Analysis
-
max time kernel
55s -
max time network
72s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
28-03-2023 00:43
General
-
Target
27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9.exe
-
Size
690KB
-
MD5
58b02770b7aadadd5e4accb4ff666ec4
-
SHA1
e91bfabbb7eff336b0f0b100b007f0862e074b61
-
SHA256
27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9
-
SHA512
34151f64e50fb6e46cf03aa4e739741f7d53110aa2a0f3a1335f53c3d02ee6d6355280b050ad00989f9aca6c3b87313dc063a0f63a1d293b107d952e3ce46b34
-
SSDEEP
12288:SMrQy90+mFV7e/wim++VdwvUivsjsYS1ctI/ppiLONiVmhhLbTpLWiuOJljp9+:2yFmnYwim+EywtKXhiAhhxWijA
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9.exe"C:\Users\Admin\AppData\Local\Temp\27666a4ab2eb84700b10d92a85367275f7e96eb7875a4d25a1284fefa97b5bd9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exeFilesize
175KB
MD5c8f6d396dbcd5c921c325ec9f4fc7bb2
SHA1060d1104a88bb31544f61f941e1ea491ae40bbcb
SHA256d4a96bdbb68b408143b8f9e9f2d9f0cbdf030318b0891e4a5f16c91b06e15a46
SHA512865c9d80d25fbdacd202286abc2d3325e4b651d3b0a4bcd38d9bec5efb63f91a59b7d02d9bd45c51f32be6037f23b23dbf13573c227332dbca1acf11e17ab25c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086916.exeFilesize
175KB
MD5c8f6d396dbcd5c921c325ec9f4fc7bb2
SHA1060d1104a88bb31544f61f941e1ea491ae40bbcb
SHA256d4a96bdbb68b408143b8f9e9f2d9f0cbdf030318b0891e4a5f16c91b06e15a46
SHA512865c9d80d25fbdacd202286abc2d3325e4b651d3b0a4bcd38d9bec5efb63f91a59b7d02d9bd45c51f32be6037f23b23dbf13573c227332dbca1acf11e17ab25c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exeFilesize
548KB
MD57c83bf29603a2066572f0ff864ee69a6
SHA14a63cdeecd8e667b19bda5d078d255999000150f
SHA2564ad010d61d4d2ceb0725ccda3dbe95e8beca76150f9b9483d217542bb64b4926
SHA51293845f1a65296250da068a7a2849d6fadec751c865d70115282a0ffe70c2de74df50f2e408e8fccc18c214a276ff6e00f88fe76b1a5495588062ef8f131560cc
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963081.exeFilesize
548KB
MD57c83bf29603a2066572f0ff864ee69a6
SHA14a63cdeecd8e667b19bda5d078d255999000150f
SHA2564ad010d61d4d2ceb0725ccda3dbe95e8beca76150f9b9483d217542bb64b4926
SHA51293845f1a65296250da068a7a2849d6fadec751c865d70115282a0ffe70c2de74df50f2e408e8fccc18c214a276ff6e00f88fe76b1a5495588062ef8f131560cc
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exeFilesize
291KB
MD520a2cde4dff76c567a50238cc26624b1
SHA1b44fb852d8c4529ac9c33d855d0b33790b497dd4
SHA25627ffe98df336082d4b0275afee871977e9b3c1a7e3801e90da85991527b7c635
SHA512cc5c6355bc6941e6dfffe838cf51f1baecf5d00672155a7155d77f83ae64f7f50d31cfef059e40556d2a193335a03ac5b2f65586898c30d606da5ed2bd51b488
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3392.exeFilesize
291KB
MD520a2cde4dff76c567a50238cc26624b1
SHA1b44fb852d8c4529ac9c33d855d0b33790b497dd4
SHA25627ffe98df336082d4b0275afee871977e9b3c1a7e3801e90da85991527b7c635
SHA512cc5c6355bc6941e6dfffe838cf51f1baecf5d00672155a7155d77f83ae64f7f50d31cfef059e40556d2a193335a03ac5b2f65586898c30d606da5ed2bd51b488
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exeFilesize
350KB
MD51cf467f3da7d06cd6c45ee662269036a
SHA108dc9969ae984eb9de4a6cb660f02b05c086dc51
SHA256a47a648499961cd98e02ab390e2c8b280c02c65d1551dea0ccf5f27c141286e3
SHA512dc8185679c3c079bee8cc9ab4d14224fe65d900139ef8a3cefc773c30437a8e16971e639e91ffa02fe7232f18a10faa0115bdf38c92982c8e45025fc76b05404
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7444.exeFilesize
350KB
MD51cf467f3da7d06cd6c45ee662269036a
SHA108dc9969ae984eb9de4a6cb660f02b05c086dc51
SHA256a47a648499961cd98e02ab390e2c8b280c02c65d1551dea0ccf5f27c141286e3
SHA512dc8185679c3c079bee8cc9ab4d14224fe65d900139ef8a3cefc773c30437a8e16971e639e91ffa02fe7232f18a10faa0115bdf38c92982c8e45025fc76b05404
-
memory/1500-1114-0x00000000048D0000-0x00000000048E0000-memory.dmpFilesize
64KB
-
memory/1500-1113-0x0000000004AD0000-0x0000000004B1B000-memory.dmpFilesize
300KB
-
memory/1500-1112-0x0000000000080000-0x00000000000B2000-memory.dmpFilesize
200KB
-
memory/2032-1092-0x0000000005530000-0x0000000005542000-memory.dmpFilesize
72KB
-
memory/2032-1095-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-1106-0x0000000006FE0000-0x0000000007030000-memory.dmpFilesize
320KB
-
