Analysis
max time kernel: 133s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 01:07
Static task: static1
Behavioral task: behavioral1
Sample: 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe
Resource: win10v2004-20230220-en
General
Target: 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe
Size: 689KB
MD5: 31a01aabbc83012dee609c1d04413703
SHA1: 8b9c44d9dde188302559503d0d26c5ce1d623f99
SHA256: 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3
SHA512: 0edf7762ec54259fdbb1069996f4c886db35af7c020fa8a5da6c21e42ecb33ce1bd3e45636f1680efad174edf9b42a0d2c70f401d8b452ad95e2f7840c2841e4
SSDEEP: 12288:NMray90a61rTvD4LFDuigNhE1Beon9W+DT4Tcd2EUlb9PoK0smJGvHFtnfigxwUV:Lyb6VTvD4LTTel+DTyEabNBmJG9tnagl
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes: auth_value = 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
Attributes: auth_value = 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro2668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro2668.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro2668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro2668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro2668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro2668.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/1260-189-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-190-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-192-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-194-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-196-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-198-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-200-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-202-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-204-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-206-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-210-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-208-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-212-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-214-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-216-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-218-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-220-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-222-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/1260-264-0x00000000060C0000-0x00000000060D0000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
3984 | un929604.exe
988 | pro2668.exe
1260 | qu4791.exe
1352 | si284137.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro2668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro2668.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un929604.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un929604.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3664 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2816 | 988 | WerFault.exe | 86
4568 | 1260 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
988 | pro2668.exe
988 | pro2668.exe
1260 | qu4791.exe
1260 | qu4791.exe
1352 | si284137.exe
1352 | si284137.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 988 | pro2668.exe
Token: SeDebugPrivilege | 1260 | qu4791.exe
Token: SeDebugPrivilege | 1352 | si284137.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2320 wrote to memory of 3984 | 2320 | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe | 85
PID 2320 wrote to memory of 3984 | 2320 | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe | 85
PID 2320 wrote to memory of 3984 | 2320 | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe | 85
PID 3984 wrote to memory of 988 | 3984 | un929604.exe | 86
PID 3984 wrote to memory of 988 | 3984 | un929604.exe | 86
PID 3984 wrote to memory of 988 | 3984 | un929604.exe | 86
PID 3984 wrote to memory of 1260 | 3984 | un929604.exe | 94
PID 3984 wrote to memory of 1260 | 3984 | un929604.exe | 94
PID 3984 wrote to memory of 1260 | 3984 | un929604.exe | 94
PID 2320 wrote to memory of 1352 | 2320 | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe | 98
PID 2320 wrote to memory of 1352 | 2320 | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe | 98
PID 2320 wrote to memory of 1352 | 2320 | 8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe | 98
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\8e73eecaf65cbd353da015f61bbe85a57287df004f2acff1e06192644a46a9d3.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2320
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un929604.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un929604.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3984
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2668.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2668.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 988
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1080
          - Program crash
          PID: 2816
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4791.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4791.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1260
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1360
          - Program crash
          PID: 4568
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si284137.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si284137.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1352
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 988 -ip 988
    PID: 2608
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1260 -ip 1260
    PID: 4524
[1] C:\Windows\system32\sc.exe
    cmd: C:\Windows\system32\sc.exe start wuauserv
    - Launches sc.exe
    PID: 3664
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: c4da4900e3b6fb91d5596f6ec9efb106
SHA1: 30de96a9ed420e78daf9ba05cd632c50a81b8979
SHA256: 4addd6e19e46476031e90928ac5026b82a965a5b71a89763a81c6fe9c1a70b7d
SHA512: 0c522f85739e77216032b1318b8850063dfc80ab5ffd6bdf2fbd4cf2dfb210ed6528b5ced7318969938591e731634e68806307b59448d2bf28fff33c5ad6db6b

Filesize: 547KB
MD5: 5ba2dc387d7a1909770aaf728ea63535
SHA1: a3b5a24eae8a1113ea6c8bd5147bbf47659db5ca
SHA256: 876a4bca4cbc6e95103091ac2b620f68e028115cee4920fb40aa646e5c4d52df
SHA512: 9528447d9565fef43441ca1a4fb705aeb85f25d481ec01e02ff1de3ccc6dbb7aa59572ad3e4df4a939b22986d3af188a2b9cea5945e5b7283e636a09df1b8333

Filesize: 291KB
MD5: 721e50845379bb18a06d3755de50a3e8
SHA1: 3eb89d1353c6da7c8e0a5b379686e4acb88200b4
SHA256: f7116dc0ed5a576f9ba530975a294eb871089380c078378c76159689dc4bd50c
SHA512: 3d468bbe1d908d59131e0a468b628cfd6c6472a6e89792144cbcabd63a838f2acbf0a9324e4634a3fa9862a2a544c196dff6c9bd9c549ee72b3a7c5738985179

Filesize: 345KB
MD5: 3d5a2cb9d3def634c0d88cc7841d6614
SHA1: 0a616501113defb70377a4ecf56386069ee75bbf
SHA256: f8a77bb909a092cc81169ce09ba65c14f6718263656ea32939b65bdaa0c5d351
SHA512: 763f21340c5775a62a3df21195a89fec5425e2882d8ce172eabf5a75329044b29165d5c5960038d5be456fa89d29bb0c67785e5cbc914d4847d5926cb781159a