Analysis
max time kernel: 114s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 17:36
Static task: static1
Behavioral task: behavioral1
Sample: 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe
Resource: win10v2004-20230220-en
General
Target: 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe
Size: 695KB
MD5: 9dc56e356c8ddba17d733cb68cca4ccf
SHA1: 154b02e22182a56f6fee46258715416029743d0f
SHA256: 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c
SHA512: 1b35d0f6eeba92282b6849c9a03c77ba9a31e2060205fbd0ac902c9cb64abffb98005569e2d89b57d8e856dc97462c62e513d85fe368e9a6ac6954b3211210de
SSDEEP: 12288:PMrvy90hVtrXjaW4mlJcN9/nF/7xGNQX3RO9k4jrbK0y18tMil5slnhy12pZFM:QyITtJcrF/7xGNShOnjrbS18tMil5sdy
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7222.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7222.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7222.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7222.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7222.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7222.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/2852-190-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-193-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-191-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-195-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-197-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-200-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-204-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-208-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-206-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-210-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-212-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-214-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-216-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-218-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-220-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-222-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-224-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
behavioral1/memory/2852-226-0x0000000004C30000-0x0000000004C6F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1744 | un827736.exe
2032 | pro7222.exe
2852 | qu5684.exe
3268 | si640602.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7222.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7222.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un827736.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un827736.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
692 | 2032 | WerFault.exe | 84
3976 | 2852 | WerFault.exe | 90
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2032 | pro7222.exe
2032 | pro7222.exe
2852 | qu5684.exe
2852 | qu5684.exe
3268 | si640602.exe
3268 | si640602.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2032 | pro7222.exe
Token: SeDebugPrivilege | 2852 | qu5684.exe
Token: SeDebugPrivilege | 3268 | si640602.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3204 wrote to memory of 1744 | 3204 | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe | 83
PID 3204 wrote to memory of 1744 | 3204 | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe | 83
PID 3204 wrote to memory of 1744 | 3204 | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe | 83
PID 1744 wrote to memory of 2032 | 1744 | un827736.exe | 84
PID 1744 wrote to memory of 2032 | 1744 | un827736.exe | 84
PID 1744 wrote to memory of 2032 | 1744 | un827736.exe | 84
PID 1744 wrote to memory of 2852 | 1744 | un827736.exe | 90
PID 1744 wrote to memory of 2852 | 1744 | un827736.exe | 90
PID 1744 wrote to memory of 2852 | 1744 | un827736.exe | 90
PID 3204 wrote to memory of 3268 | 3204 | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe | 94
PID 3204 wrote to memory of 3268 | 3204 | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe | 94
PID 3204 wrote to memory of 3268 | 3204 | 257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\257c92bb1efa773db8c7bb9c089dd628ad053dbe1d23e5ece82d2292343ff93c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3204
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un827736.exe
      command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un827736.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:1744
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7222.exe
          command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7222.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2032
            C:\Windows\SysWOW64\WerFault.exe
              command: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1084
              - Program crash
              PID:692
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5684.exe
          command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5684.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2852
            C:\Windows\SysWOW64\WerFault.exe
              command: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1768
              - Program crash
              PID:3976
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si640602.exe
      command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si640602.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3268
C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2032 -ip 2032
  PID:4748
C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2852 -ip 2852
  PID:1784
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 5cdd46448ed57dce7e99b3c950f99423
SHA1: 038164c5b4c182ad579f9aed38da8d117c74fd3f
SHA256: f93c93820ac31f2bb533f2661669c9a508e5eed7616567855465bbb42bccf231
SHA512: 8df99c4db1ae001b7499372c7081ca95b57c2f3c8b0aaa5e10cea3633741d6db84724db4e5e1d8232fb919a0c796211abffdab6b0eed9170ef7f353550642705
Filesize: 554KB
MD5: ff53656e50fa11e20664b753779903b8
SHA1: ce9bd6748ab6d63d4b30d9de65f5fab22996e740
SHA256: 44e99346a090610d43b2feded4ce7b7d0b68ce2bd58c0cc04ff7f3cc43d1585f
SHA512: 0a074ed25781fcda5ce9c3a2e045a8462995dec0ffbca2899b1ccc6b9c556c519c530ca0d1e91ebf5ee47096622ef3d0da3d75f8f32106b00acc0d95394b1efb
Filesize: 308KB
MD5: f3f42eecd56b14199f05c3551056a4d5
SHA1: c14a0c1c7379a2bd3091d1d5d0a01b23056e20ab
SHA256: 475ef34b1ab26ddadaeb24b5cc6c95c9be5e9e68ddc96cd031b3d0e97b9c1336
SHA512: 7c3b732119cfd85a97e638ef180e98803939fbc01b57647a02a6686eb663d08db520f6c8085b338fd3014fde0025e90bc53e54b40911d62f9ef00ce2e020139a
Filesize: 366KB
MD5: 26c6986af3f1cfe40d4331b78cbad761
SHA1: 6600570e2fa48794a8bbfce1e2c24fa683634f52
SHA256: 4341ca72c5686c3179ebe6cb5cdf7df6e392dba2f45795895cece0076c3badd8
SHA512: 37c28b30d994e4d1998ed72d699928345b96052194deeeb03d87248817e42039142b0403b0480a4e1ef657c3681480a987de7720390f733c135a95c43f1bfeb1