Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2023, 19:29
Static task
static1
Behavioral task
behavioral1
Sample
9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe
Resource
win10v2004-20230221-en
General
-
Target
9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe
-
Size
696KB
-
MD5
d63f0a998c714b199c06b6661c3a4037
-
SHA1
97b48f1fad307ab8ddf80a8343a79d9fb960c375
-
SHA256
9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f
-
SHA512
9a609d3e1152787b97953cdd55e3d2b5ed8a309a3b9d36f3dc5621cd3baa0e64eb32421e893d432f853daea061dbc025284e0efb3243450f610de9912f61058c
-
SSDEEP
12288:IMrdy90rv4JLHYnLruoLu+eVQM3mXMl7S7lLvIZeQbrsaMf1dzL0EJkSKQXKjyW0:1ySvvruooVN3mcl7S7lLvIcCGfLx9PyE
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro4844.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro4844.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro4844.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro4844.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro4844.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro4844.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/4928-191-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-192-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-194-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-196-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-198-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-200-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-202-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-204-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-206-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-208-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-210-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-212-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-214-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-216-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-218-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-222-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-220-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-224-0x0000000002830000-0x000000000286F000-memory.dmp family_redline behavioral1/memory/4928-261-0x0000000004EE0000-0x0000000004EF0000-memory.dmp family_redline behavioral1/memory/4928-263-0x0000000004EE0000-0x0000000004EF0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 4504 un001884.exe 1172 pro4844.exe 4928 qu2258.exe 4960 si209446.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro4844.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro4844.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un001884.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un001884.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1172 pro4844.exe 1172 pro4844.exe 4928 qu2258.exe 4928 qu2258.exe 4960 si209446.exe 4960 si209446.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1172 pro4844.exe Token: SeDebugPrivilege 4928 qu2258.exe Token: SeDebugPrivilege 4960 si209446.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4432 wrote to memory of 4504 4432 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe 82 PID 4432 wrote to memory of 4504 4432 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe 82 PID 4432 wrote to memory of 4504 4432 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe 82 PID 4504 wrote to memory of 1172 4504 un001884.exe 83 PID 4504 wrote to memory of 1172 4504 un001884.exe 83 PID 4504 wrote to memory of 1172 4504 un001884.exe 83 PID 4504 wrote to memory of 4928 4504 un001884.exe 87 PID 4504 wrote to memory of 4928 4504 un001884.exe 87 PID 4504 wrote to memory of 4928 4504 un001884.exe 87 PID 4432 wrote to memory of 4960 4432 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe 88 PID 4432 wrote to memory of 4960 4432 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe 88 PID 4432 wrote to memory of 4960 4432 9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe"C:\Users\Admin\AppData\Local\Temp\9a2f1a9eaadd70eb1052d55aaaaa9993c66c4f32c52a27cd2e5ea14e4f03c79f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001884.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un001884.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4844.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4844.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2258.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2258.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si209446.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si209446.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD56a1524f3fabca62b84cc7d980a6af2f0
SHA1bb9844c8a2f8accd01b10156fab31d04c8bec43f
SHA256449dcb3606bb0ed6ce841e372fc8ec5e9ac81ac6f61974f3c08401b993fcdf04
SHA512e6b3393c9d089d00e04ac0efb44c6cc0259ff7bafb595cc092633ae07a038fbb93af5746e12e852c732078f4ff534570b7acadc80335710918c09d09d2738d7c
-
Filesize
175KB
MD56a1524f3fabca62b84cc7d980a6af2f0
SHA1bb9844c8a2f8accd01b10156fab31d04c8bec43f
SHA256449dcb3606bb0ed6ce841e372fc8ec5e9ac81ac6f61974f3c08401b993fcdf04
SHA512e6b3393c9d089d00e04ac0efb44c6cc0259ff7bafb595cc092633ae07a038fbb93af5746e12e852c732078f4ff534570b7acadc80335710918c09d09d2738d7c
-
Filesize
554KB
MD59a80740c8f04920679f2f9e42f664758
SHA14ffb22221755896b30f9571ea048a397daae0450
SHA256fcfcfd66b82678a5526ca3e43780fd8c9b5ddb0cc8d5cf959e492423dcd6a470
SHA5122b9112d9ae545cb74491f60bc59eef1ff88bf2eb00cb3cffaf08f5c16ebe2bef79b9af91ea6b8763b46565289e1e3c56aa0a882fbc7b5637cdaf5327123586f4
-
Filesize
554KB
MD59a80740c8f04920679f2f9e42f664758
SHA14ffb22221755896b30f9571ea048a397daae0450
SHA256fcfcfd66b82678a5526ca3e43780fd8c9b5ddb0cc8d5cf959e492423dcd6a470
SHA5122b9112d9ae545cb74491f60bc59eef1ff88bf2eb00cb3cffaf08f5c16ebe2bef79b9af91ea6b8763b46565289e1e3c56aa0a882fbc7b5637cdaf5327123586f4
-
Filesize
308KB
MD5daa930e2177cfa20e6c0419bfd6f1ec6
SHA160c8801f44247d92e64730539807c47e2baedaf0
SHA256289faa63cb92d4bb9c0b6574ba1c6848d103ef479b5c6bb3c2b1cba6c64cbefb
SHA512625036344dead19849147e70f7232e9a76786aac4ff0f422ae2c1d89f66e45bc81aef33633c65be2af2c61fcd85bd89a47415b77bf0886a5048f29a5daa038cf
-
Filesize
308KB
MD5daa930e2177cfa20e6c0419bfd6f1ec6
SHA160c8801f44247d92e64730539807c47e2baedaf0
SHA256289faa63cb92d4bb9c0b6574ba1c6848d103ef479b5c6bb3c2b1cba6c64cbefb
SHA512625036344dead19849147e70f7232e9a76786aac4ff0f422ae2c1d89f66e45bc81aef33633c65be2af2c61fcd85bd89a47415b77bf0886a5048f29a5daa038cf
-
Filesize
366KB
MD58a59138536ccd64f5f06347b242684fa
SHA19caba4bc4c10b5e4378fe52c1c2a3564d444acf7
SHA25632f4b43ffd4d9e985d00593916919513d39a72a269fdaca039f793a6da2ec137
SHA512d95f0dcd91141c8fe0f50a51e1e1b98755e83f0e69c4258adfa2ea02955035734e4f33d5bf8d363053b7ba6ccf2c721420bf2a1fa0e53cacfede9e45f9fc59e6
-
Filesize
366KB
MD58a59138536ccd64f5f06347b242684fa
SHA19caba4bc4c10b5e4378fe52c1c2a3564d444acf7
SHA25632f4b43ffd4d9e985d00593916919513d39a72a269fdaca039f793a6da2ec137
SHA512d95f0dcd91141c8fe0f50a51e1e1b98755e83f0e69c4258adfa2ea02955035734e4f33d5bf8d363053b7ba6ccf2c721420bf2a1fa0e53cacfede9e45f9fc59e6