Analysis
-
max time kernel
90s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2023 00:44
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20230220-en
General
-
Target
setup.exe
-
Size
699KB
-
MD5
2e0e67b8108122f6c5b00782834344b0
-
SHA1
435299663a47865a5bc01689fe2d825e9c9fed59
-
SHA256
6744c366c926fa0f2986ca76c97fb92118be732df58f7f357c21755d7420590e
-
SHA512
cfb17cfd93304b553c98fd1c9149c511623cec6f3f39ae9ca958ee2db7016b939e4739b6db0a7f446060a8b6f4bcd65daaa863050fc4289b7277169ff20d8527
-
SSDEEP
12288:yMrEy90Mm74mI2VC6jmmUhapVDGuNbhuyPKwN6I/fj79b8n8JT:Gy+8mzVxqdhapXuyPRt/fH9b8n8N
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
Processes:
pro8229.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro8229.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro8229.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro8229.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro8229.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro8229.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro8229.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
Processes:
resource yara_rule behavioral2/memory/1384-191-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-192-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-194-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-196-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-198-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-200-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-202-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-204-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-206-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-208-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-210-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-212-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-214-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-216-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-218-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-220-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-222-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-224-0x0000000004CF0000-0x0000000004D2F000-memory.dmp family_redline behavioral2/memory/1384-229-0x0000000004DF0000-0x0000000004E00000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
Processes:
un241922.exepro8229.exequ9637.exesi083305.exepid process 4016 un241922.exe 1568 pro8229.exe 1384 qu9637.exe 1500 si083305.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
pro8229.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro8229.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro8229.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
un241922.exesetup.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un241922.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un241922.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4904 1568 WerFault.exe pro8229.exe 3564 1384 WerFault.exe qu9637.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pro8229.exequ9637.exesi083305.exepid process 1568 pro8229.exe 1568 pro8229.exe 1384 qu9637.exe 1384 qu9637.exe 1500 si083305.exe 1500 si083305.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
pro8229.exequ9637.exesi083305.exedescription pid process Token: SeDebugPrivilege 1568 pro8229.exe Token: SeDebugPrivilege 1384 qu9637.exe Token: SeDebugPrivilege 1500 si083305.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
setup.exeun241922.exedescription pid process target process PID 880 wrote to memory of 4016 880 setup.exe un241922.exe PID 880 wrote to memory of 4016 880 setup.exe un241922.exe PID 880 wrote to memory of 4016 880 setup.exe un241922.exe PID 4016 wrote to memory of 1568 4016 un241922.exe pro8229.exe PID 4016 wrote to memory of 1568 4016 un241922.exe pro8229.exe PID 4016 wrote to memory of 1568 4016 un241922.exe pro8229.exe PID 4016 wrote to memory of 1384 4016 un241922.exe qu9637.exe PID 4016 wrote to memory of 1384 4016 un241922.exe qu9637.exe PID 4016 wrote to memory of 1384 4016 un241922.exe qu9637.exe PID 880 wrote to memory of 1500 880 setup.exe si083305.exe PID 880 wrote to memory of 1500 880 setup.exe si083305.exe PID 880 wrote to memory of 1500 880 setup.exe si083305.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241922.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241922.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8229.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8229.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 10844⤵
- Program crash
PID:4904
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9637.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9637.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 13364⤵
- Program crash
PID:3564
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si083305.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si083305.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1568 -ip 15681⤵PID:4408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1384 -ip 13841⤵PID:1348
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5be0af2a7a8d178d67fd0db5b74a4b3c0
SHA1931fbb418f73811022c0a5c906e15fecebf685da
SHA256de1684ec0a1f661fd47c4b9c6b9dff869a45a22f8a1fd9802fc142360231aabf
SHA5123039cdb9cf6ca4cfabf6a7f2f74e8bc2812fb043a6c31a5ef6dabbcbdb7409b13cb8b10dd09334d0129ec0d55671d57048ad6c72c5d38dfbe2e3ddb1329784dd
-
Filesize
175KB
MD5be0af2a7a8d178d67fd0db5b74a4b3c0
SHA1931fbb418f73811022c0a5c906e15fecebf685da
SHA256de1684ec0a1f661fd47c4b9c6b9dff869a45a22f8a1fd9802fc142360231aabf
SHA5123039cdb9cf6ca4cfabf6a7f2f74e8bc2812fb043a6c31a5ef6dabbcbdb7409b13cb8b10dd09334d0129ec0d55671d57048ad6c72c5d38dfbe2e3ddb1329784dd
-
Filesize
557KB
MD5b898e5ece1e6b425b843554a16cbbff5
SHA17c58cee83c757ffed40bcc568618799eaa3dc4a7
SHA256885ed1b15f850cca6f0dc4d1f91392f1ab684d9f6665a12acc0af94e4948bb08
SHA512cd374164fa3d4eadad199b0a32d9a9446e211c9c10d7f72c401f0c99865ae0335fe4dd7529fcc767d66aa46404604de0bf8b78e8f2bf45f4163ae3e017880503
-
Filesize
557KB
MD5b898e5ece1e6b425b843554a16cbbff5
SHA17c58cee83c757ffed40bcc568618799eaa3dc4a7
SHA256885ed1b15f850cca6f0dc4d1f91392f1ab684d9f6665a12acc0af94e4948bb08
SHA512cd374164fa3d4eadad199b0a32d9a9446e211c9c10d7f72c401f0c99865ae0335fe4dd7529fcc767d66aa46404604de0bf8b78e8f2bf45f4163ae3e017880503
-
Filesize
307KB
MD5f0dbbfc52f25179dfa9e04de0f485603
SHA1e1aa7209f17112d35453752264742ac54222ede6
SHA25611ceab1fe88d126c09efb7c18ac1cb6eab1a543043db5ba477815b80eeb9a72b
SHA512ebf151d38f011a3719d613cde788b57a0711a1f3ae7be1efcb968fd152262b5c658ea4d9a0e0b4fdeb8fdaefe02b3e2c2009ad73f7ae50f9c347efcff2d38626
-
Filesize
307KB
MD5f0dbbfc52f25179dfa9e04de0f485603
SHA1e1aa7209f17112d35453752264742ac54222ede6
SHA25611ceab1fe88d126c09efb7c18ac1cb6eab1a543043db5ba477815b80eeb9a72b
SHA512ebf151d38f011a3719d613cde788b57a0711a1f3ae7be1efcb968fd152262b5c658ea4d9a0e0b4fdeb8fdaefe02b3e2c2009ad73f7ae50f9c347efcff2d38626
-
Filesize
365KB
MD59c857b1bebfe5df4ea6bbf11d3b1ab19
SHA1920952a370636bbb930f927df61ecaa7dc8638ab
SHA25630b66c9c440eb76ffac17e4b8de9bd814393889ccc0d576466a9050373d7f4ba
SHA512e82585eb610095043f0feb178e58afa02f0e7edaad1f5c23d54026eac10f84daede7060d014cd6ccc7bec3ec17635fe1a5d973c80cb950ebab529d7eda45fe51
-
Filesize
365KB
MD59c857b1bebfe5df4ea6bbf11d3b1ab19
SHA1920952a370636bbb930f927df61ecaa7dc8638ab
SHA25630b66c9c440eb76ffac17e4b8de9bd814393889ccc0d576466a9050373d7f4ba
SHA512e82585eb610095043f0feb178e58afa02f0e7edaad1f5c23d54026eac10f84daede7060d014cd6ccc7bec3ec17635fe1a5d973c80cb950ebab529d7eda45fe51