Analysis

max time kernel: 142s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/03/2023, 16:14

Static task: static1
Behavioral task: behavioral1
Sample: 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe
Resource: win10v2004-20230220-en
General

Target: 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe
Size: 877KB
MD5: db212aea907b91b68426483cc45be9dd
SHA1: bb1b11a672136b0ad53bd821a0e141985447a408
SHA256: 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8
SHA512: c615f2610c900480e09a2d5e78f4251165b76804f2efc684eae7eb41d26a6a6d3fbead1faa7ea20c0a6fbdceb4f5bb26477b0dc6e7194174fe4f146262a0a3b0
SSDEEP: 12288:kMrAy90nVco0skWajSftC5SwYcMVYwQX2P7b2A4HRvkQpHLtBsp6sfOKfNeAvTZE:sygVIskqkYDCwQXq2AYkStBOM6Vtep
Malware Config

Extracted
family: redline
botnet: gena
C2: 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted
family: redline
botnet: relon
C2: 193.233.20.30:4125
auth_value: 17da69809725577b595e217ba006b869
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9725.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9725.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qu5204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | qu5204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qu5204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | qu5204.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9725.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9725.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9725.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9725.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | qu5204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qu5204.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 19 IoCs

resource | yara_rule
behavioral1/memory/2984-203-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-204-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-206-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-208-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-210-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-212-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-214-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-216-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-218-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-220-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-222-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-224-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-226-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-228-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-230-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-232-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-234-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-236-0x0000000004CD0000-0x0000000004D0E000-memory.dmp | family_redline
behavioral1/memory/2984-265-0x0000000004DA0000-0x0000000004DB0000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs

pid | Process
2300 | unio8090.exe
4596 | unio9705.exe
3540 | pro9725.exe
4904 | qu5204.exe
2984 | rfy10s60.exe
4052 | si369984.exe
Reads user/profile data of web browsers 2 TTPs

Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 3 IoCs

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | qu5204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | qu5204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9725.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | unio8090.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | unio9705.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | unio9705.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | unio8090.exe
Checks installed software on the system 1 TTPs

Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs

pid | pid_target | Process | procid_target
4624 | 4904 | WerFault.exe | 91
4864 | 2984 | WerFault.exe | 98
Suspicious behavior: EnumeratesProcesses 8 IoCs

pid | Process
3540 | pro9725.exe
3540 | pro9725.exe
4904 | qu5204.exe
4904 | qu5204.exe
2984 | rfy10s60.exe
2984 | rfy10s60.exe
4052 | si369984.exe
4052 | si369984.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

description | pid | Process
Token: SeDebugPrivilege | 3540 | pro9725.exe
Token: SeDebugPrivilege | 4904 | qu5204.exe
Token: SeDebugPrivilege | 2984 | rfy10s60.exe
Token: SeDebugPrivilege | 4052 | si369984.exe
Suspicious use of WriteProcessMemory 17 IoCs

description | pid | Process | procid_target
PID 1256 wrote to memory of 2300 | 1256 | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe | 83
PID 1256 wrote to memory of 2300 | 1256 | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe | 83
PID 1256 wrote to memory of 2300 | 1256 | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe | 83
PID 2300 wrote to memory of 4596 | 2300 | unio8090.exe | 84
PID 2300 wrote to memory of 4596 | 2300 | unio8090.exe | 84
PID 2300 wrote to memory of 4596 | 2300 | unio8090.exe | 84
PID 4596 wrote to memory of 3540 | 4596 | unio9705.exe | 85
PID 4596 wrote to memory of 3540 | 4596 | unio9705.exe | 85
PID 4596 wrote to memory of 4904 | 4596 | unio9705.exe | 91
PID 4596 wrote to memory of 4904 | 4596 | unio9705.exe | 91
PID 4596 wrote to memory of 4904 | 4596 | unio9705.exe | 91
PID 2300 wrote to memory of 2984 | 2300 | unio8090.exe | 98
PID 2300 wrote to memory of 2984 | 2300 | unio8090.exe | 98
PID 2300 wrote to memory of 2984 | 2300 | unio8090.exe | 98
PID 1256 wrote to memory of 4052 | 1256 | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe | 103
PID 1256 wrote to memory of 4052 | 1256 | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe | 103
PID 1256 wrote to memory of 4052 | 1256 | 74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe | 103
Processes

Process tree (indentation shows parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\74ae27fae2a24ea6edf840f3558163bf9a8b448a2d80190c46a0969f451a9cb8.exe"
    PID: 1256
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8090.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio8090.exe
        PID: 2300
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9705.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio9705.exe
            PID: 4596
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9725.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro9725.exe
                PID: 3540
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5204.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu5204.exe
                PID: 4904
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1080
                    PID: 4624
                    - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rfy10s60.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rfy10s60.exe
            PID: 2984
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1340
                PID: 4864
                - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si369984.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si369984.exe
        PID: 4052
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4904 -ip 4904
    PID: 1116

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2984 -ip 2984
    PID: 4796
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 6fbff2d7c9ba7f0a71f02a5c70df9dfc
SHA1: 003da0075734cd2d7f201c5b0e4779b8e1f33621
SHA256: cb56407367a42f61993842b66bcd24993a30c87116313c26d6af9e37bbb1b6b3
SHA512: 25842b9df4767b16096f2bfcedc9d368a9696e6c6d9c7b2c75987769a5b338ae04b23b1e89f18eef2244e84f04e4acf6af56643a97abfe5b605f66cba0bac27f

Filesize: 735KB
MD5: fbfa00c77c88f32fbb50a9d8314f3983
SHA1: 828f2af5778c20d94e59764ece00b6c6d32788c7
SHA256: 34182bf857cf4075740b99fceb81c1199d70cf31300cd8749d535c129fb0751f
SHA512: 8055594f66d37afbc4ca653c1b62a68d6c88d39eeb0508da97eea0e8d568d2c27491942483b23a2e456c1657e009b605f8f516cdcfe4e3d82d0ff3915c978f58

Filesize: 420KB
MD5: 44f9ddcecf7562857fd0a8917e620db0
SHA1: 695cfb50a1a7c64eb1817a6850c9461ee2ba5b37
SHA256: d9afa5d066dec835af46d94996c6e3cbce8b70c22f3e416842ec22f169ff8fee
SHA512: f6a34350553469a9c5fe9a16895b2c039b09b91d395f2111cd411c20edd2589c14270ad5c5682e462ede72b177ae68552fbfa0d52b7f1df4805d7639743a5a11

Filesize: 364KB
MD5: 426dc4824a568caae580aa44bdeeb50a
SHA1: 142ce05c2df6ae2c41c5a9b18bc8c6ad7658a452
SHA256: a7159b9fa49f2a5dcda50c6ad2b7147ed9cb5a2feb1a5f6747009b53a0ffbbc7
SHA512: 8909b60fa658a7d68bdb95d132cf3c28b2a99ce47e703a1ce3c6b51411bb6d3a96d65a89b3340634f525c389027650ee715bd1dba76a397b12a68d20e729bc3e

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 363KB
MD5: 3a1b3831d59c51ee2119fde0305768f5
SHA1: de887370191268fa1b082a53013c20a61ac1333c
SHA256: 20fe0c9ad1a0a8f7235e712e9c2d67589de4a3b9347337d3009d5f9024dfab09
SHA512: 30e21ffc545bc57a67248cedd8a090cde6e886825d9cbca8eb28bf9d4d201739b5f1b5623fb1a2c8b728b1d698b1e08e885b906d361a4119aded6533f278e591