Overview

overview

10

Static

static

1

9f2a2fc1dd...e4.exe

windows7-x64

10

9f2a2fc1dd...e4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f2a2fc1dda81f7747cf49a1999b87e4.exe

  • Size

    866KB

  • MD5

    9f2a2fc1dda81f7747cf49a1999b87e4

  • SHA1

    5abdc7ab4c726665bccb0f1557faa860455852ff

  • SHA256

    6abbeec35a40919325f069ec47dccfc1b6d4132ef0f9114acc19778f1cfd21ea

  • SHA512

    7e37517c6fc135fd3905d8851b73e82df160fb03dcfc23c44562b9aa68c8a5a887d4924ab1557ef6e3a57217252ab7b0fdf7adaa4ca21889a48ee6ffda7d7e1b

  • SSDEEP

    12288:xMrBy90He3BbmlZh5uxsbqVTb149z0Tf3R0f8332Jtzs6j/cRJp/Y+62uSD+R1Mb:4yo4FWLWV1+z0Tq0nEtzvcRJmCDlmc

Score
10/10
redlinegenarelondiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gena

C2

193.233.20.30:4125

Attributes
  • auth_value

    93c20961cb6b06b2d5781c212db6201e

Extracted

Family

redline

Botnet

relon

C2

193.233.20.30:4125

Attributes
  • auth_value

    17da69809725577b595e217ba006b869

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f2a2fc1dda81f7747cf49a1999b87e4.exe
    "C:\Users\Admin\AppData\Local\Temp\9f2a2fc1dda81f7747cf49a1999b87e4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9853.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9853.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9775.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9775.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5609il.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5609il.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1272
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c30JV57.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c30JV57.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dpaPD71.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dpaPD71.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1840
          4⤵
          • Program crash
          PID:820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e97ID96.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e97ID96.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4876 -ip 4876
    1⤵
      PID:972
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:1468

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e97ID96.exe
      Filesize

      175KB

      MD5

      6fbff2d7c9ba7f0a71f02a5c70df9dfc

      SHA1

      003da0075734cd2d7f201c5b0e4779b8e1f33621

      SHA256

      cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

      SHA512

      25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e97ID96.exe
      Filesize

      175KB

      MD5

      6fbff2d7c9ba7f0a71f02a5c70df9dfc

      SHA1

      003da0075734cd2d7f201c5b0e4779b8e1f33621

      SHA256

      cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3

      SHA512

      25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9853.exe
      Filesize

      721KB

      MD5

      26ebfd9c205fcefcf63ed869b401f52b

      SHA1

      f5fb4e23ec254ca4d678b6bde2d75a63f28052fd

      SHA256

      4160bd15b0817eb6b122dd27cc15ceae6e398a12155ac6e618afad8dabdc83d9

      SHA512

      344e9d0cdd68e7ce55a4fa27e0a45bd254fc02ba724c3613382351009d3c7f973e132125718adecb788e36bd58ee91dc51a4b232ff48253cb54a0709335c6f9a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice9853.exe
      Filesize

      721KB

      MD5

      26ebfd9c205fcefcf63ed869b401f52b

      SHA1

      f5fb4e23ec254ca4d678b6bde2d75a63f28052fd

      SHA256

      4160bd15b0817eb6b122dd27cc15ceae6e398a12155ac6e618afad8dabdc83d9

      SHA512

      344e9d0cdd68e7ce55a4fa27e0a45bd254fc02ba724c3613382351009d3c7f973e132125718adecb788e36bd58ee91dc51a4b232ff48253cb54a0709335c6f9a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dpaPD71.exe
      Filesize

      391KB

      MD5

      34506dbc96d1f09df75a08a6296a9360

      SHA1

      72946d6177c42f1522251e0d8535e75e4de37ca8

      SHA256

      1fc305bd660a80cd21dd7adb484d96284ef8d8898557a5c6e454bdfce70686c6

      SHA512

      877a2b1f73c3d79ea9e6e5caf3be87ee2c49de0c779741e6c67d96021f269d89f1406d5c52b58fe817dd969d7b43ca04ebf3c44d3214bcdc270531b772eefb3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dpaPD71.exe
      Filesize

      391KB

      MD5

      34506dbc96d1f09df75a08a6296a9360

      SHA1

      72946d6177c42f1522251e0d8535e75e4de37ca8

      SHA256

      1fc305bd660a80cd21dd7adb484d96284ef8d8898557a5c6e454bdfce70686c6

      SHA512

      877a2b1f73c3d79ea9e6e5caf3be87ee2c49de0c779741e6c67d96021f269d89f1406d5c52b58fe817dd969d7b43ca04ebf3c44d3214bcdc270531b772eefb3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9775.exe
      Filesize

