606a99cedabdf47ad0dcf7dd3

Filesize: 200KB
MD5: d901c40d66f39ce57245aebcc139a5ad
SHA1: 0cdfe58bce9a8c9abedc65610c744383406f8ede
SHA256: bd87b9d04c03d49359727f4d60bc77f1de2411ff7b619dc593c18dabf9ef4c09
SHA512: 4a5a66abe4db90bf14034113bcaf383a264fafbf1cfa236afb427acb9d0e45c07f73e47cc9b9c8f5ec111a1e5c5a00ae3f9ea2b24a061a05b2961824c05839ed

Filesize: 175KB
MD5: da6f3bef8abc85bd09f50783059964e3
SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Filesize: 175KB
MD5: 062a3c73b1aaf076abefd71633b66de5
SHA1: e4b7e004c32d673fd61b1669c797dc4b207d8445
SHA256: f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881
SHA512: 6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3