Analysis
  max time kernel: 140s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-03-2023 22:24
  Static task: static1
  Behavioral task: behavioral1
    Sample: a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe
    Resource: win10v2004-20230220-en
General
  Target: a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe
  Size: 693KB
  MD5: e4f864be71a5fd2a2471cb89e65cfb57
  SHA1: 246981954d84c65ced4e824d0545be7426aae359
  SHA256: a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b
  SHA512: 2b122794fae7da2886823c821e8afd10ae66c91df61265950402dc0b3ebad5a53265067203985f75d118b7a954309a10a04bc9419ff3ec4af470758bbf391d9a
  SSDEEP: 12288:fMr9y90KnEY12wvT8z1kpUomZI9Yyw9m/7G3nmI/7akbDL8l:+yFEcTGG5s9bK7Ktr8l
Malware Config
  Extracted
    Family: redline
    Botnet: ruzhpe
    C2: pepunn.com:4162
    auth_value: f735ced96ae8d01d0bd1d514240e54e0
  Extracted
    Family: redline
    Botnet: fchan
    C2: pepunn.com:4162
    auth_value: 127bd53d55e8c4f0dd2f6e1ea60deef4
Signatures

Modifies Windows Defender Real-time Protection settings
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | urEg06bH51.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | urEg06bH51.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | urEg06bH51.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | urEg06bH51.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | urEg06bH51.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | urEg06bH51.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
  Resource | YARA rule
  behavioral1/memory/3964-192-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-193-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-195-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-197-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-199-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-201-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-203-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-205-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-207-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-209-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-211-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-213-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-215-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-217-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-219-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-221-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-223-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-225-0x0000000007330000-0x0000000007340000-memory.dmp | family_redline
  behavioral1/memory/3964-228-0x00000000071C0000-0x00000000071FE000-memory.dmp | family_redline
  behavioral1/memory/3964-1112-0x0000000007330000-0x0000000007340000-memory.dmp | family_redline
Executes dropped EXE (4 IoCs)
  PID | Process
  2736 | ycvx99Yd45.exe
  4796 | urEg06bH51.exe
  3964 | wrVn47ZH41.exe
  4992 | xuqy89xU94.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | urEg06bH51.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | urEg06bH51.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ycvx99Yd45.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ycvx99Yd45.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe (1 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID | Process
  4640 | sc.exe
Program crash (2 IoCs)
  PID | pid_target | Process | procid_target
  4712 | 4796 | WerFault.exe | 86
  3200 | 3964 | WerFault.exe | 97
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID | Process
  4796 | urEg06bH51.exe
  4796 | urEg06bH51.exe
  3964 | wrVn47ZH41.exe
  3964 | wrVn47ZH41.exe
  4992 | xuqy89xU94.exe
  4992 | xuqy89xU94.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 4796 | urEg06bH51.exe
  Token: SeDebugPrivilege | 3964 | wrVn47ZH41.exe
  Token: SeDebugPrivilege | 4992 | xuqy89xU94.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description | PID | Process | procid_target
  PID 4476 wrote to memory of 2736 | 4476 | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe | 85
  PID 4476 wrote to memory of 2736 | 4476 | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe | 85
  PID 4476 wrote to memory of 2736 | 4476 | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe | 85
  PID 2736 wrote to memory of 4796 | 2736 | ycvx99Yd45.exe | 86
  PID 2736 wrote to memory of 4796 | 2736 | ycvx99Yd45.exe | 86
  PID 2736 wrote to memory of 4796 | 2736 | ycvx99Yd45.exe | 86
  PID 2736 wrote to memory of 3964 | 2736 | ycvx99Yd45.exe | 97
  PID 2736 wrote to memory of 3964 | 2736 | ycvx99Yd45.exe | 97
  PID 2736 wrote to memory of 3964 | 2736 | ycvx99Yd45.exe | 97
  PID 4476 wrote to memory of 4992 | 4476 | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe | 101
  PID 4476 wrote to memory of 4992 | 4476 | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe | 101
  PID 4476 wrote to memory of 4992 | 4476 | a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe | 101
Processes

* C:\Users\Admin\AppData\Local\Temp\a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6b2801b074d71729663602a1dc8cd75fea0b7c4d59268a1b5dbe93c9269d02b.exe"
  PID: 4476
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    * C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycvx99Yd45.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycvx99Yd45.exe
      PID: 2736
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        * C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urEg06bH51.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urEg06bH51.exe
          PID: 4796
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            * C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1076
              PID: 4712
              - Program crash

        * C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrVn47ZH41.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrVn47ZH41.exe
          PID: 3964
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            * C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1940
              PID: 3200
              - Program crash

    * C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuqy89xU94.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuqy89xU94.exe
      PID: 4992
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

* C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4796 -ip 4796
  PID: 1304

* C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3964 -ip 3964
  PID: 3228

* C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 4640
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 175KB
  MD5: e19d994fcb8a0791c19fc1853cd8d4da
  SHA1: 3b433a9486740ce4956ba89ed3b051f0efe0c2f9
  SHA256: b4ef53d7bfb5d952c6f2ef004cf0a5b8881b1dc12979136dc5c7a173bb26ad90
  SHA512: 68eff9f7362b495d10adbb1cdac888e88c3bfec8051d4105bc4fdb8435812e59c30a8f1416d8487168cad345399663616f70f29231573762439ef8033ecb798e

  Filesize: 549KB
  MD5: 15514ddca2f6e550d8332f7dd5b00e85
  SHA1: db27abf3d463564a8157893a0ebadfac703e8b66
  SHA256: f5787d667e074c4c643bdb69843b33c25a96790ce2da4f457eef87b2cf217b26
  SHA512: 19c3a7de1f63e3021b0687f1f23025a75281f5ce2e3dfded6a18043c55063877e964ab1a0e497f51adb1a8f6710fe32eec5f7ab06608f7f54f12d5ed2d9e4e6c

  Filesize: 350KB
  MD5: e51e74d094b076776b0169ed1a54d0a3
  SHA1: 0e6f8f2fc33bed2e1d0768ae674e0e4b182085b2
  SHA256: 6e25bad8749aa05160afd2dfe3a01906f424ca495518c70cebc2d3ef5930521b
  SHA512: d04434571bf1c971c350fb13e54b4a6d6bc96b1443a45ba2a0124c5d903f0f17287fd8ea54c94e1d06ec302242275900819807559318f16fac28c6f6e6a3ff5f

  Filesize: 409KB
  MD5: 67530ca401a21e9021983dd91b37c971
  SHA1: 059cc53f7d897b6e0b9072274cb964ab547489a9
  SHA256: 3b8cd7237a32fdb861ebd4c8243729f969a0355e4554832f73d8ab0ee3871b9a
  SHA512: 0b8f93e0d38b8bf6fab4adb7c1ecd05da3c354acd94e9f02c48ef8f822be328d6e2c558806e732a840178ec2d0c32daf718f372a6040403353565196ce231b78