      368KB

      MD5

      ca54334bd51c57e7decdb1ad786f8dc0

      SHA1

      ab8202995ace7d8eb8a14a5070190d86e192e646

      SHA256

      66e341cb8bd750366cd87fd807fa174e5401a7b14fae708364acf0ccd5e5d6a3

      SHA512

      bba5c6e12e090a5f898cb1f804127b15819265eb10dfac131a2810503057b83f2cf257eebd3525c0c20a87db07d2ee06d9ab5ee7fa26b5804ddb59cc68977100

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9775.exe
      Filesize

      368KB

      MD5

      ca54334bd51c57e7decdb1ad786f8dc0

      SHA1

      ab8202995ace7d8eb8a14a5070190d86e192e646

      SHA256

      66e341cb8bd750366cd87fd807fa174e5401a7b14fae708364acf0ccd5e5d6a3

      SHA512

      bba5c6e12e090a5f898cb1f804127b15819265eb10dfac131a2810503057b83f2cf257eebd3525c0c20a87db07d2ee06d9ab5ee7fa26b5804ddb59cc68977100

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5609il.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5609il.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c30JV57.exe
      Filesize

      371KB

      MD5

      56ba78d46d205b34297e21562bf7b3d9

      SHA1

      019d574df9d64d5f6f41c8902982c865b415bd4d

      SHA256

      061316f7deaa9dbf1739d4cf77926a8d5368aa22b9c5dbbc034c53894511d05a

      SHA512

      aecf463501b9e58432a0ca4079297f1fe77cd9ba183c952a6dbd4d40a5d1d87e3bb9cbafa0952417959ac46f7a2e1cd1f9b65c0a2a794b858a00ee3a6991c466

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c30JV57.exe
      Filesize

      371KB

      MD5

      56ba78d46d205b34297e21562bf7b3d9

      SHA1

      019d574df9d64d5f6f41c8902982c865b415bd4d

      SHA256

      061316f7deaa9dbf1739d4cf77926a8d5368aa22b9c5dbbc034c53894511d05a

      SHA512

      aecf463501b9e58432a0ca4079297f1fe77cd9ba183c952a6dbd4d40a5d1d87e3bb9cbafa0952417959ac46f7a2e1cd1f9b65c0a2a794b858a00ee3a6991c466

      Download Submit

    • memory/1272-154-0x0000000000A40000-0x0000000000A4A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1272-156-0x000000001B5F0000-0x000000001B73E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3984-1135-0x0000000000A20000-0x0000000000A52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3984-1136-0x00000000052D0000-0x00000000052E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-172-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-190-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-168-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-170-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-164-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-174-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-176-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-178-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-180-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-182-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-184-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-186-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-188-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-166-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-191-0x0000000007250000-0x0000000007260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-192-0x0000000007250000-0x0000000007260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-193-0x0000000007250000-0x0000000007260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-194-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4460-196-0x0000000007250000-0x0000000007260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-197-0x0000000007250000-0x0000000007260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-199-0x0000000007250000-0x0000000007260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4460-198-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4460-163-0x0000000004A70000-0x0000000004A82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4460-162-0x0000000007260000-0x0000000007804000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4460-161-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4876-204-0x0000000002C90000-0x0000000002CDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4876-207-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-210-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-212-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-214-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-216-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-218-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-220-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-222-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-224-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-226-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-230-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-228-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-232-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-234-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-236-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-238-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-294-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-1114-0x00000000077F0000-0x0000000007E08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4876-1115-0x0000000007E10000-0x0000000007F1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4876-1116-0x0000000007210000-0x0000000007222000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4876-1117-0x0000000007F20000-0x0000000007F5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4876-1118-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-1120-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-1121-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-1122-0x0000000008210000-0x00000000082A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4876-1123-0x00000000082B0000-0x0000000008316000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4876-1124-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-1125-0x0000000008AD0000-0x0000000008C92000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4876-1126-0x0000000008CB0000-0x00000000091DC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4876-1127-0x0000000009330000-0x00000000093A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4876-1128-0x00000000093B0000-0x0000000009400000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4876-208-0x0000000004B80000-0x0000000004BBE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4876-205-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-206-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-1129-0x0000000007230000-0x0000000007240000-memory.dmp

      Filesize

      64KB

      Download