Analysis
max time kernel: 86s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 20:35
Static task: static1
Behavioral task: behavioral1
Sample: 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe
Resource: win10v2004-20230220-en
General
Target: 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe
Size: 695KB
MD5: 39a5d719823b7a9091496ee134b89d79
SHA1: c263f229c69bb5c94f9f8b5adf834bd4e06187d1
SHA256: 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b
SHA512: ce927fd35563b489a78481fab66a38dd34add34862c585910e65b5f9670b4d95b8e82158ca75b9d1ce13e834c53ab40fe8062294451f0968b175a67c195efa39
SSDEEP: 12288:HMr9y90ajuzPgl6b9Dt3NWNuPly1O4H4kQ5zGAbJ57Wt9UeJ:aytizPgl6b9xANely1Ov/GU89PJ
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9781.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9781.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9781.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9781.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9781.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9781.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/2012-190-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-193-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-195-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-197-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-199-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-201-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-203-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-205-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-207-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-215-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-217-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-219-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
behavioral1/memory/2012-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1524 | un549877.exe
644 | pro9781.exe
2012 | qu7213.exe
2452 | si776228.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9781.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9781.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un549877.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un549877.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
644 | pro9781.exe
644 | pro9781.exe
2012 | qu7213.exe
2012 | qu7213.exe
2452 | si776228.exe
2452 | si776228.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 644 | pro9781.exe
Token: SeDebugPrivilege | 2012 | qu7213.exe
Token: SeDebugPrivilege | 2452 | si776228.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4400 wrote to memory of 1524 | 4400 | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe | 84
PID 4400 wrote to memory of 1524 | 4400 | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe | 84
PID 4400 wrote to memory of 1524 | 4400 | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe | 84
PID 1524 wrote to memory of 644 | 1524 | un549877.exe | 85
PID 1524 wrote to memory of 644 | 1524 | un549877.exe | 85
PID 1524 wrote to memory of 644 | 1524 | un549877.exe | 85
PID 1524 wrote to memory of 2012 | 1524 | un549877.exe | 89
PID 1524 wrote to memory of 2012 | 1524 | un549877.exe | 89
PID 1524 wrote to memory of 2012 | 1524 | un549877.exe | 89
PID 4400 wrote to memory of 2452 | 4400 | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe | 91
PID 4400 wrote to memory of 2452 | 4400 | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe | 91
PID 4400 wrote to memory of 2452 | 4400 | 4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4ee2a2676c57d925c359be2d4af3b37be85a3f1733a104aaf55fb93650ccb96b.exe"
  PID: 4400
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un549877.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un549877.exe
    PID: 1524
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9781.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9781.exe
      PID: 644
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7213.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7213.exe
      PID: 2012
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si776228.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si776228.exe
    PID: 2452
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
DNS requests (remote address 8.8.8.8:53 for all):
Request: 104.219.191.52.in-addr.arpa IN PTR | Response: | 73 B sent, 147 B received, 1 packet sent, 1 packet received
Request: 145.115.113.176.in-addr.arpa IN PTR | Response: | 74 B sent, 134 B received, 1 packet sent, 1 packet received
Request: 151.122.125.40.in-addr.arpa IN PTR | Response: | 73 B sent, 159 B received, 1 packet sent, 1 packet received
Request: 97.17.167.52.in-addr.arpa IN PTR | Response: | 71 B sent, 145 B received, 1 packet sent, 1 packet received
Request: 86.8.109.52.in-addr.arpa IN PTR | Response: | 70 B sent, 144 B received, 1 packet sent, 1 packet received
Traffic summary:
322 B 7
322 B 7
877.1kB 16.6kB 616 261
876.9kB 15.3kB 614 230
322 B 7
322 B 7
322 B 7
322 B 7
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 8d44b3cef18991a189b9db910648df65
SHA1: 1444721c1fbc678ecbcdedb0b93767f7e6723330
SHA256: d150f76833071403885ec11ffc17b84d93a4dbaa39294df9ad4eb2b810f9c169
SHA512: acb60b9d9d1e40ad7b62790267a980c27b8574386e9e7042112a97863d2919bd7a131883db6e14dd32fa3725a2fcf364d84a061b94e3c7548f9674cf0013bd6f
Filesize: 553KB
MD5: 47be47368f2a44200457a0be69a971ea
SHA1: 68557738aa8c3f4813e8e55b6a3cc3551d485bc2
SHA256: 63a8887bcc853d875c5b571916df10d5ba7c263d009baad6287c469284f765a3
SHA512: 96e92869b84e4aac938ea6c0d3956649cb632d5cb68e33a3c6f320540ad0f7b230ebb9b521dfd0d35b4e51dd37d6b8cd3e97c17dac999c791836ff15d9fd92f5
Filesize: 308KB
MD5: be260eed04cfbc7617eab55184052413
SHA1: 0c911b54a67e8549e4cb87567965183b4d49782e
SHA256: 880eaf2d2b7104fd95a5e855ede63e3a3fe01167ca764e3e1922e3e94f63da9c
SHA512: d2ef466025cfafe6fe7bfc33e5bf835f082112174c201f834e411ce7eaf13802a9a16016488ce73800438dfeaf2ced6bb8ed6e0428073ecd4d66f3540d8354b6
Filesize: 366KB
MD5: f756ccb608c7153c5c72013e1800e274
SHA1: 52349f21a7e4e977662df685e7f66cafd4a15ae2
SHA256: 65cf40b3724d8075dfb6c753063bfb284a9e2ff35acd6ced796f59d39c5cd1e3
SHA512: e42f9a99a33b721704ae54e835a8071729c0865b42ff8804c36c1cb4f67a9076af31787cc4b49fe53e61138cbc8f5e77d583373346be9f1bad69f8ff85555e8e