Analysis
-
max time kernel
87s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2023 01:06
Static task
static1
Behavioral task
behavioral1
Sample
e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe
Resource
win10v2004-20230220-en
General
-
Target
e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe
-
Size
689KB
-
MD5
9eb6b607fa7c57e1a4ce70f7c1dfec1c
-
SHA1
ca1e785fc9502bd70f5703845fd61fcff6d075d3
-
SHA256
e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92
-
SHA512
1b4a078aa09ba6f8ce961d57e3f03d60e066758e67d9b8aad8a92c8aeb90d6955c5eabbc8f369eae44748f652a72316656d7db044c4452d7ce35a23276961913
-
SSDEEP
12288:NMray90LDLvnfD7GjfPWuKsvYyb65hLuch2qP7Ohi/jllsaBv1wmJ9vOFW0figt4:fywDbGbPW2ZGfaLIOhssaBymJ9aW0agq
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3491.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3491.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3491.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3491.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3491.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3491.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/4340-190-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-189-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-192-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-194-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-196-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-198-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-200-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-202-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-204-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-206-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-208-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-210-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-212-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-214-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-216-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-218-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-220-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline behavioral1/memory/4340-222-0x0000000003890000-0x00000000038CF000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 5072 un730324.exe 1800 pro3491.exe 4340 qu7208.exe 796 si194320.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3491.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3491.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un730324.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un730324.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 368 1800 WerFault.exe 85 4352 4340 WerFault.exe 92 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1800 pro3491.exe 1800 pro3491.exe 4340 qu7208.exe 4340 qu7208.exe 796 si194320.exe 796 si194320.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1800 pro3491.exe Token: SeDebugPrivilege 4340 qu7208.exe Token: SeDebugPrivilege 796 si194320.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2364 wrote to memory of 5072 2364 e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe 84 PID 2364 wrote to memory of 5072 2364 e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe 84 PID 2364 wrote to memory of 5072 2364 e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe 84 PID 5072 wrote to memory of 1800 5072 un730324.exe 85 PID 5072 wrote to memory of 1800 5072 un730324.exe 85 PID 5072 wrote to memory of 1800 5072 un730324.exe 85 PID 5072 wrote to memory of 4340 5072 un730324.exe 92 PID 5072 wrote to memory of 4340 5072 un730324.exe 92 PID 5072 wrote to memory of 4340 5072 un730324.exe 92 PID 2364 wrote to memory of 796 2364 e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe 96 PID 2364 wrote to memory of 796 2364 e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe 96 PID 2364 wrote to memory of 796 2364 e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe"C:\Users\Admin\AppData\Local\Temp\e303a7dbcc1dce6b01cccfa9f5336bd8a429ff433efed401dcb400197ffc0a92.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730324.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730324.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3491.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3491.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 10164⤵
- Program crash
PID:368
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7208.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 18164⤵
- Program crash
PID:4352
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si194320.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si194320.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1800 -ip 18001⤵PID:668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4340 -ip 43401⤵PID:908
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5f2f0c0a81d7b82e7bf3c7893b1a0eedf
SHA1848d68d3d76a2a73e3b274d852948f14e88b63d2
SHA25691aa3b26a7590f0cbe94dc0fa8ccb43e29f850ce21cac7950c3322d2d5bfcf76
SHA512e6bff05c9f281c4f83740c990199774bde026cd6e6e544a89d8000dbd0d594c50188a28202cd34c44590d5f2f07457c99a70611d1e313dc4f6d9e9702afb377a
-
Filesize
175KB
MD5f2f0c0a81d7b82e7bf3c7893b1a0eedf
SHA1848d68d3d76a2a73e3b274d852948f14e88b63d2
SHA25691aa3b26a7590f0cbe94dc0fa8ccb43e29f850ce21cac7950c3322d2d5bfcf76
SHA512e6bff05c9f281c4f83740c990199774bde026cd6e6e544a89d8000dbd0d594c50188a28202cd34c44590d5f2f07457c99a70611d1e313dc4f6d9e9702afb377a
-
Filesize
547KB
MD5192f2e6ff6b03e8958560666143967b0
SHA1dc05d2068e118e46023134ddad01b4c9c0e2c471
SHA256692869522de3fafae03ae3bdafb6f338ab44bd16f64762b82a69e4aa7b25077e
SHA5120ef4bc5d4fe4c7d0973f3737aae5c4e39c34887612ba1287798084e4944633ae4b7fd4ec630976ccd9aee563ae6106dc497e33afa1140a2632245baf186827b6
-
Filesize
547KB
MD5192f2e6ff6b03e8958560666143967b0
SHA1dc05d2068e118e46023134ddad01b4c9c0e2c471
SHA256692869522de3fafae03ae3bdafb6f338ab44bd16f64762b82a69e4aa7b25077e
SHA5120ef4bc5d4fe4c7d0973f3737aae5c4e39c34887612ba1287798084e4944633ae4b7fd4ec630976ccd9aee563ae6106dc497e33afa1140a2632245baf186827b6
-
Filesize
291KB
MD56545c51a989d0668b9877d9658935556
SHA1687429672bf79c5acbdb32045d2bf5ceac8bfed8
SHA25622335cdf4af76a72d27e85d105b978bd9b190586a60ea2eb9e400b70279cd20d
SHA512879b5fadfb28f75c68e880c6583aed3fcc6ba78b57844fe3983979b8b9c6556a39fbfd772b649e3760c90bfbf93afd7de97b3f6ac8d12e83c90f4db5902ebf46
-
Filesize
291KB
MD56545c51a989d0668b9877d9658935556
SHA1687429672bf79c5acbdb32045d2bf5ceac8bfed8
SHA25622335cdf4af76a72d27e85d105b978bd9b190586a60ea2eb9e400b70279cd20d
SHA512879b5fadfb28f75c68e880c6583aed3fcc6ba78b57844fe3983979b8b9c6556a39fbfd772b649e3760c90bfbf93afd7de97b3f6ac8d12e83c90f4db5902ebf46
-
Filesize
345KB
MD57c754f909797bbe562b6f311dd84caf1
SHA1fb1670cfbc7cacf2167a6167522880e8b17c2102
SHA2567ce3094165d05a6b673d1cf57aecacd7c613010303bf25daa54efa7afa79860c
SHA5128ea06664d5477f5fc3fdd21223d84ffae7eb3830b354a3bcf0d2ec74b29e4b49e0bea24d4561d203ba63cf02be2bb425f4f384d94d9571afd4ef3475280e5af2
-
Filesize
345KB
MD57c754f909797bbe562b6f311dd84caf1
SHA1fb1670cfbc7cacf2167a6167522880e8b17c2102
SHA2567ce3094165d05a6b673d1cf57aecacd7c613010303bf25daa54efa7afa79860c
SHA5128ea06664d5477f5fc3fdd21223d84ffae7eb3830b354a3bcf0d2ec74b29e4b49e0bea24d4561d203ba63cf02be2bb425f4f384d94d9571afd4ef3475280e5af2