Analysis
max time kernel: 91s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2023, 20:23
Static task: static1
Behavioral task: behavioral1
Sample: 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Resource: win10v2004-20230220-en
General
Target: 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Size: 695KB
MD5: 1b5af02ae251b2eaa952a20340449425
SHA1: fa24cdfa5495457fcaf183edecfd61ce3b3f05ea
SHA256: 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8
SHA512: a1d6718b7a2b1e581a395a7987e4ae53ee9ce002eecf4bb96100fbd9f159f16372b32f04acedb4965b56d498c79c4759c2f7d72b74f711d6f4e9d9bca10b6ab3
SSDEEP: 12288:9Mr9y90S84AMIemVYmDtcyMBuFlYrZMK2fq3UeFHzbXhJklbsch1M14a:Ayc4A0mVYmxXMB0lYrZig7Tbx8bs21/a
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9807.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9807.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9807.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9807.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9807.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9807.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/4992-191-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-192-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-194-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-196-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-198-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-200-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-202-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-204-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-206-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-208-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-210-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-212-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-214-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-216-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-218-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-220-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-222-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
behavioral1/memory/4992-227-0x0000000005310000-0x000000000534F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1496 | un792371.exe
1240 | pro9807.exe
4992 | qu8545.exe
1744 | si020432.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9807.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9807.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un792371.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un792371.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1240 | pro9807.exe
1240 | pro9807.exe
4992 | qu8545.exe
4992 | qu8545.exe
1744 | si020432.exe
1744 | si020432.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1240 | pro9807.exe
Token: SeDebugPrivilege | 4992 | qu8545.exe
Token: SeDebugPrivilege | 1744 | si020432.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4324 wrote to memory of 1496 | 4324 | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe | 83
PID 4324 wrote to memory of 1496 | 4324 | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe | 83
PID 4324 wrote to memory of 1496 | 4324 | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe | 83
PID 1496 wrote to memory of 1240 | 1496 | un792371.exe | 84
PID 1496 wrote to memory of 1240 | 1496 | un792371.exe | 84
PID 1496 wrote to memory of 1240 | 1496 | un792371.exe | 84
PID 1496 wrote to memory of 4992 | 1496 | un792371.exe | 89
PID 1496 wrote to memory of 4992 | 1496 | un792371.exe | 89
PID 1496 wrote to memory of 4992 | 1496 | un792371.exe | 89
PID 4324 wrote to memory of 1744 | 4324 | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe | 94
PID 4324 wrote to memory of 1744 | 4324 | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe | 94
PID 4324 wrote to memory of 1744 | 4324 | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe | 94
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4324
    Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un792371.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un792371.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1496
        Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9807.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9807.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1240
        Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8545.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8545.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4992
    Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si020432.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si020432.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1744
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 081447fe567f6083505866cd5ca79f8d
SHA1: 24bcf2934336677f35d4db08013e13fca5e0f46c
SHA256: 70cf4d8b40aeccc57e61faa897383632ea862a5b1d138ad81cd05b8a54c746ba
SHA512: 0af56160142fbd67821f2c5cf457cb1ca08b5387af97fd387c848011fd9423a2502bb307d55417cfb12b27d717ac9619bc193d426582e07f9a002cb9e4e7e55d
Filesize: 553KB
MD5: 4a01b5ab01f306ad7f5937d0676e2071
SHA1: 35b70189c96c91fad6e924463e09ba4ca89e983c
SHA256: bd9ef5dedb2adcf91ef07ab497c896ee91ea1bfb131ff351a992c42493e7f77e
SHA512: 6f2518347cd8e28dcb9a5fa0434ef8fdc1c08c990b4222e95a38928a614ac5fbbedd8dcd35fb029488ac00a650fdaa3ac33bf0296a64dfd6e62e87ab06629a3c
Filesize: 308KB
MD5: cc9bd046844c2de86423d60e92cb4395
SHA1: dcff383a2dfdc97acf5cd234796acc098da42be3
SHA256: 728b5fc5bec2637c9d4fd64c04aed16c49240c21472f22faf41da8d16f2dc93a
SHA512: acfae258b0fc87934a413446a27d0aa323c4d4abebed9e0793c9a797ccc9719cb906c7f57c6b5d213cfaf4b930ce63c3330d2607db84adbb6c573fc2fe574bfb
Filesize: 366KB
MD5: 0411dc2d6a340d6f16b8fbbcf509eb67
SHA1: fba7c37d5ff8bb7223daf71c293a1d16cb1c1fa4
SHA256: 1fc8c0457602cc0a892de6fb40ff6d5b585d711f7eb15c80ccb14d77f24a8df8
SHA512: 851321647ef8499f808eb75ff06189b405857f0c7896d7526af3e8a79066e92b6302f23fe9b3a9946e87783aa21ce3cd79222c14ec60fe95eee2e8e2c4dd5c94