memory/2032-1105-0x0000000006F60000-0x0000000006FD6000-memory.dmpFilesize
472KB
-
memory/2032-1104-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-1103-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-1102-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-1101-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-1099-0x00000000067B0000-0x0000000006CDC000-memory.dmpFilesize
5.2MB
-
memory/2032-1098-0x00000000065E0000-0x00000000067A2000-memory.dmpFilesize
1.8MB
-
memory/2032-1097-0x00000000058D0000-0x0000000005936000-memory.dmpFilesize
408KB
-
memory/2032-1096-0x0000000005830000-0x00000000058C2000-memory.dmpFilesize
584KB
-
memory/2032-1094-0x00000000056A0000-0x00000000056EB000-memory.dmpFilesize
300KB
-
memory/2032-1093-0x0000000005550000-0x000000000558E000-memory.dmpFilesize
248KB
-
memory/2032-1091-0x00000000053F0000-0x00000000054FA000-memory.dmpFilesize
1.0MB
-
memory/2032-1090-0x0000000005990000-0x0000000005F96000-memory.dmpFilesize
6.0MB
-
memory/2032-217-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-215-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-213-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-211-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-178-0x0000000002440000-0x0000000002486000-memory.dmpFilesize
280KB
-
memory/2032-179-0x0000000004CA0000-0x0000000004CE4000-memory.dmpFilesize
272KB
-
memory/2032-181-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-183-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-180-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-185-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-187-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-189-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-191-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-193-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-195-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-197-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-198-0x0000000000770000-0x00000000007BB000-memory.dmpFilesize
300KB
-
memory/2032-202-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-203-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-201-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-199-0x0000000004D70000-0x0000000004D80000-memory.dmpFilesize
64KB
-
memory/2032-205-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-207-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/2032-209-0x0000000004CA0000-0x0000000004CDF000-memory.dmpFilesize
252KB
-
memory/4168-159-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-170-0x0000000000400000-0x000000000070B000-memory.dmpFilesize
3.0MB
-
memory/4168-141-0x0000000002320000-0x0000000002338000-memory.dmpFilesize
96KB
-
memory/4168-171-0x0000000004E30000-0x0000000004E40000-memory.dmpFilesize
64KB
-
memory/4168-157-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-169-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-137-0x0000000004E30000-0x0000000004E40000-memory.dmpFilesize
64KB
-
memory/4168-155-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-165-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-143-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-163-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-161-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-173-0x0000000000400000-0x000000000070B000-memory.dmpFilesize
3.0MB
-
memory/4168-142-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-167-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-153-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-151-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-149-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-147-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-145-0x0000000002320000-0x0000000002332000-memory.dmpFilesize
72KB
-
memory/4168-140-0x0000000004E30000-0x0000000004E40000-memory.dmpFilesize
64KB
-
memory/4168-138-0x0000000004E30000-0x0000000004E40000-memory.dmpFilesize
64KB
-
memory/4168-139-0x0000000004E40000-0x000000000533E000-memory.dmpFilesize
5.0MB
-
memory/4168-136-0x0000000000710000-0x000000000073D000-memory.dmpFilesize
180KB
-
memory/4168-135-0x0000000002280000-0x000000000229A000-memory.dmpFilesize
104KB