Overview

overview

10

Static

static

1

7384ad4b89...ad.exe

windows7-x64

10

7384ad4b89...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-02-2023 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7384ad4b89310f0e5ce7a561d7173bad.exe

  • Size

    480KB

  • MD5

    7384ad4b89310f0e5ce7a561d7173bad

  • SHA1

    ec9f9990704595941aa89cb7560ac74a0c71f3a2

  • SHA256

    bff73ef26c410d89b352b6f6a33897fce077d951db59735155ff6e7a0e71209c

  • SHA512

    12c8bb7b5729adad551fe2246fe1733f2a0d898e6f0ca3555f7ab909feca4e25cd9e5b5bd293d29bab688a6f3d1292e615c07925bb2909bdbfbaa0f87a757310

  • SSDEEP

    12288:gMrty90wu1GLaabMMpSYHAnd2SFiLCoRagTZe:9yDuEfeQS0Cost

Score
10/10
redlinecrnnfukiadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

redline

Botnet

crnn

C2

176.113.115.17:4132

Attributes
  • auth_value

    6dfbf5eac3db7046d55dfd3f6608be3f

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7384ad4b89310f0e5ce7a561d7173bad.exe
    "C:\Users\Admin\AppData\Local\Temp\7384ad4b89310f0e5ce7a561d7173bad.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1080
        3⤵
        • Program crash
        PID:2652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3492 -ip 3492
    1⤵
      PID:2380

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe
      Filesize

      247KB

      MD5

      0ef0dfd14f4136e407d971cfb57adf3f

      SHA1

      f7225981e833c73276fcb3569357f5c60312843a

      SHA256

      75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

      SHA512

      bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe
      Filesize

      247KB

      MD5

      0ef0dfd14f4136e407d971cfb57adf3f

      SHA1

      f7225981e833c73276fcb3569357f5c60312843a

      SHA256

      75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

      SHA512

      bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe
      Filesize

      202KB

      MD5

      c061012bed5bd45e89402b59eb1dc6c4

      SHA1

      79c55149fea496bf61cba88544650b641b9b8051

      SHA256

      43035d7ab2c5376cc32d33b94e513e6e70e52767095451a0ed557e644dcfbda0

      SHA512

      675096d0d8ed047e7346bdc9d4d5d593694332464257bf951b60533326152fe6c1a25b8612561b5b3050e7e2595911615bc990f1e4bd470abc2bd69d412f614f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe
      Filesize

      202KB

      MD5

      c061012bed5bd45e89402b59eb1dc6c4

      SHA1

      79c55149fea496bf61cba88544650b641b9b8051

      SHA256

      43035d7ab2c5376cc32d33b94e513e6e70e52767095451a0ed557e644dcfbda0

      SHA512

      675096d0d8ed047e7346bdc9d4d5d593694332464257bf951b60533326152fe6c1a25b8612561b5b3050e7e2595911615bc990f1e4bd470abc2bd69d412f614f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe
      Filesize

      175KB

      MD5

      a5f5c5d6291c7ae9e1d1b7ed1e551490

      SHA1

      3d06413341893b838549939e15f8f1eec423d71a

      SHA256

      1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

      SHA512

      d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe
      Filesize

      175KB

      MD5

      a5f5c5d6291c7ae9e1d1b7ed1e551490

      SHA1

      3d06413341893b838549939e15f8f1eec423d71a

      SHA256

      1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

      SHA512

      d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe
      Filesize

      175KB

      MD5

      062a3c73b1aaf076abefd71633b66de5

      SHA1

      e4b7e004c32d673fd61b1669c797dc4b207d8445

      SHA256

      f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

      SHA512

      6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe
      Filesize

      175KB

      MD5

      062a3c73b1aaf076abefd71633b66de5

      SHA1

      e4b7e004c32d673fd61b1669c797dc4b207d8445

      SHA256

      f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

      SHA512

      6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

      Download Submit

    • memory/2812-132-0x0000000000000000-mapping.dmp

      Download

    • memory/2872-146-0x00000000060E0000-0x0000000006156000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2872-139-0x00000000054F0000-0x0000000005B08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2872-143-0x0000000005330000-0x0000000005396000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2872-144-0x0000000005EC0000-0x0000000005F52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2872-145-0x0000000006510000-0x0000000006AB4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2872-141-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-147-0x0000000006160000-0x00000000061B0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2872-148-0x0000000006AC0000-0x0000000006C82000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2872-149-0x00000000071C0000-0x00000000076EC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2872-135-0x0000000000000000-mapping.dmp

      Download

    • memory/2872-140-0x0000000005070000-0x000000000517A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2872-142-0x0000000005000000-0x000000000503C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2872-138-0x0000000000710000-0x0000000000742000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3492-154-0x0000000000000000-mapping.dmp

      Download

    • memory/3492-157-0x00000000007C1000-0x00000000007E1000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3492-158-0x0000000000640000-0x000000000066D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3492-159-0x0000000000400000-0x000000000056F000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3492-160-0x00000000007C1000-0x00000000007E1000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3492-161-0x0000000000400000-0x000000000056F000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4100-153-0x0000000000150000-0x0000000000182000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4100-150-0x0000000000000000-mapping.dmp

      Download