Analysis
-
max time kernel
72s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2023, 20:04
Static task
static1
Behavioral task
behavioral1
Sample
604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe
Resource
win10v2004-20230220-en
General
-
Target
604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe
-
Size
695KB
-
MD5
32992ae9c3073904e96d894a9e78e1a6
-
SHA1
6f7a96c6e7c20fa9cb832b2c2089559a2a44422c
-
SHA256
604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164
-
SHA512
9b5888548b6c37277b4fed4333e3ed6fa5c8981c98f6f1f88beeff954208da40d23bdf8967fd1d4b84e408ad798638ba0f471b048394d0b8931f09bb810f1d8e
-
SSDEEP
12288:3Mr/y90x9EDVtNeYuDtlxi1MuPlmPMYPFAla1jHPsTkzFnEJ57aDrx2BlPu:EyMERjeYuxS1MelmPHP2a1LUTMFEnylH
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro9883.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro9883.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro9883.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro9883.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro9883.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro9883.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource yara_rule behavioral1/memory/4552-194-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-195-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-197-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-199-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-201-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-203-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-205-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-207-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-209-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-211-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-213-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-215-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-217-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-219-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-221-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-223-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-225-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-227-0x0000000002870000-0x00000000028AF000-memory.dmp family_redline behavioral1/memory/4552-1111-0x0000000004EF0000-0x0000000004F00000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 4044 un092411.exe 1164 pro9883.exe 4552 qu6708.exe 2136 si513258.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro9883.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro9883.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un092411.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un092411.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1164 pro9883.exe 1164 pro9883.exe 4552 qu6708.exe 4552 qu6708.exe 2136 si513258.exe 2136 si513258.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1164 pro9883.exe Token: SeDebugPrivilege 4552 qu6708.exe Token: SeDebugPrivilege 2136 si513258.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4896 wrote to memory of 4044 4896 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe 85 PID 4896 wrote to memory of 4044 4896 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe 85 PID 4896 wrote to memory of 4044 4896 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe 85 PID 4044 wrote to memory of 1164 4044 un092411.exe 86 PID 4044 wrote to memory of 1164 4044 un092411.exe 86 PID 4044 wrote to memory of 1164 4044 un092411.exe 86 PID 4044 wrote to memory of 4552 4044 un092411.exe 92 PID 4044 wrote to memory of 4552 4044 un092411.exe 92 PID 4044 wrote to memory of 4552 4044 un092411.exe 92 PID 4896 wrote to memory of 2136 4896 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe 93 PID 4896 wrote to memory of 2136 4896 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe 93 PID 4896 wrote to memory of 2136 4896 604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe"C:\Users\Admin\AppData\Local\Temp\604c2b7486db6e9976a4c15fac6100370f68bb2b35cb38a0541c5af6ed444164.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un092411.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un092411.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9883.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9883.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6708.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6708.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si513258.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si513258.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD59167f35c605cdfbeeb7bb2cad181e153
SHA1f305a89fe355e8b696b730d126685f598f7bea9d
SHA2561c1ad7eb84b533eea3f321ef54f5f8a2fa47551a6bf0798b6c35ef8ba575936b
SHA51225e5cd8359653b79520a2f7ff472616e8d725bfd490d5fd7f8ba8a5ff9b62ad5dabf5f6df76b8e3d0a39af832f17504b7291f8464972b893a664b3fbac3f80dc
-
Filesize
175KB
MD59167f35c605cdfbeeb7bb2cad181e153
SHA1f305a89fe355e8b696b730d126685f598f7bea9d
SHA2561c1ad7eb84b533eea3f321ef54f5f8a2fa47551a6bf0798b6c35ef8ba575936b
SHA51225e5cd8359653b79520a2f7ff472616e8d725bfd490d5fd7f8ba8a5ff9b62ad5dabf5f6df76b8e3d0a39af832f17504b7291f8464972b893a664b3fbac3f80dc
-
Filesize
553KB
MD5adccf2fbbdf209a4de4dba070e1a9b6b
SHA137e05d95f7222e38f93418a6a44b65900ed7eb02
SHA256ac246ca687f2274ad08494b6aa8cb0ff00d8372eedecbd66305a2b4ebcfbed4d
SHA5128d3ce6fa7dd64bcf5b320ac25061b45e607eb9ebd7b0b44343297c2e04e643937c1ca735367ebad746befd973cbe6b148c08d06471d1b6c45e4daf2a12f3d542
-
Filesize
553KB
MD5adccf2fbbdf209a4de4dba070e1a9b6b
SHA137e05d95f7222e38f93418a6a44b65900ed7eb02
SHA256ac246ca687f2274ad08494b6aa8cb0ff00d8372eedecbd66305a2b4ebcfbed4d
SHA5128d3ce6fa7dd64bcf5b320ac25061b45e607eb9ebd7b0b44343297c2e04e643937c1ca735367ebad746befd973cbe6b148c08d06471d1b6c45e4daf2a12f3d542
-
Filesize
308KB
MD5f2d3052173f278fff1b75d3d3428177f
SHA1061f6089f807d3f36d3cae07abae5f5242f2e044
SHA25696e81ab711b6569e30764916029b7a661c653523405f482c9bc7fa18f6ce959a
SHA51298d3c75a17cb0aa360df7e8a88c65661e4732bb26ac3892b8f00a8a02ea577eb26598ea9693ea2e9234a06a535ae670b18e54d5ad545467dc7112cffe58f655a
-
Filesize
308KB
MD5f2d3052173f278fff1b75d3d3428177f
SHA1061f6089f807d3f36d3cae07abae5f5242f2e044
SHA25696e81ab711b6569e30764916029b7a661c653523405f482c9bc7fa18f6ce959a
SHA51298d3c75a17cb0aa360df7e8a88c65661e4732bb26ac3892b8f00a8a02ea577eb26598ea9693ea2e9234a06a535ae670b18e54d5ad545467dc7112cffe58f655a
-
Filesize
366KB
MD5ebba8bd1d8fb83895fe66bdc730b7a42
SHA1f46abd283167109a6ea3fc621af6c4c1be8b8d17
SHA2567db01c62a6aeab100751e0deefdd1aff1e3909f3bd439301a42030a7efa1c121
SHA51253810409c992406ed67143a3fd74204de0d71e84887e54f7b0a3660139576a4f6748028b21d9a410b3f516219716c8b46ec04e80e2a1f116e38042f14a6be863
-
Filesize
366KB
MD5ebba8bd1d8fb83895fe66bdc730b7a42
SHA1f46abd283167109a6ea3fc621af6c4c1be8b8d17
SHA2567db01c62a6aeab100751e0deefdd1aff1e3909f3bd439301a42030a7efa1c121
SHA51253810409c992406ed67143a3fd74204de0d71e84887e54f7b0a3660139576a4f6748028b21d9a410b3f516219716c8b46ec04e80e2a1f116e38042f14a6be863