Analysis
- max time kernel: 98s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 28-03-2023 00:49
Static task: static1
Behavioral task: behavioral1
- Sample: setup.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: setup.exe
- Resource: win10v2004-20230220-en
General
- Target: setup.exe
- Size: 700KB
- MD5: e5c39288174fe8301d8ce5eadbb9fc45
- SHA1: 35b0f9f9d8511c84a6a6adbc9ffcdac21163eb7e
- SHA256: 59a96ae7fe2837bb38938348c93c5809df4fcd1f57fa2ea6da684451c875d516
- SHA512: 5e0d102abcb17f92eca8174b893de4e208f2d8ced06c18ba444c7a08fed84982c70fab68a717e371e7861246dda1316d91a4cb6521b231a38fe815cf90274508
- SSDEEP: 12288:qMrvy90EQpjD97tL3M9DqecAYqoNdqYTTQBmwu60EOQd5/:VyDQ/xYY/qG9He5/
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- Family: redline
- from: 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: pro0178.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0178.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0178.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0178.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0178.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0178.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0178.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
Processes: qu5708.exe (PID 2136)
resource | yara_rule
behavioral2/memory/2136-190-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-191-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-193-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-195-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-197-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-199-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-201-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-203-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-205-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-207-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-209-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-213-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-211-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-215-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-217-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-219-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-223-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
behavioral2/memory/2136-226-0x0000000004BD0000-0x0000000004C0F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
Processes: un027665.exe, pro0178.exe, qu5708.exe, si491364.exe
pid | process
3268 | un027665.exe
460 | pro0178.exe
2136 | qu5708.exe
2616 | si491364.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: pro0178.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0178.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0178.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Processes: setup.exe, un027665.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un027665.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un027665.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3896 | 460 | WerFault.exe | pro0178.exe
2912 | 2136 | WerFault.exe | qu5708.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: pro0178.exe, qu5708.exe, si491364.exe
pid | process
460 | pro0178.exe
460 | pro0178.exe
2136 | qu5708.exe
2136 | qu5708.exe
2616 | si491364.exe
2616 | si491364.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: pro0178.exe, qu5708.exe, si491364.exe
description | pid | process
Token: SeDebugPrivilege | 460 | pro0178.exe
Token: SeDebugPrivilege | 2136 | qu5708.exe
Token: SeDebugPrivilege | 2616 | si491364.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: setup.exe, un027665.exe
description | pid | process | target process
PID 3776 wrote to memory of 3268 | 3776 | setup.exe | un027665.exe
PID 3776 wrote to memory of 3268 | 3776 | setup.exe | un027665.exe
PID 3776 wrote to memory of 3268 | 3776 | setup.exe | un027665.exe
PID 3268 wrote to memory of 460 | 3268 | un027665.exe | pro0178.exe
PID 3268 wrote to memory of 460 | 3268 | un027665.exe | pro0178.exe
PID 3268 wrote to memory of 460 | 3268 | un027665.exe | pro0178.exe
PID 3268 wrote to memory of 2136 | 3268 | un027665.exe | qu5708.exe
PID 3268 wrote to memory of 2136 | 3268 | un027665.exe | qu5708.exe
PID 3268 wrote to memory of 2136 | 3268 | un027665.exe | qu5708.exe
PID 3776 wrote to memory of 2616 | 3776 | setup.exe | si491364.exe
PID 3776 wrote to memory of 2616 | 3776 | setup.exe | si491364.exe
PID 3776 wrote to memory of 2616 | 3776 | setup.exe | si491364.exe
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3776
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un027665.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un027665.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3268
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0178.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0178.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 460
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1084
        - Program crash
        PID: 3896
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5708.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5708.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2136
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1540
        - Program crash
        PID: 2912
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si491364.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si491364.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2616
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 460 -ip 460
  PID: 1664
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2136 -ip 2136
  PID: 1988
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: eebcd5db7c3df05e789364f005301101
  SHA1: 2285e34a146573381737b0201fd9e7fc638cd151
  SHA256: fec54b475baf6e4f6e355b307a0a197a150c3f99f229214d7b51a87f1d317c7b
  SHA512: d05dc3c64e89423c4b24c96a50b2b42b3755950cfe6e952235edfc332588178882ce7c65f89323b3b9a49cf03d51e934e56ed560ea15693a6611fdac9ac9ae43
- Filesize: 558KB
  MD5: dbea9fc2487883c906efd56330ce00c4
  SHA1: fa12a1e3f77093a3f111210b8d48055d32f68d57
  SHA256: c0b42787a030146779caae3dc4b21e40a5ec5bdf51c639d693304de566c96365
  SHA512: 1658549e5eb1c9cd3402bc48f79123e93ac030ddc10f7fb99a54903af838f2cd509b8a8c288c56a544051d7cab2a8d1d5e11c0caabf167e84b975774a9fa8b32
- Filesize: 307KB
  MD5: 0a36dc80fa5a24d4bc9baaa3e69ff87a
  SHA1: 95a374b7105bfa88080e8699ec5cb1b8e773954c
  SHA256: 91ec9a1970219288802223dcd6ac3953925a42590e27984ab943d5e13cf530d5
  SHA512: 9f232058931178934b6aee72fb6059d6d91ffc2077f2e702a8275ec1d403dc8a16963519f9194b037c14a33b7821f24f413a32bf02e996a9deb7f2f57837ef00
- Filesize: 365KB
  MD5: 059f744cee38f63340775f3741022090
  SHA1: 21b4e4795d1eae53e18695a38b98734c04bb6040
  SHA256: 511ca0febadf7560ff121eebb1e4fc060e51aefb9f8ed7e145fffd9845cd888e
  SHA512: 4afda4c7ecbd97abb448aaefdccfae8a1c9e306cb9d451269f4d527e5414b24e26290278681ed01186b867f0d5a74a497549316ddf61198b394657971a56cfbf