Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
28-03-2023 00:49
General
-
Target
setup.exe
-
Size
700KB
-
MD5
91b2d727b8117ad492600d92b46d2bb0
-
SHA1
89304ec2f654ce86b9e56d6cccb21019bf0ee2fd
-
SHA256
a7f78b36d51957d3826f1433142ca10123c9ae9ad7f6c0c8a4562af181de9ea8
-
SHA512
b061c6a19d6b1748d679d20a82ddede91e00cf8541686ccff7934a671da46c31b57fa8eaefd1d8624837d217368263c453d020d5d43fa3087ec235ef36a16da3
-
SSDEEP
12288:0MrSy90iiY8hjHwdT9DVicAuN9qOVZ3Gptw336DWn:GyiY8BQwqqqGkaDm
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un735299.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un735299.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si324365.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si324365.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si324365.exeFilesize
175KB
MD50c6bbc941b32441d0484c032f2bced54
SHA10fe2c9daccadd968a6db2eea1b43338b18385aa9
SHA2560c8ff0599a226a5737d8b7161cf0394a32c6dff19598ec302062c733cae69240
SHA512d0416e97915764cc49973fb368829efe2cc4f66c4d4a75a7d4df7905ea910c8ab6ff22129ab8c9e8c92f3e1aec996849f3a77692964503a90073f7507eac4e44
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si324365.exeFilesize
175KB
MD50c6bbc941b32441d0484c032f2bced54
SHA10fe2c9daccadd968a6db2eea1b43338b18385aa9
SHA2560c8ff0599a226a5737d8b7161cf0394a32c6dff19598ec302062c733cae69240
SHA512d0416e97915764cc49973fb368829efe2cc4f66c4d4a75a7d4df7905ea910c8ab6ff22129ab8c9e8c92f3e1aec996849f3a77692964503a90073f7507eac4e44
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un735299.exeFilesize
558KB
MD54ac703772ad858bfb18f64ef7eec4b05
SHA1aaccacaa03a73f539327c668de29205de5647546
SHA256118d1a080167be414d73d12cd453eb73a2729c13a9c9abcf0e4b74385874ae18
SHA512f8ae02350ab46d31ce30dc0969c8d84e9d94c068ededf27391b0080ddf9e2f04d4e5581829d5214acbb43438b2885f54a0d4fc9d26fba194a4ac1615ad7aae18
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un735299.exeFilesize
558KB
MD54ac703772ad858bfb18f64ef7eec4b05
SHA1aaccacaa03a73f539327c668de29205de5647546
SHA256118d1a080167be414d73d12cd453eb73a2729c13a9c9abcf0e4b74385874ae18
SHA512f8ae02350ab46d31ce30dc0969c8d84e9d94c068ededf27391b0080ddf9e2f04d4e5581829d5214acbb43438b2885f54a0d4fc9d26fba194a4ac1615ad7aae18
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeFilesize
307KB
MD59b6d712ca30d69c543807665bea6cf80
SHA1624b8e0521d6be9e7930962a9ce331856c23ac3b
SHA2567b5064206dcdc3f723fa2e2b1fc41c86726601b77f1907ddf173518ed74590d4
SHA512ccbdb97a16cb3aafafc0476225ae10b9d781f18d8649ca8714640f92296b0163751adc20085545282b5daf32101f9695d84e8a76ab59ca62971b9ca60d9f9481
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeFilesize
307KB
MD59b6d712ca30d69c543807665bea6cf80
SHA1624b8e0521d6be9e7930962a9ce331856c23ac3b
SHA2567b5064206dcdc3f723fa2e2b1fc41c86726601b77f1907ddf173518ed74590d4
SHA512ccbdb97a16cb3aafafc0476225ae10b9d781f18d8649ca8714640f92296b0163751adc20085545282b5daf32101f9695d84e8a76ab59ca62971b9ca60d9f9481
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeFilesize
307KB
MD59b6d712ca30d69c543807665bea6cf80
SHA1624b8e0521d6be9e7930962a9ce331856c23ac3b
SHA2567b5064206dcdc3f723fa2e2b1fc41c86726601b77f1907ddf173518ed74590d4
SHA512ccbdb97a16cb3aafafc0476225ae10b9d781f18d8649ca8714640f92296b0163751adc20085545282b5daf32101f9695d84e8a76ab59ca62971b9ca60d9f9481
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeFilesize
365KB
MD5f3f404ff1aa4575c39f0eabccdec404a
SHA1340416ce7ec3c80c2fab33866f43c32df0859752
SHA256ae5190792d47cf646c8e65d665d765fe6a31cf561cd9a89063067dfb0c95dd06
SHA51252b49757f01df32d3e699800e170c60031a6a03805aa401d92cf43714eff0490dfe9ba829b237b0acc8d3fbd5d65f3eda7fbdafe9b349a2e6ff8539d08afc3bf
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeFilesize
365KB
