Analysis
- max time kernel: 141s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 00:02
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe
  - Resource: win10v2004-20230220-en
General
- Target: 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe
- Size: 700KB
- MD5: cb336194f462fa3800eed2a2570f997c
- SHA1: 69f1d922eea27a00d9bf70bde8f36d7b8c8e72ab
- SHA256: 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7
- SHA512: a428b4f01e29ce0f8bf7d38ffb2c9ea8ff1ba94b1d144eee89b6b2dc463d4d247bf432c278da55548058f21bec0d0e2b966bfaf69c9823b22b378c85134cfa3b
- SSDEEP: 12288:HMr8y90Mn3sIS/c9DMVcA5u+7Ht0zTTx7L/DZ:PyPnn05u+7Ht0PTxn/DZ
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- Family: redline
- Botnet: from
- C2: 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8081.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8081.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8081.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8081.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8081.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8081.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 18 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/4572-190-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-193-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-191-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-195-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-197-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-199-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-201-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-203-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-205-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-207-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-209-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-213-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-211-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-215-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-217-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-219-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-221-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
| behavioral1/memory/4572-223-0x0000000002890000-0x00000000028CF000-memory.dmp | family_redline |
Executes dropped EXE 4 IoCs
Processes:
| pid | process |
| --- | --- |
| 4560 | un267242.exe |
| 3480 | pro8081.exe |
| 4572 | qu7982.exe |
| 1344 | si846597.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8081.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8081.exe |
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un267242.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un267242.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
| pid | process |
| --- | --- |
| 3768 | sc.exe |
Program crash 2 IoCs
Processes:
| pid | pid_target | process | target process |
| --- | --- | --- | --- |
| 3284 | 3480 | WerFault.exe | pro8081.exe |
| 3308 | 4572 | WerFault.exe | qu7982.exe |
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
| pid | process |
| --- | --- |
| 3480 | pro8081.exe |
| 3480 | pro8081.exe |
| 4572 | qu7982.exe |
| 4572 | qu7982.exe |
| 1344 | si846597.exe |
| 1344 | si846597.exe |
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3480 | pro8081.exe |
| Token: SeDebugPrivilege | 4572 | qu7982.exe |
| Token: SeDebugPrivilege | 1344 | si846597.exe |
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2364 wrote to memory of 4560 | 2364 | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe | un267242.exe |
| PID 2364 wrote to memory of 4560 | 2364 | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe | un267242.exe |
| PID 2364 wrote to memory of 4560 | 2364 | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe | un267242.exe |
| PID 4560 wrote to memory of 3480 | 4560 | un267242.exe | pro8081.exe |
| PID 4560 wrote to memory of 3480 | 4560 | un267242.exe | pro8081.exe |
| PID 4560 wrote to memory of 3480 | 4560 | un267242.exe | pro8081.exe |
| PID 4560 wrote to memory of 4572 | 4560 | un267242.exe | qu7982.exe |
| PID 4560 wrote to memory of 4572 | 4560 | un267242.exe | qu7982.exe |
| PID 4560 wrote to memory of 4572 | 4560 | un267242.exe | qu7982.exe |
| PID 2364 wrote to memory of 1344 | 2364 | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe | si846597.exe |
| PID 2364 wrote to memory of 1344 | 2364 | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe | si846597.exe |
| PID 2364 wrote to memory of 1344 | 2364 | 0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe | si846597.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c9d93c696b994b66349ae331bf9afba1d34b730486dae290c57e10c43775fc7.exe"
  PID: 2364
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un267242.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un267242.exe
    PID: 4560
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8081.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8081.exe
      PID: 3480
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1080
        PID: 3284
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7982.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7982.exe
      PID: 4572
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1336
        PID: 3308
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si846597.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si846597.exe
    PID: 1344
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3480 -ip 3480
  PID: 3436
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4572 -ip 4572
  PID: 1204
- C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 3768
  Signatures: Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  - MD5: 1d6f6eb9aa656c59ecc288c6a869eca4
  - SHA1: 3920c627d25eab201a94daed786e996cc5ffc843
  - SHA256: 785def4c9cab6166964c509003209684a494c980ce69eff356a9bc9f3370db8c
  - SHA512: 813f337927a16c3a36baa1df4515ef4bf693e69b8c63ee83596df0f705e0bf99b4aa06333e9877423101a1b89e6d38eabab7c5110f8f2cd72ad9e99938273f19
- Filesize: 558KB
  - MD5: 05a0c9a78cc956d88fb25f3fd7a47b5d
  - SHA1: 6b4d6d6dba3b32900ce3924e39769d54e8f27592
  - SHA256: 319f4ece7555d3d08879599341ebd61e4936284b0b8cc87de06b8f0396e45384
  - SHA512: ad5a1799ac2f1e9e4b0bd1dad313a1f7e54eacb86eb3a0a77c357c1a8e7f75b182aaf292864c1325bab07d13d38699fc912d126d90fc00a648cb59e021527c0b
- Filesize: 307KB
  - MD5: d7f5583b0e06e13db2917a7f5bbeaa3e
  - SHA1: 068ee95d2bcc2833a9a6f433bdbb6de6e1bb8b60
  - SHA256: 97912495cd985b5300be7cc1b33b7a15c7057b654d82ed1e8edb8789c789f66b
  - SHA512: f9d37729841286507151835ef59e30d63f465abc2660c64174f72339698da6542cf7fe3bb349678ed5e8b1e5cc2ee68b2d9eecb5c5d33d8ec1594bf6d2a64fb7
- Filesize: 365KB
  - MD5: 6dc37eb2d96e72659142c1cfa1396cff
  - SHA1: fd6f302c4df439567b0c9a946d69f25ce206217b
  - SHA256: 86be5736993b55ef2f452c3fda54d2ee6035836e4dbcc2b28086ecb0b7f830e8
  - SHA512: e0367417d70f858c4b67822ee08f27912c26c0b347bfe6479173c5ff36305a12dbed6fe91b7967566d4b385b4014648f1176446a370e8a2df1f46be1fe08677e