Analysis
-
max time kernel
145s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
19-03-2023 02:07
General
-
Target
625a6e5301d0160f38945cff9a8338838461d5f3e2f3fe2bf1b3b35536f6baee.exe
-
Size
851KB
-
MD5
2253bd37a78f6c6022986a3fbeeedfd2
-
SHA1
27ada82b4dbae9e5359f6762bc5d293aeb81ff11
-
SHA256
625a6e5301d0160f38945cff9a8338838461d5f3e2f3fe2bf1b3b35536f6baee
-
SHA512
884cc1feb1d987da5e065b6bed6c66ca2cc766e36f32f5ce04716608aebf6cc872af0d050cd3c1db1810a30e2bcf8ddd42a1fbbd3e734c903de3cdc3db43dd3c
-
SSDEEP
12288:iMrcy907WFdAu6sbI37fpIR+4D+5M/SRQwxEs+S4qAB/aSw4:yyRM+qp6+4MM/SRQ/soBySw4
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
ruka
193.233.20.28:4125
-
auth_value
5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\625a6e5301d0160f38945cff9a8338838461d5f3e2f3fe2bf1b3b35536f6baee.exe"C:\Users\Admin\AppData\Local\Temp\625a6e5301d0160f38945cff9a8338838461d5f3e2f3fe2bf1b3b35536f6baee.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8928.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8928.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3313.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3313.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3778WK.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3778WK.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h54HH69.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h54HH69.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSmmZ67.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSmmZ67.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 16884⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49lr24.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49lr24.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4516 -ip 45161⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49lr24.exeFilesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l49lr24.exeFilesize
175KB
MD56c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8928.exeFilesize
709KB
MD5ce1a2e84f63efc8479b7b34751a1c208
SHA1e1e9fa3246eb545a7e16bf449641fecbbca87663
SHA2564a3130f1db10be4d6e59329e4b2696af19d98275ac7c684ef14074b53e2caec8
SHA512e57817d0d6692721b7d8cd3b818a9c37bcf024cd6739e4b53bc55dbf3f3b7a0a68624967a5b826530c268c3e477ec376859c88885f6b37446f1a9076e16c7575
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8928.exeFilesize
709KB
MD5ce1a2e84f63efc8479b7b34751a1c208
SHA1e1e9fa3246eb545a7e16bf449641fecbbca87663
SHA2564a3130f1db10be4d6e59329e4b2696af19d98275ac7c684ef14074b53e2caec8
SHA512e57817d0d6692721b7d8cd3b818a9c37bcf024cd6739e4b53bc55dbf3f3b7a0a68624967a5b826530c268c3e477ec376859c88885f6b37446f1a9076e16c7575
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSmmZ67.exeFilesize
391KB
MD5cdaff4197ab3430003a103fb8cafc571
SHA1ba7c08139e8f08028f9703e61355c05d1793fdcc
SHA25602f53d620a2e1138af9a7ef05438a43d91e8695b0bdcb086b1c40e5c94df50fe
SHA512d131e558205fc669288e458ec77d42f64b1aeeb5877edf2aa29683e0532a2b050b7eecb99917ffc15c476c11a7b1e28c69598de6cb4ad7a1749897e02cdbcac4
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iSmmZ67.exeFilesize
391KB
MD5cdaff4197ab3430003a103fb8cafc571
SHA1ba7c08139e8f08028f9703e61355c05d1793fdcc
SHA25602f53d620a2e1138af9a7ef05438a43d91e8695b0bdcb086b1c40e5c94df50fe
SHA512d131e558205fc669288e458ec77d42f64b1aeeb5877edf2aa29683e0532a2b050b7eecb99917ffc15c476c11a7b1e28c69598de6cb4ad7a1749897e02cdbcac4
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3313.exeFilesize
358KB
MD5f20ab0cb823113f15fcf6aadf85f5648
SHA1c84f912f62e6d6daacc1116ddeb5ce559d9345ab
SHA2565533d1afbc625cfcdc16b1b7436853b5935d2c9e332ff35d6ee6a2440b367afc
SHA512e445e0cd431933c333c90c2c895bdda2766658ae94b9349c8856f42cc4cbe215a73c8c17aa5e35c61f91388aad3435e1cebec875671cb86bed458c80467d25eb
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba3313.exeFilesize
358KB
MD5f20ab0cb823113f15fcf6aadf85f5648
SHA1c84f912f62e6d6daacc1116ddeb5ce559d9345ab
SHA2565533d1afbc625cfcdc16b1b7436853b5935d2c9e332ff35d6ee6a2440b367afc
SHA512e445e0cd431933c333c90c2c895bdda2766658ae94b9349c8856f42cc4cbe215a73c8c17aa5e35c61f91388aad3435e1cebec875671cb86bed458c80467d25eb
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3778WK.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3778WK.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h54HH69.exeFilesize
371KB
MD5aed163383fd11ad810a8710c1704d30e
SHA1489cb2b54769e4563fe322afd63c9dcdcf924ade
SHA2560a940c0bf94b42e85f6608ca9de0bedc2f1399010cddd45692ad71b2e850974d
SHA5126ffbf123f9aa221dda54edb3e230a6e1606e932a0ee7b86e8732788357fdc9f079c82086f78309a2b0a7be8963e72dd54019fec8f37ebe7980c39be8472b3710
