Analysis
max time kernel: 77s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2023, 15:29
Static task: static1
Behavioral task: behavioral1
Sample: 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe
Resource: win10v2004-20230220-en
General
Target: 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe
Size: 696KB
MD5: 31a2cce84a65d262a8cf28bfc2ec4dc0
SHA1: e7e3ade7f1e9868a2be6add74f3b6bc6c3721f98
SHA256: 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc
SHA512: 040d89973091f57f602dfc671bc84de43666bb3b1e8fb64a8175fde97221d46c425583f7f764b7bc04089563287d03b510b5c14e55e7b27db7be333ad7348e3d
SSDEEP: 12288:rMrSy90eQKVK1001IFuFK2+Ctqg0wiwctvUVMLf4xjhl9QA:Ry2KVcnhFb+Ctqgow2/LQxjhQA
Malware Config
Two distinct RedLine configurations (different C2 endpoints and auth_value tokens) were extracted from this run.

Extracted: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23

Extracted: redline
Botnet: dezik
C2: 193.56.146.220:4174
auth_value: d39f21dca8edc10800b036ab83f4d75e
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | b3820KZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b3820KZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b3820KZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b3820KZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b3820KZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b3820KZ.exe
All six writes come from b3820KZ.exe (PID 1484), the same process that later enables SeDebugPrivilege. The paths sit under WOW6432Node, the registry view a 32-bit process gets on 64-bit Windows.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
yara_rule: family_redline
resource: behavioral1/memory/4372-N-0x00000000023A0000-0x00000000023DE000-memory.dmp, for N in 188, 189, 191, 193, 195, 197, 199, 201, 203, 205, 207, 209, 212, 215, 219, 221, 223, 225
All 18 hits are successive dumps of the same 0x3E000-byte region (0x023A0000-0x023DE000) in PID 4372 (c06Bs93.exe).
Executes dropped EXE 4 IoCs
pid | Process
628 | nxB6908HY.exe
1484 | b3820KZ.exe
4372 | c06Bs93.exe
2844 | dLSCl33.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | b3820KZ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | b3820KZ.exe
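Added example, not part of the Triage report and not code from the sample: a PowerShell check for the Defender registry values listed in the two tables above. The key paths and value names are the ones the report records for b3820KZ.exe; the function name Test-DefenderTampering and the Get-MpPreference cross-check are the editor's additions. Because the report shows the writes under WOW6432Node (the 32-bit view of the registry), the check reads both the native and the WOW6432Node path.

```powershell
# Editor-added example: audit a host for the Windows Defender registry changes
# observed in this analysis. Paths/values come from the report; everything else
# (function name, output shape) is an assumption of this example.

$Checks = @(
    # Policies\...\Real-Time Protection values the sample set to 1
    @{ Key = 'Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring';   Bad = 1 }
    @{ Key = 'Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableIOAVProtection';       Bad = 1 }
    @{ Key = 'Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection';   Bad = 1 }
    @{ Key = 'Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring';   Bad = 1 }
    @{ Key = 'Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableScanOnRealtimeEnable'; Bad = 1 }
    # Features\TamperProtection the sample set to 0
    @{ Key = 'Microsoft\Windows Defender\Features'; Name = 'TamperProtection'; Bad = 0 }
)

function Test-DefenderTampering {
    param([array]$Checks = $script:Checks)

    $hits = @()
    foreach ($c in $Checks) {
        # The report recorded the writes under WOW6432Node (32-bit view);
        # look at both views so neither a 32-bit nor a 64-bit writer is missed.
        foreach ($root in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
            $path = Join-Path $root $c.Key
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
                $hits += [pscustomobject]@{ Path = $path; Name = $c.Name; Value = $item.($c.Name) }
            }
        }
    }

    # Cross-check the state Defender itself reports, independent of which
    # registry view was written. Get-MpPreference is part of the Defender module.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.DisableRealtimeMonitoring) {
        $hits += [pscustomobject]@{ Path = 'Get-MpPreference'; Name = 'DisableRealtimeMonitoring'; Value = $true }
    }
    return $hits
}

$found = Test-DefenderTampering
if ($found.Count -eq 0) {
    'No Defender tampering values found.'
} else {
    $found | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell on the host under investigation. A hit on any row is a strong indicator on its own: these policy values are not set by default, and a TamperProtection value of 0 written outside of the Security Center UI is exactly what this sample does.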
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | nxB6908HY.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nxB6908HY.exe
Caveat: the wextract_cleanupN RunOnce values, the IXP00N.TMP directories and the advpack.dll,DelNodeRunDLL32 command are the standard footprint of a Windows IExpress (wextract) self-extracting package; the RunOnce entry deletes the temporary extraction directory at next logon rather than relaunching the payload. This signature therefore reflects the dropper's packaging, not persistence of the RedLine payload.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3452 | 4372 | WerFault.exe | 92
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1484 | b3820KZ.exe
1484 | b3820KZ.exe
4372 | c06Bs93.exe
4372 | c06Bs93.exe
2844 | dLSCl33.exe
2844 | dLSCl33.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1484 | b3820KZ.exe
Token: SeDebugPrivilege | 4372 | c06Bs93.exe
Token: SeDebugPrivilege | 2844 | dLSCl33.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 548 wrote to memory of 628 | 548 | 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe | 86 (recorded 3 times)
PID 628 wrote to memory of 1484 | 628 | nxB6908HY.exe | 87 (recorded 3 times)
PID 628 wrote to memory of 4372 | 628 | nxB6908HY.exe | 92 (recorded 3 times)
PID 548 wrote to memory of 2844 | 548 | 3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe | 99 (recorded 3 times)
Each WriteProcessMemory pair matches a parent-to-child process creation in the process tree (548 -> 628, 628 -> 1484, 628 -> 4372, 548 -> 2844); no write into an unrelated process was recorded.
Processes
(tree; nesting follows the ⤵ depth markers in the report)

C:\Users\Admin\AppData\Local\Temp\3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe  [PID 548, depth 1]
  command line: "C:\Users\Admin\AppData\Local\Temp\3c75f1591c4061d2111f8b6e0725f6bff1197cd3207222806a5d948b2bb9e1cc.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nxB6908HY.exe  [PID 628, depth 2]
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nxB6908HY.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3820KZ.exe  [PID 1484, depth 3]
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3820KZ.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c06Bs93.exe  [PID 4372, depth 3]
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c06Bs93.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe  [PID 3452, depth 4]
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1476
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dLSCl33.exe  [PID 2844, depth 2]
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dLSCl33.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  [PID 340, depth 1]
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4372 -ip 4372

The IXP000.TMP and IXP001.TMP directories are the extraction folders of nested Windows IExpress (wextract) self-extracting packages: the top-level sample unpacks to IXP000.TMP and runs nxB6908HY.exe and dLSCl33.exe, and nxB6908HY.exe in turn unpacks b3820KZ.exe and c06Bs93.exe to IXP001.TMP. c06Bs93.exe (PID 4372), the process whose memory matched the RedLine YARA rule, crashed during the run and was handled by the 32-bit WerFault.exe from SysWOW64.
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 92f2a148b8f701e50e2f838f73d4d7b7
SHA1: 324d8546e35d4f4285cac15b21620299ba5cb023
SHA256: 9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04
SHA512: 3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

Filesize: 552KB
MD5: 09909746c8c79a8b0bea4cd302192e8f
SHA1: c1770f36ed95c4e9a7332fae1f864e1e5cd3eef3
SHA256: 8c8488193254cb13e992ae794d8c2edb86bb25dd867839190c547979f0f0de9a
SHA512: b63312a83b848fca217c957f9c9cfdb06198c2b34edd4e34a459d6919fe13760d2a4e007bd7210847b8568da52e2fb8c65a5b2e53115e47dd840f4b95b407157

Filesize: 323KB
MD5: ee43881ab62092621b2d2e22a0295878
SHA1: 0339221e3f787602fea6a0541817565d751a293c
SHA256: 2764ed1001c0289c438398b43297206b64e883f65c34eec0418f809392bab22d
SHA512: df6b636d896665a3ec9ee572dc8dcb79169c02316741d9a693d7c09be7ce419e373b1c4d0635c8ecda95e936313750820fb97ee31111a005b334f44ec6112f6c

Filesize: 381KB
MD5: 79183f88b273bd94752126e28a74a872
SHA1: 4969ee7676f48a9c26c21da543322993704c403f
SHA256: 35c6bb7d3f63d1c1b25b5dba53cbbbc3b3876baf9c02688ca95768b2b4062f21
SHA512: c7f4663100fef6e7206b9f879afb6b1309460ef14af23444f9ef0e115e2d7892831e04dd4a344eac4d77654d400360223c45d1343638cf5f45edaefc1e569899