Analysis
  Max time kernel: 53s
  Max time network: 71s
  Platform: windows10-1703_x64
  Resource: win10-20230220-en
  Resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  Submitted: 27/03/2023, 10:53

Static task: static1

Behavioral task: behavioral1
  Sample: 7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe
  Resource: win10-20230220-en
General
  Target: 7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe
  Size: 687KB
  MD5: ddc5ae571f7a5fd1a0a3109d39c1c5cf
  SHA1: e72db1d28f0dadb771a70d5bb30a0f9cae77bcc4
  SHA256: 7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5
  SHA512: af8459e310746f43741964f11f80aa04c1320da3602bd4e41d005af646a8fb7a0e2627c67d2d5aba6c0efc8780a941f8eb2e3ab403b0d8f3548fd824ab90ac2b
  SSDEEP: 12288:cMrqy90gozs27bXE1xsb7A6X2MEyB57WaQA2x0FlIZ0xqc4hJx+4Mrff:+y4nXksPA6DEyB5CaQA2xF+xchIL
Malware Config

Extracted
  Family: redline
  Botnet: sony
  C2: 193.233.20.33:4125
  auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted
  Family: redline
  Botnet: nice
  C2: 193.233.20.33:4125
  auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures

Modifies Windows Defender Real-time Protection settings
  Description      IoC                                                                                                              Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    pro4920.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        pro4920.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    pro4920.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    pro4920.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro4920.exe
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Executes dropped EXE (4 IoCs)
  PID   Process
  3276  un370993.exe
  3748  pro4920.exe
  2036  qu0007.exe
  1500  si104092.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  Description      IoC                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                   pro4920.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro4920.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description      IoC                                                                                                    Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                        7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                        un370993.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un370993.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process
  3748  pro4920.exe
  3748  pro4920.exe
  2036  qu0007.exe
  2036  qu0007.exe
  1500  si104092.exe
  1500  si104092.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  3748  pro4920.exe
  Token: SeDebugPrivilege  2036  qu0007.exe
  Token: SeDebugPrivilege  1500  si104092.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                                                 procid_target
  PID 3076 wrote to memory of 3276  3076  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe  66
  PID 3076 wrote to memory of 3276  3076  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe  66
  PID 3076 wrote to memory of 3276  3076  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe  66
  PID 3276 wrote to memory of 3748  3276  un370993.exe                                                            67
  PID 3276 wrote to memory of 3748  3276  un370993.exe                                                            67
  PID 3276 wrote to memory of 3748  3276  un370993.exe                                                            67
  PID 3276 wrote to memory of 2036  3276  un370993.exe                                                            68
  PID 3276 wrote to memory of 2036  3276  un370993.exe                                                            68
  PID 3276 wrote to memory of 2036  3276  un370993.exe                                                            68
  PID 3076 wrote to memory of 1500  3076  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe  70
  PID 3076 wrote to memory of 1500  3076  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe  70
  PID 3076 wrote to memory of 1500  3076  7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe  70
Processes

1. C:\Users\Admin\AppData\Local\Temp\7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b8fb730bc12c267f2e83e8af3e2057ddbd9b066d04e95126cbc7905477da9a5.exe"
   PID: 3076
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370993.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370993.exe
      PID: 3276
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4920.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4920.exe
         PID: 3748
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0007.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0007.exe
         PID: 2036
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si104092.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si104092.exe
      PID: 1500
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v6
Downloads