Analysis
-
max time kernel
138s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2023 01:38
Static task
static1
Behavioral task
behavioral1
Sample
fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe
Resource
win10v2004-20230220-en
General
-
Target
fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe
-
Size
690KB
-
MD5
a3cd2fabe8fddd09d0f16b379590b493
-
SHA1
ca65c759ba8d490a956910185e09d1c3f8638731
-
SHA256
fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a
-
SHA512
5ff316c3e8744432c7eb7ac6cdacfd141ad3ff4a44029ebb0b7a9e69d67a2bc98ebb41b509f84b8a67f570d6ff5dce82c3b8f3ae1dec664bd4fa1ad284b43869
-
SSDEEP
12288:/MrMy90l0HFAFyLyy65hLud8cNhvwB/tvxvJF+dfigzMhntoNUS:Hyb6w2hfadrhy/BxL+dagz2S
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro1110.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro1110.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro1110.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro1110.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro1110.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro1110.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource yara_rule behavioral1/memory/4548-192-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-191-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-194-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-196-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-198-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-200-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-202-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-204-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-206-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-208-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-210-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-212-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-214-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-216-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-218-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-222-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-224-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-220-0x0000000003870000-0x00000000038AF000-memory.dmp family_redline behavioral1/memory/4548-371-0x0000000006280000-0x0000000006290000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1404 un471827.exe 2988 pro1110.exe 4548 qu2975.exe 3976 si454518.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro1110.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro1110.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un471827.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un471827.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4760 2988 WerFault.exe 87 4512 4548 WerFault.exe 93 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2988 pro1110.exe 2988 pro1110.exe 4548 qu2975.exe 4548 qu2975.exe 3976 si454518.exe 3976 si454518.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2988 pro1110.exe Token: SeDebugPrivilege 4548 qu2975.exe Token: SeDebugPrivilege 3976 si454518.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4056 wrote to memory of 1404 4056 fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe 86 PID 4056 wrote to memory of 1404 4056 fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe 86 PID 4056 wrote to memory of 1404 4056 fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe 86 PID 1404 wrote to memory of 2988 1404 un471827.exe 87 PID 1404 wrote to memory of 2988 1404 un471827.exe 87 PID 1404 wrote to memory of 2988 1404 un471827.exe 87 PID 1404 wrote to memory of 4548 1404 un471827.exe 93 PID 1404 wrote to memory of 4548 1404 un471827.exe 93 PID 1404 wrote to memory of 4548 1404 un471827.exe 93 PID 4056 wrote to memory of 3976 4056 fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe 97 PID 4056 wrote to memory of 3976 4056 fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe 97 PID 4056 wrote to memory of 3976 4056 fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe"C:\Users\Admin\AppData\Local\Temp\fdc98cd521c4051b32685d81dd2d579b2c99b501bf2476ca9b23fea5f517a85a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471827.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471827.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1110.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1110.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 10844⤵
- Program crash
PID:4760
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2975.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2975.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 17524⤵
- Program crash
PID:4512
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si454518.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si454518.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2988 -ip 29881⤵PID:1644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4548 -ip 45481⤵PID:4012
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD50221bd72a6fc6363add5760376b57a5d
SHA131569b946cbc27f4cebe4a102798723905f0a3ce
SHA2568b3b4f7d906267e1f6cdfecef2f3855103f9626126721cc9db7c6e72ed2c39e4
SHA512fd757fdcc4e7a1b84afc0882b79115c9568a219a328c8e544a33111a97bf084e85af65a31237cd55a3095f61bc863e69bc34084e1853d8199cc82964f5b32a23
-
Filesize
175KB
MD50221bd72a6fc6363add5760376b57a5d
SHA131569b946cbc27f4cebe4a102798723905f0a3ce
SHA2568b3b4f7d906267e1f6cdfecef2f3855103f9626126721cc9db7c6e72ed2c39e4
SHA512fd757fdcc4e7a1b84afc0882b79115c9568a219a328c8e544a33111a97bf084e85af65a31237cd55a3095f61bc863e69bc34084e1853d8199cc82964f5b32a23
-
Filesize
548KB
MD5b7cbeb775eab4b2786b3d75b5522a9b9
SHA18d3292c26ea7cb9d5fed517a6928de9a26b4324e
SHA2568700599618e0dea0eca80c9325b54ac26ace418faab6d480f1779fa6558a1f83
SHA512f7740e763b2f4b670e606461921ba85b48c5df7e8acfc1a80933d9c76a2dec7fb5ff9a65ac0d29fc80bf4cbb483cfb2306ae287d654282270a8fb4cef2df3e93
-
Filesize
548KB
MD5b7cbeb775eab4b2786b3d75b5522a9b9
SHA18d3292c26ea7cb9d5fed517a6928de9a26b4324e
SHA2568700599618e0dea0eca80c9325b54ac26ace418faab6d480f1779fa6558a1f83
SHA512f7740e763b2f4b670e606461921ba85b48c5df7e8acfc1a80933d9c76a2dec7fb5ff9a65ac0d29fc80bf4cbb483cfb2306ae287d654282270a8fb4cef2df3e93
-
Filesize
291KB
MD5a575c96ce6c090947fd37cc582b9521e
SHA160ea46e9769566fb1e0ffbf141e693e6f5ee83aa
SHA2561d1e3c048709a45dd0de6b05ef8735f633cf93af995773897de35a60a15ccd55
SHA5123ee7b10426c81874f64e18b34c5f40a7639aef6be0aeb764bab280244bf16095454eebf6ddc99d4e40aaa227123ae75976877d335c086eca67881b94bb928e44
-
Filesize
291KB
MD5a575c96ce6c090947fd37cc582b9521e
SHA160ea46e9769566fb1e0ffbf141e693e6f5ee83aa
SHA2561d1e3c048709a45dd0de6b05ef8735f633cf93af995773897de35a60a15ccd55
SHA5123ee7b10426c81874f64e18b34c5f40a7639aef6be0aeb764bab280244bf16095454eebf6ddc99d4e40aaa227123ae75976877d335c086eca67881b94bb928e44
-
Filesize
345KB
MD5cb9e6f8f8eec5063bee2faa69ed272f4
SHA14f2c779d74690fcb1ad3b69f36e0a2b097d67bb1
SHA2564502f92762d46d440cbe3683d79377116b1df920f8e11700b3999fc654e45efb
SHA51289789b98f4bf5ec3bcdf06556c6bc3cd2c074e64a1f58cdfcc656be0e77358c035c276505f803f36ae6d5a37a7047886a6c3c460d085a33f9d8b5e9771345d5d
-
Filesize
345KB
MD5cb9e6f8f8eec5063bee2faa69ed272f4
SHA14f2c779d74690fcb1ad3b69f36e0a2b097d67bb1
SHA2564502f92762d46d440cbe3683d79377116b1df920f8e11700b3999fc654e45efb
SHA51289789b98f4bf5ec3bcdf06556c6bc3cd2c074e64a1f58cdfcc656be0e77358c035c276505f803f36ae6d5a37a7047886a6c3c460d085a33f9d8b5e9771345d5d