Analysis
max time kernel: 58s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 00:45
Static task: static1
Behavioral task: behavioral1 (sample setup.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample setup.exe, resource win10v2004-20230220-en)
The memory IoCs below are tagged behavioral2, so the signatures and process tree in this report come from the Windows 10 (x64) run.
General
Target: setup.exe
Size: 700KB
MD5: c02eadc091346b614db72aa3cee4291d
SHA1: aa5eb1444b14993b34679bc0ef7df63808f51d3a
SHA256: e38cdc9277fbfdfc7d5deec1eaffe50bc8c190d014096301f2fb2772dc7b1f2c
SHA512: f5a73d1e6aadbbac5b455101e9d1a1181743fbaf2b3674d5f132fa52c9a0c13cb4e4c1d196f97bf4faff5968aca3d05e17f660ee907c5d5d11a57d4a8f65f6b2
SSDEEP: 12288:KMrwy90q6cMKvL4XeQ+nqo9D73cAroNQGiLfJDhusR0c3XtxTybQH:CyoKvDJqYrPfJVuAx3Xj7
Malware Config
Extracted config 1
  Family: redline
  Botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted config 2
  Family: redline
  Botnet: from
  C2: 176.113.115.145:4125
  auth_value: 8633e283485822a4a48f0a41d5397566
Two different auth_value tokens for the same C2 endpoint mean two separate RedLine configurations were recovered from this package.
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: pro7511.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
pro7511.exe is a 32-bit process (its crash handler is launched from SysWOW64), so the registry redirector placed these writes under WOW6432Node; when hunting for this behaviour, match both the native Policies path and the WOW6432Node copy.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
Processes: qu2846.exe (PID 4876)
  yara rule: family_redline
  memory region: 0x027A0000-0x027DF000 (behavioral2)
  dumps: 4876-194, 4876-195, 4876-197, 4876-199, 4876-201, 4876-203, 4876-205, 4876-207, 4876-209, 4876-211, 4876-213, 4876-215, 4876-217, 4876-219, 4876-221, 4876-223, 4876-225, 4876-227 (18 captures of the same region)
Executes dropped EXE 4 IoCs
Processes:
  PID 1268  un784020.exe
  PID 3532  pro7511.exe
  PID 4876  qu2846.exe
  PID 4516  si513750.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
Processes: pro7511.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Tamper Protection exists to block exactly this kind of change from non-Defender processes, so on a host where it is on the write would be rejected or reverted; the attempt itself is still a high-confidence signal.
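The two Defender tables above (the Real-Time Protection policy values and the TamperProtection feature flag) translate directly into a host detection. The following Python is an added example written for this page, not code from the report or the sandbox vendor. It assumes Sysmon Event ID 13 (registry value set) records shaped like the dicts in SAMPLE_EVENTS, which are constructed to mirror pro7511.exe's writes; the field names Image, ProcessId, TargetObject and Details are the ones Sysmon emits, and the normaliser accepts both Sysmon's HKLM\ spelling and the \REGISTRY\MACHINE\ spelling the sandbox uses.

```python
"""Flag Windows Defender tampering in Sysmon Event ID 13 (RegistryEvent: value set) records.

Added example: the detection a SOC would derive from the registry IoCs in this report.
SAMPLE_EVENTS are constructed to mirror pro7511.exe's writes; they are not real telemetry.
"""
import re

# Registry paths as Sysmon (HKLM\...) and as the sandbox (\REGISTRY\MACHINE\...) spell them.
_HIVE_PREFIXES = ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\")
_DWORD = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.IGNORECASE)

# Policy values pro7511.exe set to 1; each one switches a real-time component off.
RTP_POLICY_KEY = "software\\policies\\microsoft\\windows defender\\real-time protection\\"
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
# Feature flag pro7511.exe set to 0.
TAMPER_PROTECTION = "software\\microsoft\\windows defender\\features\\tamperprotection"


def normalize_key(path):
    """Lower-case, strip the hive prefix and the WOW6432Node redirection so that writes
    from 32-bit processes (this sample runs under SysWOW64) compare equal to 64-bit paths."""
    p = path.lower()
    for prefix in _HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return p.replace("wow6432node\\", "")


def parse_dword(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the integer or None."""
    m = _DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return a finding tag for one record, or None if it is not Defender tampering."""
    if event.get("EventID") != 13:
        return None
    target = normalize_key(event["TargetObject"])
    value = parse_dword(event.get("Details"))
    if value is None:
        return None
    if target.startswith(RTP_POLICY_KEY):
        name = target[len(RTP_POLICY_KEY):]
        if name in RTP_DISABLE_VALUES and value == 1:
            return "defender_rtp_disabled:" + name
    if target == TAMPER_PROTECTION and value == 0:
        return "defender_tamper_protection_off"
    return None


def detect_defender_tampering(events):
    """Run classify() over a record stream and return findings with the acting process."""
    findings = []
    for ev in events:
        tag = classify(ev)
        if tag:
            findings.append({"tag": tag, "pid": ev.get("ProcessId"), "image": ev.get("Image")})
    return findings


# Constructed sample telemetry (PID, image and paths copied from this report's IoCs).
_ACTOR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7511.exe"
_RTP_KEY_WOW = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"


def _rtp_write(name, hexval, pid=3532, image=_ACTOR):
    return {"EventID": 13, "ProcessId": pid, "Image": image,
            "TargetObject": _RTP_KEY_WOW + "\\" + name, "Details": "DWORD (%s)" % hexval}


SAMPLE_EVENTS = [
    _rtp_write(n, "0x00000001") for n in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")
] + [
    # TamperProtection in the sandbox's native \REGISTRY\MACHINE form, to exercise normalize_key().
    {"EventID": 13, "ProcessId": 3532, "Image": _ACTOR,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # Benign: an admin re-enabling real-time monitoring through policy (value 0) must not fire.
    {"EventID": 13, "ProcessId": 912, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Benign: unrelated user-hive value with the same DWORD shape.
    {"EventID": 13, "ProcessId": 5120, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_EVENTS):
        print(f)
```

Sysmon's default schema does not log every registry write, so the collector's configuration needs a RegistryEvent rule covering `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` and `HKLM\SOFTWARE\Microsoft\Windows Defender\Features` (the WOW6432Node copies are matched by the same rule once the prefix is stripped, as the normaliser does here).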
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Processes: setup.exe, un784020.exe
  Key created (setup.exe): \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) (setup.exe): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Key created (un784020.exe): \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) (un784020.exe): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
These RunOnce entries are not persistence for the stealer. wextract_cleanupN values that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are the standard cleanup hook written by the WEXTRACT/IExpress self-extractor stub, and they tell you that setup.exe and un784020.exe are nested self-extracting packages rather than the payloads themselves; the RunOnce entry only deletes the extraction directory at next logon.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
Processes:
  PID 4604  WerFault.exe  (target PID 3532, pro7511.exe)
  PID 4804  WerFault.exe  (target PID 4876, qu2846.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  PID 3532  pro7511.exe (2 events)
  PID 4876  qu2846.exe (2 events)
  PID 4516  si513750.exe (2 events)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  Token: SeDebugPrivilege  PID 3532  pro7511.exe
  Token: SeDebugPrivilege  PID 4876  qu2846.exe
  Token: SeDebugPrivilege  PID 4516  si513750.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 4164 (setup.exe) wrote to memory of PID 1268 (un784020.exe), 3 events
  PID 1268 (un784020.exe) wrote to memory of PID 3532 (pro7511.exe), 3 events
  PID 1268 (un784020.exe) wrote to memory of PID 4876 (qu2846.exe), 3 events
  PID 4164 (setup.exe) wrote to memory of PID 4516 (si513750.exe), 3 events
Every write target is a child that the writing process itself spawned, and every child runs from an executable on disk (see Executes dropped EXE), so these writes are consistent with ordinary process creation by the extractor stubs; the report shows no write into a process outside this tree that would indicate injection.
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe  (PID 4164)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un784020.exe  (PID 1268)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un784020.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7511.exe  (PID 3532)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7511.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe  (PID 4604)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2846.exe  (PID 4876)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2846.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe  (PID 4804)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1340
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si513750.exe  (PID 4516)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si513750.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe  (PID 3968)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3532 -ip 3532
C:\Windows\SysWOW64\WerFault.exe  (PID 4020)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4876 -ip 4876
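The process tree above, together with the Executes dropped EXE and WriteProcessMemory signatures, is the shape a hunter wants to recover from endpoint telemetry: an IExpress-style package that launches stages out of nested IXP00N.TMP directories. The following Python is an added example written for this page, not code from the report or the sandbox vendor. It assumes Sysmon Event ID 1 (process create) records with the fields ProcessId, ParentProcessId, Image and CommandLine; SAMPLE_PROCS is constructed to mirror this report's PIDs and paths, with one benign sibling (notepad.exe, PID 5000) and an absent explorer parent (PID 1040) that are assumptions, not data from the report.

```python
"""Rebuild a process tree from Sysmon Event ID 1 records and flag the staged-dropper
pattern in this report: executables launched out of %TEMP%\\IXP00N.TMP directories.

Added example; SAMPLE_PROCS are constructed to mirror the report's tree, not real telemetry.
"""
import ntpath
import re
from collections import defaultdict

# WEXTRACT/IExpress self-extractors unpack to %LOCALAPPDATA%\Temp\IXP000.TMP, IXP001.TMP, ...
IXP_DIR = re.compile(r"\\appdata\\local\\temp\\ixp\d{3}\.tmp\\", re.IGNORECASE)

_TMP = r"C:\Users\Admin\AppData\Local\Temp"


def _proc(pid, ppid, image, cmdline=None):
    """Build a minimal Sysmon EID 1 record (constructed sample data)."""
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline or '"%s"' % image}


SAMPLE_PROCS = [
    _proc(4164, 1040, _TMP + r"\setup.exe"),  # parent 1040 is not in the data, so setup.exe is a root
    _proc(1268, 4164, _TMP + r"\IXP000.TMP\un784020.exe"),
    _proc(3532, 1268, _TMP + r"\IXP001.TMP\pro7511.exe"),
    _proc(4604, 3532, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1080"),
    _proc(4876, 1268, _TMP + r"\IXP001.TMP\qu2846.exe"),
    _proc(4516, 4164, _TMP + r"\IXP000.TMP\si513750.exe"),
    _proc(5000, 1040, r"C:\Windows\System32\notepad.exe"),  # benign sibling: must not be flagged
]


def build_index(events):
    """Index records by PID and collect children per parent, preserving event order."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    return by_pid, children


def ancestry(pid, by_pid):
    """PIDs from the oldest known ancestor down to pid; stops at cycles caused by PID reuse."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def is_ixp_stage(image):
    """True if the executable lives in a WEXTRACT/IExpress extraction directory."""
    return bool(IXP_DIR.search(image))


def flag_ixp_stages(events):
    """Report every process run from an IXP directory with how deep in the
    extractor chain it sits (stage = IXP-resident processes in its ancestry, itself included)."""
    by_pid, _ = build_index(events)
    findings = []
    for e in events:
        if not is_ixp_stage(e["Image"]):
            continue
        anc = ancestry(e["ProcessId"], by_pid)
        stage = sum(1 for p in anc if is_ixp_stage(by_pid[p]["Image"]))
        findings.append({"pid": e["ProcessId"], "image": ntpath.basename(e["Image"]),
                         "stage": stage, "root": ntpath.basename(by_pid[anc[0]]["Image"])})
    return findings


def render_tree(events):
    """Indented tree in the same layout the sandbox report uses, one line per process."""
    by_pid, children = build_index(events)
    roots = [p for p in by_pid if by_pid[p]["ParentProcessId"] not in by_pid]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + "%s (PID %d)" % (ntpath.basename(by_pid[pid]["Image"]), pid))
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_PROCS))
    for hit in flag_ixp_stages(SAMPLE_PROCS):
        print(hit)
```

On real telemetry key the tree on ProcessGuid and ParentProcessGuid rather than PIDs, since PIDs are reused across a boot; the cycle guard in ancestry() only limits the damage of reuse, it does not remove the ambiguity.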
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 175KB
  MD5: c39c395d84483ecd59ac66847bf74495
  SHA1: 737bbabcd02671d8b413b3ab9ee9b91635745098
  SHA256: 475accde89f4a08af1b631bb4a616a0e99c2096781c50cf34f26edaa07e96a58
  SHA512: 7d888cbdc9a5d27b31a44dd60b4da09ef666b74e7ad52d87067c388ab1d49ef8be0c032a05feedb0267914004b140e7dbdb7661d6182853fdc7e4f169de490cc
File 2
  Filesize: 558KB
  MD5: 38f97c62e3c6bc71c16bff030fe12bc7
  SHA1: 3eade78d8dba3f5050f57822b8f62e030787d180
  SHA256: 26701387481bd8ad17ed972dfc12e4f2f4b6c2f8d5f5d82869e956359c1dbbe2
  SHA512: 273e91b6674417785b37dc4036a11b0ff6f3b082516d4ca76aa1b8ef64fe9e34742f0e1c4b952f9b1b4b68f7983d9299098b37e97ef6e63c290c8417cbc29053
File 3
  Filesize: 307KB
  MD5: b72c6f90e3755520d9535184f8923595
  SHA1: 5372243346b62e926a6d0a127e2f6d1981e39e60
  SHA256: a349ca7e8dc74a4eb33473aa836d22ff972dc29c6f8dcb055fa3db9e20d31990
  SHA512: 9ef4db4800ccc47b65dbdd74f8bda060c463432ecdff8c78a90be6c84d2c59a07a0be391920e3989b257622d29ee3f0a107406e0f99572c56a06dd6895377399
File 4
  Filesize: 365KB
  MD5: 698e4e5f0716dbd2a1ccda9ff118d40c
  SHA1: 5f28bdecb3f6aa53ffc05f613ae482fc0a4e5d05
  SHA256: 7bc9464d7bf6a037160af32ad3a41e57ea1488a5e78030d3034d66dc4a37076c
  SHA512: 3e47d1de95aa8e1a3bba40368393a848fd53fd5273d41466e356a418d8e59012007d139994bf1dc05e18ef9c141d8be90ecf14369a930b6128e2392cef4d26ab