MD5f3f404ff1aa4575c39f0eabccdec404a
SHA1340416ce7ec3c80c2fab33866f43c32df0859752
SHA256ae5190792d47cf646c8e65d665d765fe6a31cf561cd9a89063067dfb0c95dd06
SHA51252b49757f01df32d3e699800e170c60031a6a03805aa401d92cf43714eff0490dfe9ba829b237b0acc8d3fbd5d65f3eda7fbdafe9b349a2e6ff8539d08afc3bf
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeFilesize
365KB
MD5f3f404ff1aa4575c39f0eabccdec404a
SHA1340416ce7ec3c80c2fab33866f43c32df0859752
SHA256ae5190792d47cf646c8e65d665d765fe6a31cf561cd9a89063067dfb0c95dd06
SHA51252b49757f01df32d3e699800e170c60031a6a03805aa401d92cf43714eff0490dfe9ba829b237b0acc8d3fbd5d65f3eda7fbdafe9b349a2e6ff8539d08afc3bf
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\si324365.exeFilesize
175KB
MD50c6bbc941b32441d0484c032f2bced54
SHA10fe2c9daccadd968a6db2eea1b43338b18385aa9
SHA2560c8ff0599a226a5737d8b7161cf0394a32c6dff19598ec302062c733cae69240
SHA512d0416e97915764cc49973fb368829efe2cc4f66c4d4a75a7d4df7905ea910c8ab6ff22129ab8c9e8c92f3e1aec996849f3a77692964503a90073f7507eac4e44
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\si324365.exeFilesize
175KB
MD50c6bbc941b32441d0484c032f2bced54
SHA10fe2c9daccadd968a6db2eea1b43338b18385aa9
SHA2560c8ff0599a226a5737d8b7161cf0394a32c6dff19598ec302062c733cae69240
SHA512d0416e97915764cc49973fb368829efe2cc4f66c4d4a75a7d4df7905ea910c8ab6ff22129ab8c9e8c92f3e1aec996849f3a77692964503a90073f7507eac4e44
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un735299.exeFilesize
558KB
MD54ac703772ad858bfb18f64ef7eec4b05
SHA1aaccacaa03a73f539327c668de29205de5647546
SHA256118d1a080167be414d73d12cd453eb73a2729c13a9c9abcf0e4b74385874ae18
SHA512f8ae02350ab46d31ce30dc0969c8d84e9d94c068ededf27391b0080ddf9e2f04d4e5581829d5214acbb43438b2885f54a0d4fc9d26fba194a4ac1615ad7aae18
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un735299.exeFilesize
558KB
MD54ac703772ad858bfb18f64ef7eec4b05
SHA1aaccacaa03a73f539327c668de29205de5647546
SHA256118d1a080167be414d73d12cd453eb73a2729c13a9c9abcf0e4b74385874ae18
SHA512f8ae02350ab46d31ce30dc0969c8d84e9d94c068ededf27391b0080ddf9e2f04d4e5581829d5214acbb43438b2885f54a0d4fc9d26fba194a4ac1615ad7aae18
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeFilesize
307KB
MD59b6d712ca30d69c543807665bea6cf80
SHA1624b8e0521d6be9e7930962a9ce331856c23ac3b
SHA2567b5064206dcdc3f723fa2e2b1fc41c86726601b77f1907ddf173518ed74590d4
SHA512ccbdb97a16cb3aafafc0476225ae10b9d781f18d8649ca8714640f92296b0163751adc20085545282b5daf32101f9695d84e8a76ab59ca62971b9ca60d9f9481
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeFilesize
307KB
MD59b6d712ca30d69c543807665bea6cf80
SHA1624b8e0521d6be9e7930962a9ce331856c23ac3b
SHA2567b5064206dcdc3f723fa2e2b1fc41c86726601b77f1907ddf173518ed74590d4
SHA512ccbdb97a16cb3aafafc0476225ae10b9d781f18d8649ca8714640f92296b0163751adc20085545282b5daf32101f9695d84e8a76ab59ca62971b9ca60d9f9481
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5345.exeFilesize
307KB
MD59b6d712ca30d69c543807665bea6cf80
SHA1624b8e0521d6be9e7930962a9ce331856c23ac3b
SHA2567b5064206dcdc3f723fa2e2b1fc41c86726601b77f1907ddf173518ed74590d4
SHA512ccbdb97a16cb3aafafc0476225ae10b9d781f18d8649ca8714640f92296b0163751adc20085545282b5daf32101f9695d84e8a76ab59ca62971b9ca60d9f9481
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeFilesize
365KB
MD5f3f404ff1aa4575c39f0eabccdec404a
SHA1340416ce7ec3c80c2fab33866f43c32df0859752
SHA256ae5190792d47cf646c8e65d665d765fe6a31cf561cd9a89063067dfb0c95dd06
SHA51252b49757f01df32d3e699800e170c60031a6a03805aa401d92cf43714eff0490dfe9ba829b237b0acc8d3fbd5d65f3eda7fbdafe9b349a2e6ff8539d08afc3bf
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeFilesize
365KB
MD5f3f404ff1aa4575c39f0eabccdec404a
SHA1340416ce7ec3c80c2fab33866f43c32df0859752
