Analysis

max time kernel: 95s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 22:17

Static task: static1
Behavioral task: behavioral1
Sample: 8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe
Resource: win10v2004-20230220-en
General

Target: 8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe
Size: 699KB
MD5: 8538ef52091c15483f2f58d3b2499450
SHA1: da8a8da427e1ce9ff9a761cd3cffe89e05ab04a0
SHA256: 8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495
SHA512: 4d38ccebe941497d331e3054bf49c1a6f35af51d6660efa1667dcc7cd7adabd2e5132737b13521f09c34dc6a99fe3e4720eeffb1e7632279ea906c81839e5cf2
SSDEEP: 12288:NMrDy90HbGIOaEgW4CP/e5WTTC8VVJd8RbdmNHJrSQgz0j7TCYfwhX+KUPNReuCI:Gyb1aEgWPmCCEVJdadi00HTPfwhXgtFF
Malware Config

Extracted (family: redline)
  botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted (family: redline)
  from: 176.113.115.145:4125
  auth_value: 8633e283485822a4a48f0a41d5397566

Both configurations point at the same C2 endpoint but carry different auth_value fields, so both values should be retained as IoCs alongside the IP:port.
Signatures

Modifies Windows Defender Real-time Protection settings
  Process: pro9120.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"

The heading for this table is taken from the process tree below, where pro9120.exe is tagged with it. All five values are Defender group-policy switches written under the WOW6432Node view, which is how a 32-bit process sees HKLM\SOFTWARE; a hunt for these writes should match the path with or without the WOW6432Node component.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/2616-191-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-192-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-194-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-196-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-198-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-200-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-202-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-204-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-206-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-211-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-214-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-216-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-218-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-220-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-222-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-224-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-226-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-228-0x0000000002870000-0x00000000028AF000-memory.dmp  family_redline
  behavioral1/memory/2616-1109-0x0000000002860000-0x0000000002870000-memory.dmp family_redline

All 19 hits are memory dumps of PID 2616, which is qu1646.exe in the process tree; 18 of them cover the same 0x02870000-0x028AF000 region dumped repeatedly, and the last a neighbouring 0x02860000-0x02870000 region.
Executes dropped EXE 4 IoCs
  pid   Process
  4624  un433462.exe
  1196  pro9120.exe
  2616  qu1646.exe
  2776  si505509.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
  Process: pro9120.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

The heading for this table is taken from the process tree below, where pro9120.exe is tagged with it. On a Windows 10 host with Tamper Protection enabled, Defender ignores direct registry writes to this value (and to the Real-Time Protection policy values above) from untrusted callers, so the sandbox record shows that tampering was attempted, not necessarily that protection was turned off.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
  Process: 8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe
  Key created:     \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: un433462.exe
  Key created:     \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

These are not persistence entries. A RunOnce value named wextract_cleanupN that invokes advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory is the stock cleanup entry written by the Windows IExpress/wextract self-extractor; it deletes the extraction directory at the next logon. What it does tell an analyst is that both the outer sample and un433462.exe are IExpress packages, each unpacking into its own IXP00N.TMP directory.
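A triage script for the registry writes recorded in the Modifies Windows Defender Real-time Protection settings, Windows security modification and Adds Run key tables above, as an added example that is not part of the sandbox report. It runs over Sysmon Event ID 13 (RegistryEvent: Value Set) records, rates the five Real-Time Protection Disable* writes and the TamperProtection=0 write as high severity, and tells the stock wextract_cleanupN RunOnce entries apart from genuine Run-key persistence. The records are constructed here to mirror the report's IoCs, in both the HKLM\ form Sysmon emits and the \REGISTRY\MACHINE\ form the sandbox prints; the last two records (an explorer.exe noise event and an updater.exe Run value) are hypothetical contrast cases that do not appear in the report.

```python
"""Sysmon Event ID 13 (RegistryEvent: Value Set) triage for Defender tampering and
Run/RunOnce writes.  Added example modelled on this report's Signatures tables;
the event records below are constructed, not captured from the sandbox."""
import re
from collections import Counter

OUTER = r"C:\Users\Admin\AppData\Local\Temp\8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe"
UN433462 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un433462.exe"
PRO9120 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9120.exe"
RTP_KEY = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP_CMD = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\%s\"'


def _ev(image, target, details):
    """One Sysmon EID 13 record, reduced to the fields the rules need."""
    return {"EventType": "SetValue", "Image": image, "TargetObject": target, "Details": details}


# Constructed records mirroring the report's IoCs.
SAMPLE_EVENTS = [
    _ev(PRO9120, RTP_KEY + "\\" + name, "DWORD (0x00000001)")
    for name in ("DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
                 "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")
] + [
    _ev(PRO9120, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
        "DWORD (0x00000000)"),
    _ev(OUTER, RUNONCE_KEY + r"\wextract_cleanup0", CLEANUP_CMD % "IXP000.TMP"),
    _ev(UN433462, RUNONCE_KEY + r"\wextract_cleanup1", CLEANUP_CMD % "IXP001.TMP"),
    # Hypothetical contrast cases, not from the report: benign Explorer noise and a
    # real Run-key persistence write by a made-up updater.exe.
    _ev(r"C:\Windows\explorer.exe",
        r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "DWORD (0x00000001)"),
    _ev(r"C:\Users\Admin\AppData\Roaming\updater.exe",
        r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        r"C:\Users\Admin\AppData\Roaming\updater.exe"),
]

_HIVES = ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU"))
_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")
# Path patterns deliberately omit SOFTWARE / WOW6432Node so both registry views match.
RTP_DISABLE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
WEXTRACT = re.compile(r"^wextract_cleanup\d+$", re.I)


def normalize_path(target):
    """Map the kernel-style \\REGISTRY\\MACHINE prefix the sandbox prints onto Sysmon's HKLM/HKU form."""
    for raw, short in _HIVES:
        if target.upper().startswith(raw.upper()):
            return short + target[len(raw):]
    return target


def parse_details(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; string data is passed through unchanged."""
    m = _DWORD.match(details)
    return int(m.group(1), 16) if m else details


def _finding(rule, severity, ev, target, note):
    return {"rule": rule, "severity": severity, "image": ev["Image"], "target": target, "note": note}


def triage(events):
    """Return one finding per event that matches a rule; events matching no rule are dropped."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        target = normalize_path(ev["TargetObject"])
        data = parse_details(ev.get("Details", ""))
        if (m := RTP_DISABLE.search(target)) and data == 1:
            findings.append(_finding("defender_rtp_disabled", "high", ev, target, m.group(1)))
        elif TAMPER.search(target) and data == 0:
            findings.append(_finding("defender_tamper_protection_off", "high", ev, target, "TamperProtection=0"))
        elif (m := RUN_KEY.search(target)):
            name = m.group(2)
            if WEXTRACT.match(name) and isinstance(data, str) and "advpack.dll,DelNodeRunDLL32" in data:
                # Stock cleanup entry written by the IExpress/wextract self-extractor: it deletes
                # the IXP00n.TMP directory at the next logon and is not a persistence mechanism.
                findings.append(_finding("iexpress_cleanup", "info", ev, target, "wextract self-extractor cleanup"))
            else:
                findings.append(_finding("run_key_persistence", "medium", ev, target, f"{m.group(1)}\\{name}"))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        image = f["image"].rsplit("\\", 1)[-1]
        print(f"[{f['severity']:<6}] {f['rule']:<32} {image:<14} {f['note']}")
```

The wextract rule keys on both the value name and the advpack.dll,DelNodeRunDLL32 command, so an author who reuses the wextract_cleanup name for a different command still triggers run_key_persistence. As noted above, EID 13 only records the write attempt; whether Defender honoured it depends on Tamper Protection, so the high-severity findings should be read as "tampering attempted by pro9120.exe", not as proof that real-time protection was off.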
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
  pid   pid_target  Process       procid_target
  4144  1196        WerFault.exe  85
  2332  2616        WerFault.exe  94

Both payload stages crashed under Windows Error Reporting: pro9120.exe (PID 1196) and qu1646.exe (PID 2616), the latter being the process whose memory dumps matched the family_redline rule.
Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid   Process
  1196  pro9120.exe
  1196  pro9120.exe
  2616  qu1646.exe
  2616  qu1646.exe
  2776  si505509.exe
  2776  si505509.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description            pid   Process
  Token: SeDebugPrivilege  1196  pro9120.exe
  Token: SeDebugPrivilege  2616  qu1646.exe
  Token: SeDebugPrivilege  2776  si505509.exe

Suspicious use of WriteProcessMemory 12 IoCs
  pid   wrote to memory of  Process                                                                 procid_target
  3032  4624                8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe  84  (3 records)
  4624  1196                un433462.exe                                                            85  (3 records)
  4624  2616                un433462.exe                                                            94  (3 records)
  3032  2776                8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe  99  (3 records)

Each child launch appears as three identical WriteProcessMemory records in the sandbox log; the four distinct parent/child pairs match the process tree below.
Processes

C:\Users\Admin\AppData\Local\Temp\8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe (PID 3032)
  command line: "C:\Users\Admin\AppData\Local\Temp\8225c0c17261072f34834c2efb8115e696d85f9e293c4d1fc1a3f37f2a6f8495.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un433462.exe (PID 4624)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un433462.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9120.exe (PID 1196)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9120.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 4144)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1646.exe (PID 2616)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1646.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 2332)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1360
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si505509.exe (PID 2776)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si505509.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 4244)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1196 -ip 1196

C:\Windows\SysWOW64\WerFault.exe (PID 2632)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616

Reading the tree: the outer sample unpacks into IXP000.TMP and runs un433462.exe and si505509.exe from there; un433462.exe is itself a self-extractor that unpacks pro9120.exe and qu1646.exe into IXP001.TMP. pro9120.exe is the stage that tampers with Defender, and qu1646.exe (PID 2616) is the process carrying the RedLine payload in memory. All three payload stages run under SysWOW64, i.e. as 32-bit processes, which is why their registry writes appear under WOW6432Node. The two top-level WerFault.exe instances are the normal crash-reporting helpers for PIDs 1196 and 2616.
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 7d33f5a07dd185d3dfadf6024e44fd7d
SHA1: 497644065ea93ed1e58b457f6641a2d5379370c1
SHA256: 1aab48b1e0e4c8baa3bc69c6b5bf43b00dc29e956c13bfc7c70cee15b69649c3
SHA512: 1256c843dddcb74856e995446368cf2547bbb24b28fa0db69b1345a9b4f08ad680ebdec29dcc3e95ac1ee59e5f4f9d81bddf3dcd6543cda0dc097c9e2b116171

Filesize: 557KB
MD5: d12a8a815429844087f84c038fcb6b06
SHA1: 3178ac53a26c6675e1b6809845a89d4f113b05d9
SHA256: 1b09d1101ed60f10b81bb02eb5b5d429e8015e1693f2cd08794d1888ad048ac2
SHA512: b06521fac4d7938cb53224b3d5a4048076222d6840dde6d19fc0df4c4a78f04c7bfc0535266954de8e6bc5e62d92aa308940fefdd2c8870f734ece7c44f04986

Filesize: 307KB
MD5: 62f91574f96733e84730563c5a6c2263
SHA1: 0ef9077bf577d7366309a4bfacf1455fe206f793
SHA256: f46ad95745ca09a16e81f7795651378d1c5360593ab7b3f315c0aa2f24a38cb1
SHA512: 9ec679650f81d79500be0ca67f859d609f225fe15f8c5cb51255c849ac9d818898d3e093e0f2dd9a22ef4fbfcc0514429285e229dc5af4af043b26e3720f366a

Filesize: 365KB
MD5: ad7c7d02c0e9a7a51e50f0b22c59781e
SHA1: 6d76bbb0591681f94c212d318ed750b311b1486d
SHA256: 8d75acda4b34a0c6a9ccf6cd6d62f2004a63c78b7197130cdcf3becb2b1af3b5
SHA512: 1aebeb452e8f755c197619300aeedb6249c6b2cc333ba39bb02bafddbb5fd2b9f18f98971e20aabe135f36c094a31503aa4742591ddf77179f53ad27896f607a

Four distinct dropped files; the report lists each twice with identical hashes, and the duplicates are collapsed here. The report does not state which hash belongs to which of the four dropped executables.