Analysis
-
max time kernel
144s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/03/2023, 15:17
General
-
Target
311dd0813811cc4fdda68ec17f64e7b2935427a1c8cd98832622659bb6855f67.exe
-
Size
560KB
-
MD5
8768adcbd96198129dc4f49e8cde9514
-
SHA1
0fb4c61eec53055dba98c84cee1720ccf84c3c83
-
SHA256
311dd0813811cc4fdda68ec17f64e7b2935427a1c8cd98832622659bb6855f67
-
SHA512
68d7806639fe01539670c13dbb7b667045c710c0ace139d590837c0e9ba929b89b1b1aa88cedd21cb7cb715d01e767896da63d61fecf747368b37a85284830f2
-
SSDEEP
12288:KMrty906c9eCrV5ZXd9gj2618pyt7T6D4y9bx6CUKLlL0juB:ryxLgV3tB618At7T6DL9bx6QlL0juB
Malware Config
Extracted
redline
fud
193.233.20.27:4123
-
auth_value
cddc991efd6918ad5321d80dac884b40
Extracted
redline
fabio
193.233.20.27:4123
-
auth_value
56b82736c3f56b13be8e64c87d2cf9e5
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\311dd0813811cc4fdda68ec17f64e7b2935427a1c8cd98832622659bb6855f67.exe"C:\Users\Admin\AppData\Local\Temp\311dd0813811cc4fdda68ec17f64e7b2935427a1c8cd98832622659bb6855f67.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhFX9612qz.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhFX9612qz.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf87rZ39ee08.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf87rZ39ee08.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03Gc32Hg44.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03Gc32Hg44.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 13364⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhqf97yQ45Ep.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhqf97yQ45Ep.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4124 -ip 41241⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD5e3c2b0b24606c528e4b299d99ebb48de
SHA1882527eb9cafa8e183c448f7f361885b7e8aa476
SHA2562866ad53173ee0ac649b6bd01d5670e4c6a33431b8b734ee59620b3114efa5be
SHA512204561e18bab8ee2b9fceed170cd15a93e589f2850c40b23a65f0aca5292cd70154d879c4dea5e191e0a392c408757ce08b6ef342fdb2ae77373e9b4b79a1a82
-
Filesize
176KB
MD5e3c2b0b24606c528e4b299d99ebb48de
SHA1882527eb9cafa8e183c448f7f361885b7e8aa476
SHA2562866ad53173ee0ac649b6bd01d5670e4c6a33431b8b734ee59620b3114efa5be
SHA512204561e18bab8ee2b9fceed170cd15a93e589f2850c40b23a65f0aca5292cd70154d879c4dea5e191e0a392c408757ce08b6ef342fdb2ae77373e9b4b79a1a82
-
Filesize
416KB
MD5b5cff4df27006ae5ef494d3528fd7bd5
SHA19327a1adbc79217fd15c7b2529448b95355023aa
SHA2567389ff2ccbe018527f0d762d7a756fe15728444cef8b89ff8d31768cbf413673
SHA512999be4d3d05c17e84b0622e761190758fa99f85c06b383d01acce122f0ee1be31c9e9d434d600b69efd7ef0a20442d426bbb6c265dd50ad9532ed9ee547ec946
-
Filesize
416KB
MD5b5cff4df27006ae5ef494d3528fd7bd5
SHA19327a1adbc79217fd15c7b2529448b95355023aa
SHA2567389ff2ccbe018527f0d762d7a756fe15728444cef8b89ff8d31768cbf413673
SHA512999be4d3d05c17e84b0622e761190758fa99f85c06b383d01acce122f0ee1be31c9e9d434d600b69efd7ef0a20442d426bbb6c265dd50ad9532ed9ee547ec946
-
Filesize
11KB
MD5b93d9605e5d7ae3649220f8d4041d132
SHA1c92887c08e453726268f7ded389418521c890f1b
SHA2560ef98d0f4ef8ba99c8b1c10e490a17a493e2e613f9a48aa2ca76f291fe45784b
SHA512e363a0c043f6d7f3d932b47b28da33cca77f55aa92904a26e2468d22821e8ba7d843a736e4158249ea6fb9fde908997c8dad6a474d1f0313df060e8fab2c6aa7
-
Filesize
11KB
MD5b93d9605e5d7ae3649220f8d4041d132
SHA1c92887c08e453726268f7ded389418521c890f1b
SHA2560ef98d0f4ef8ba99c8b1c10e490a17a493e2e613f9a48aa2ca76f291fe45784b
SHA512e363a0c043f6d7f3d932b47b28da33cca77f55aa92904a26e2468d22821e8ba7d843a736e4158249ea6fb9fde908997c8dad6a474d1f0313df060e8fab2c6aa7
-
Filesize
416KB
MD53298bce398b0b8db15538825fc22ec70
SHA197382a7c1ec70bd6549554c69ae3a8b18daddc9c
SHA256c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd
SHA5124bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737
-
Filesize
416KB
MD53298bce398b0b8db15538825fc22ec70
SHA197382a7c1ec70bd6549554c69ae3a8b18daddc9c
SHA256c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd
SHA5124bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
40KB