Analysis

max time kernel: 94s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 15:50

Static task: static1
Behavioral task: behavioral1
Sample: c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe
Resource: win10v2004-20230220-en
General

Target: c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe
Size: 700KB
MD5: fb7128be2a459f0ec1d5c5d1fec02f10
SHA1: 14ab361843b2168e566a7178b6cd25419e356e59
SHA256: c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1
SHA512: b0be4c20cc9204f74db73716ff1a5d4b06e42cd0b6656235d04983aa09cbb8ec315a476fd07c95afb7ac27a0b76029db2b6fd4714d75fcdd719ccc983e606f17
SSDEEP: 12288:6MrSy90GfNPozqu9T6mbkdZqAymLmhAOqajl3Khua8tLB+o1kYRBRvTPIYbgiKOV:IydVP89T603mL6rvjl6itLAoeYRXjbgG
Malware Config

Extracted
Family: redline
Botnet: sony
C2: 193.233.20.33:4125
auth_value: 1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted
Family: redline
Botnet: nice
C2: 193.233.20.33:4125
auth_value: a7371b75699e8bc7c51fb960e8ac9e81
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7897.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7897.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7897.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7897.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7897.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7897.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/3796-192-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-194-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-191-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-196-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-198-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-200-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-204-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-202-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-206-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-208-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-210-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-212-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-214-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-218-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-216-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-220-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-222-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-224-0x00000000026C0000-0x00000000026FE000-memory.dmp | family_redline
behavioral1/memory/3796-1111-0x0000000004DA0000-0x0000000004DB0000-memory.dmp | family_redline
behavioral1/memory/3796-1112-0x0000000004DA0000-0x0000000004DB0000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
4544 | un682922.exe
1404 | pro7897.exe
3796 | qu0985.exe
668 | si221627.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7897.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7897.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un682922.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un682922.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
808 | 1404 | WerFault.exe | 85
4732 | 3796 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1404 | pro7897.exe
1404 | pro7897.exe
3796 | qu0985.exe
3796 | qu0985.exe
668 | si221627.exe
668 | si221627.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1404 | pro7897.exe
Token: SeDebugPrivilege | 3796 | qu0985.exe
Token: SeDebugPrivilege | 668 | si221627.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4260 wrote to memory of 4544 | 4260 | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe | 84
PID 4260 wrote to memory of 4544 | 4260 | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe | 84
PID 4260 wrote to memory of 4544 | 4260 | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe | 84
PID 4544 wrote to memory of 1404 | 4544 | un682922.exe | 85
PID 4544 wrote to memory of 1404 | 4544 | un682922.exe | 85
PID 4544 wrote to memory of 1404 | 4544 | un682922.exe | 85
PID 4544 wrote to memory of 3796 | 4544 | un682922.exe | 91
PID 4544 wrote to memory of 3796 | 4544 | un682922.exe | 91
PID 4544 wrote to memory of 3796 | 4544 | un682922.exe | 91
PID 4260 wrote to memory of 668 | 4260 | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe | 95
PID 4260 wrote to memory of 668 | 4260 | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe | 95
PID 4260 wrote to memory of 668 | 4260 | c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4f9bd7209f416a48965ab1f667f98c059dbf6b99007414075e272c64508a9f1.exe"
  PID: 4260
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un682922.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un682922.exe
      PID: 4544
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7897.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7897.exe
          PID: 1404
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1084
              PID: 808
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0985.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0985.exe
          PID: 3796
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 2000
              PID: 4732
              - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si221627.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si221627.exe
      PID: 668
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1404 -ip 1404
  PID: 904

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3796 -ip 3796
  PID: 5112
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 6959648898d36fbc60d5d22b9f89107b
SHA1: 202461078a1d8fe0e992662b963e628c312ea4ac
SHA256: 49cc6c4f972b37b464c6eb9603b772d60ac0f6fedcc49293bea770e8315c39b7
SHA512: 9f7a289d3a9b989f4e27f96b8a24baad6ee07609c30adf0ba780176a4608f17ccf77f494daf4562470aa14af47dd4a7acf5dc654c492532bb555089ea8374c85

Filesize: 558KB
MD5: c409f25936661bb73bf987e09c577c7e
SHA1: 7f6d80151fab256cc8a3b1f5dc7637b1981aac22
SHA256: 4d14eaf8e8c70f02babbc1796ba150f8b256bd8f2e9c87f4de638c079c020d44
SHA512: e8d76694691b3c079625f93ce9239a1970aa7968a675b5cda7f388394714eb83723ade65e57fdbde652dc5adcd0ca8070942ff8f9ec8839fd2a87e747e1025f9

Filesize: 308KB
MD5: 13ec9799ee0b9fc0e79730eaae5b3763
SHA1: 63d043f8c00cf4a3ab0b91b786aa8f37f3fab3bc
SHA256: 862af8b337cd2a39d19f11855b94875f0cecfb2ef5414b8bdbfec18a15d7e85d
SHA512: 62611ecf0d416aae95db0f29da37b455aae4fc7ae9e5d2f2a7b615d6a3c0f76f9fa86131955650588f2078503adb176d41776a44e8b9fe80fed7ffda2cbf31ec

Filesize: 366KB
MD5: 1ebcfab5fa047a0acb065f5c4e32467f
SHA1: 58575c41039198dba2310f1e3d33cf90b547df94
SHA256: 8156ac23e7b5f2440e377834b9aa8ec746e3e13d2cf82de2113edd882a03ea19
SHA512: ccebf1d446152fce2dfeb02e12489a253be45275f3e090d7da5cdd40e7db6cbd7f163a9c6b68b2f99055afd53b79a4ec3b67be55c3183a4e7bceaa6142ea11e2