Analysis
max time kernel: 143s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2023, 08:38
Static task: static1
Behavioral task: behavioral1
Sample: b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe
Resource: win10v2004-20230220-en
General
Target: b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe
Size: 569KB
MD5: 0d8da5a7fab3bcf3e887e53e9b01ffb2
SHA1: 5e6e9548a487eb0700c188149455b2ee70bffac0
SHA256: b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89
SHA512: 1b99f30646b82345a14b15a6335e1307f18ae52409c0f3b6ea6a9ab2b3a2057d0693c58eaa94c94270c15e519cadac18c25943bff48734ce36544ae00ca5fca9
SSDEEP: 12288:LMrfy90dahimz7AuxqVgVQWL1ZOQ3F3712yGgwB:wyUsVAuxYgq6ZOQ3F37Yp
Malware Config
Extracted
Family: redline
Botnet: fud
C2: 193.233.20.27:4123
auth_value: cddc991efd6918ad5321d80dac884b40
Signatures
Modifies Windows Defender Real-time Protection settings
description      ioc                                                                                                                          Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   r0736zC.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  r0736zC.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                    r0736zC.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    r0736zC.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        r0736zC.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    r0736zC.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
Executes dropped EXE 2 IoCs
pid   Process
936   r0736zC.exe
4528  w99vf62.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Windows security modification
description      ioc                                                                                        Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                  r0736zC.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  r0736zC.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                   Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce        b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid   pid_target  Process       procid_target
4904  936         WerFault.exe  86
4584  4528        WerFault.exe  92
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
936   r0736zC.exe
936   r0736zC.exe
4528  w99vf62.exe
4528  w99vf62.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  936   r0736zC.exe
Token: SeDebugPrivilege  4528  w99vf62.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                                                                 procid_target
PID 3036 wrote to memory of 936   3036  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe  86
PID 3036 wrote to memory of 936   3036  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe  86
PID 3036 wrote to memory of 936   3036  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe  86
PID 3036 wrote to memory of 4528  3036  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe  92
PID 3036 wrote to memory of 4528  3036  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe  92
PID 3036 wrote to memory of 4528  3036  b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe  92
Processes
C:\Users\Admin\AppData\Local\Temp\b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3036
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0736zC.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0736zC.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:936
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1084
          - Program crash
          PID:4904
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w99vf62.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w99vf62.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4528
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1376
          - Program crash
          PID:4584
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 936 -ip 936
  PID:756
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4528 -ip 4528
  PID:3844
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 322KB
MD5: 8141937b23cd1895e561d8e90fdeeff3
SHA1: 6f810e9e480564f5837461f8ccdd07c951a1bece
SHA256: ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6
SHA512: 40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec
Filesize: 301KB
MD5: bd7d0997d92b4372ed4df555af7feb35
SHA1: 98c793437da6a7593604a89fca61e9369192f417
SHA256: 5fb3491831556672c848f6eea070fa753aabb321f3eeb9cfef28e508bcf84bcd
SHA512: cf2a7fa34d3aeda08d39d391a31d1c5c8bd332a5e73ee8374c72be07aa379c81e24449a6572fdb7f1fa5d17de4df556fa1ccd0a4c1163083bd7500e34fcb1b8c