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h54HH69.exeFilesize
371KB
MD5aed163383fd11ad810a8710c1704d30e
SHA1489cb2b54769e4563fe322afd63c9dcdcf924ade
SHA2560a940c0bf94b42e85f6608ca9de0bedc2f1399010cddd45692ad71b2e850974d
SHA5126ffbf123f9aa221dda54edb3e230a6e1606e932a0ee7b86e8732788357fdc9f079c82086f78309a2b0a7be8963e72dd54019fec8f37ebe7980c39be8472b3710
-
memory/648-1136-0x00000000054A0000-0x00000000054B0000-memory.dmpFilesize
64KB
-
memory/648-1135-0x0000000000B90000-0x0000000000BC2000-memory.dmpFilesize
200KB
-
memory/2508-154-0x0000000000240000-0x000000000024A000-memory.dmpFilesize
40KB
-
memory/4516-240-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-1116-0x0000000008070000-0x00000000080AC000-memory.dmpFilesize
240KB
-
memory/4516-1128-0x000000000A6F0000-0x000000000A740000-memory.dmpFilesize
320KB
-
memory/4516-1127-0x0000000004BA0000-0x0000000004C16000-memory.dmpFilesize
472KB
-
memory/4516-1126-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-1125-0x000000000A0A0000-0x000000000A5CC000-memory.dmpFilesize
5.2MB
-
memory/4516-1124-0x0000000009ED0000-0x000000000A092000-memory.dmpFilesize
1.8MB
-
memory/4516-1123-0x00000000083F0000-0x0000000008456000-memory.dmpFilesize
408KB
-
memory/4516-1122-0x0000000008350000-0x00000000083E2000-memory.dmpFilesize
584KB
-
memory/4516-1121-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-1120-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-1119-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-1117-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-1115-0x0000000008050000-0x0000000008062000-memory.dmpFilesize
72KB
-
memory/4516-1114-0x0000000007F40000-0x000000000804A000-memory.dmpFilesize
1.0MB
-
memory/4516-1113-0x0000000007920000-0x0000000007F38000-memory.dmpFilesize
6.1MB
-
memory/4516-238-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-236-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-234-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-232-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-230-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-203-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-204-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-206-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-208-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-210-0x0000000004630000-0x000000000467B000-memory.dmpFilesize
300KB
-
memory/4516-213-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-212-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-211-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-215-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4516-218-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-216-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-220-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-222-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-224-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-226-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4516-228-0x0000000004CA0000-0x0000000004CDE000-memory.dmpFilesize
248KB
-
memory/4796-186-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-196-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4796-167-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-197-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4796-184-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-162-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-195-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4796-180-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-192-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-171-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-188-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-190-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-198-0x0000000000400000-0x0000000002B0C000-memory.dmpFilesize
39.0MB
-
memory/4796-169-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-193-0x0000000000400000-0x0000000002B0C000-memory.dmpFilesize
39.0MB
-
memory/4796-182-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-176-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4796-178-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-175-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-174-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4796-173-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4796-163-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-165-0x0000000004B90000-0x0000000004BA2000-memory.dmpFilesize
72KB
-
memory/4796-161-0x00000000070A0000-0x0000000007644000-memory.dmpFilesize
5.6MB
-
memory/4796-160-0x0000000002F00000-0x0000000002F2D000-memory.dmpFilesize
180KB