Analysis
max time kernel: 61s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 28-03-2023 01:40
Static task: static1
Behavioral task: behavioral1
Sample: 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe
Resource: win10v2004-20230220-en
General
Target: 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe
Size: 689KB
MD5: fb46d2e4678de42f27ac43e1ff4305bd
SHA1: 6679db37ca749b5d1ce62775145df9aa3d397824
SHA256: 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e
SHA512: f7eb498dc12d28ef472d61773259c9f5914cb9e9cf58717abcf466b32d8e75c892dde102c147518acc0ac07ae54009a5c5ec42e8e2201b6757e84c675a317aff
SSDEEP: 12288:NMruy90D5FCRw+D27wXmzyN65hLuW3LuM8+D228+S6Obzv7FOpfigZqilS4L:PyDw+caAfaeLU+D2z+StzROpag0ilS4L
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9034.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9034.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro9034.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/3832-192-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-193-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-195-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-197-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-201-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-199-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-203-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-205-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-207-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-209-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-211-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-213-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-215-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-217-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-219-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-221-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-223-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-225-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
behavioral1/memory/3832-229-0x0000000006040000-0x0000000006050000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1524 | un346581.exe
2156 | pro9034.exe
3832 | qu4630.exe
4836 | si181997.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9034.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9034.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un346581.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un346581.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
3708 | 2156 | WerFault.exe | 84
4200 | 3832 | WerFault.exe | 93
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2156 | pro9034.exe
2156 | pro9034.exe
3832 | qu4630.exe
3832 | qu4630.exe
4836 | si181997.exe
4836 | si181997.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2156 | pro9034.exe
Token: SeDebugPrivilege | 3832 | qu4630.exe
Token: SeDebugPrivilege | 4836 | si181997.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4684 wrote to memory of 1524 | 4684 | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe | 83
PID 4684 wrote to memory of 1524 | 4684 | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe | 83
PID 4684 wrote to memory of 1524 | 4684 | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe | 83
PID 1524 wrote to memory of 2156 | 1524 | un346581.exe | 84
PID 1524 wrote to memory of 2156 | 1524 | un346581.exe | 84
PID 1524 wrote to memory of 2156 | 1524 | un346581.exe | 84
PID 1524 wrote to memory of 3832 | 1524 | un346581.exe | 93
PID 1524 wrote to memory of 3832 | 1524 | un346581.exe | 93
PID 1524 wrote to memory of 3832 | 1524 | un346581.exe | 93
PID 4684 wrote to memory of 4836 | 4684 | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe | 98
PID 4684 wrote to memory of 4836 | 4684 | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe | 98
PID 4684 wrote to memory of 4836 | 4684 | 94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\94a21a678cfdda17a8bd7a7bf939ed1b30146b9a3f3495ba6765ff457a05362e.exe"
  PID: 4684
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un346581.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un346581.exe
    PID: 1524
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9034.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9034.exe
      PID: 2156
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1016
        PID: 3708
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4630.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4630.exe
      PID: 3832
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1328
        PID: 4200
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si181997.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si181997.exe
    PID: 4836
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2156 -ip 2156
  PID: 988

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3832 -ip 3832
  PID: 1928
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: f3af7457f7ec69f3c69c7f9126b6e163
SHA1: d41306cd463fbc5e17999714256844369ea8663a
SHA256: 30c1b9a6e4fb7befbd480e90848a18c0f2a23e02f22881ed5db97203ed148a27
SHA512: 020456d197c5b3241fc2ba1875ee90a90c39dc9111f404fa2616d68dc9c353397bed57d4871e957f59e90609543c0a334e25fd88ab5e92427bff146cf3761b56

Filesize: 547KB
MD5: dba977459ce5a5a3550edee6d10b5239
SHA1: 5049ed00a132e84071f6ebecf3be36d8e27cc63e
SHA256: 576838bc02731d7516a646f578e8514ade289d0ada3afa0a77b72dbf8dc00ced
SHA512: 5e50516f4a84998efe1978e374fe53dd32eb2c91c21757c26e66b6f09687b786c3d70b19cb5ae8521c72418750a2cf49bfeb00d15cec48a857f1c79ea8bfe0d7

Filesize: 291KB
MD5: c78c6540a4984b65c9ee2ba44f441284
SHA1: c8c850ccc2819e00501386c67409bcccb0ac449e
SHA256: 3dcb33ea08a7b3afa8b96fb5f206cded7b22bf64fb6c9ad5be7f07fb5085f845
SHA512: 16503672d91ac686be296382bef1b35ac6f19583114ea6ecdf1d609a9434edfd981857eff1cfcd41a180500702d5d023adf129ece087c17ca5514a055f9e92ba

Filesize: 345KB
MD5: 634eb7798af67569fa87141ea91047df
SHA1: 82ea7c79e6f3ecb3941062fc55df4bd5dc205c89
SHA256: b7c660c4177e7043f045a8ba29caaba442088709a1f268b3ae0fe0bb403fa393
SHA512: 758a1c832358f6fd390f2cc3d6269ca653e8b8a00e1b8addfeaa29c25c2e63e622b4827247a9f319bb54d8376e46c9c317711126f6365f472ef00b611fdd0263