SHA256ae5190792d47cf646c8e65d665d765fe6a31cf561cd9a89063067dfb0c95dd06
SHA51252b49757f01df32d3e699800e170c60031a6a03805aa401d92cf43714eff0490dfe9ba829b237b0acc8d3fbd5d65f3eda7fbdafe9b349a2e6ff8539d08afc3bf
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4240.exeFilesize
365KB
MD5f3f404ff1aa4575c39f0eabccdec404a
SHA1340416ce7ec3c80c2fab33866f43c32df0859752
SHA256ae5190792d47cf646c8e65d665d765fe6a31cf561cd9a89063067dfb0c95dd06
SHA51252b49757f01df32d3e699800e170c60031a6a03805aa401d92cf43714eff0490dfe9ba829b237b0acc8d3fbd5d65f3eda7fbdafe9b349a2e6ff8539d08afc3bf
-
memory/328-143-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-149-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-1034-0x0000000004CD0000-0x0000000004D10000-memory.dmpFilesize
256KB
-
memory/328-161-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-159-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-157-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-155-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-153-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-151-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-147-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-145-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-141-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-139-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-137-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-135-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-133-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-131-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-122-0x0000000002480000-0x00000000024C6000-memory.dmpFilesize
280KB
-
memory/328-123-0x00000000024C0000-0x0000000002504000-memory.dmpFilesize
272KB
-
memory/328-124-0x0000000000320000-0x000000000036B000-memory.dmpFilesize
300KB
-
memory/328-125-0x0000000004CD0000-0x0000000004D10000-memory.dmpFilesize
256KB
-
memory/328-126-0x0000000004CD0000-0x0000000004D10000-memory.dmpFilesize
256KB
-
memory/328-127-0x0000000004CD0000-0x0000000004D10000-memory.dmpFilesize
256KB
-
memory/328-128-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/328-129-0x00000000024C0000-0x00000000024FF000-memory.dmpFilesize
252KB
-
memory/1608-1043-0x0000000000A10000-0x0000000000A42000-memory.dmpFilesize
200KB
-
memory/1608-1044-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/1896-107-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-105-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-91-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-93-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-82-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-111-0x0000000000400000-0x000000000070F000-memory.dmpFilesize
3.1MB
-
memory/1896-110-0x0000000000400000-0x000000000070F000-memory.dmpFilesize
3.1MB
-
memory/1896-95-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-83-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-109-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-103-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-89-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-99-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-101-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-97-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-81-0x0000000000800000-0x0000000000818000-memory.dmpFilesize
96KB
-
memory/1896-80-0x0000000004EB0000-0x0000000004EF0000-memory.dmpFilesize
256KB
-
memory/1896-79-0x0000000000290000-0x00000000002BD000-memory.dmpFilesize
180KB
-
memory/1896-78-0x00000000007E0000-0x00000000007FA000-memory.dmpFilesize
104KB
-
memory/1896-87-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB
-
memory/1896-85-0x0000000000800000-0x0000000000812000-memory.dmpFilesize
72KB