Analysis
max time kernel: 105s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 01:09
Static task: static1
Behavioral task: behavioral1
Sample: e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe
Resource: win10v2004-20230220-en
General
Target: e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe
Size: 689KB
MD5: b99d2d2c45c84cc3753989d8b6b0814a
SHA1: 337c5b310c7d39701c441243c3fb6e592d4bc09a
SHA256: e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b
SHA512: c39744679ae21413ada5f79bca0bf435b231d9b9bf140ac05e72d4a8d7bc76523e04b27616c3753ad9adb38196ab7af91f8386aa58a9989e04ed815a8b7a1905
SSDEEP: 12288:EMrcy90YzSGQMFR7GjR/FzcKntoyY65hLuVwzoag8JMBJ+OgmJ2v+FEjfigYEd3O:wytlHocKtpXfa6g8J4g/mJ26EjagYEde
Malware Config
Extracted
  redline
  rosn
  176.113.115.145:4125
  auth_value 050a19e1db4d0024b0f23b37dcf961f4
Extracted
  redline
  from
  176.113.115.145:4125
  auth_value 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro6215.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro6215.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro6215.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro6215.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro6215.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro6215.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/2484-194-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-195-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-197-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-199-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-201-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-203-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-205-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-209-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-207-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-211-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-213-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-215-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-217-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-219-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-221-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-223-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-225-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
behavioral1/memory/2484-227-0x0000000005FE0000-0x000000000601F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
2012 | un768069.exe
3384 | pro6215.exe
2484 | qu3084.exe
60 | si010712.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro6215.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro6215.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un768069.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un768069.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
856 | 3384 | WerFault.exe | 87
3280 | 2484 | WerFault.exe | 95
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3384 | pro6215.exe
3384 | pro6215.exe
2484 | qu3084.exe
2484 | qu3084.exe
60 | si010712.exe
60 | si010712.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3384 | pro6215.exe
Token: SeDebugPrivilege | 2484 | qu3084.exe
Token: SeDebugPrivilege | 60 | si010712.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4252 wrote to memory of 2012 | 4252 | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe | 86
PID 4252 wrote to memory of 2012 | 4252 | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe | 86
PID 4252 wrote to memory of 2012 | 4252 | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe | 86
PID 2012 wrote to memory of 3384 | 2012 | un768069.exe | 87
PID 2012 wrote to memory of 3384 | 2012 | un768069.exe | 87
PID 2012 wrote to memory of 3384 | 2012 | un768069.exe | 87
PID 2012 wrote to memory of 2484 | 2012 | un768069.exe | 95
PID 2012 wrote to memory of 2484 | 2012 | un768069.exe | 95
PID 2012 wrote to memory of 2484 | 2012 | un768069.exe | 95
PID 4252 wrote to memory of 60 | 4252 | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe | 101
PID 4252 wrote to memory of 60 | 4252 | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe | 101
PID 4252 wrote to memory of 60 | 4252 | e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe | 101
Processes (tree; the number in brackets is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e7f602c0768d84a897ccf1ec16918b97d86ff772e36e4cc094f6340bbd8ad92b.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4252

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768069.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un768069.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2012

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6215.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6215.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3384

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1084
                - Program crash
                PID: 856

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3084.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3084.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2484

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1828
                - Program crash
                PID: 3280

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si010712.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si010712.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 60

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3384 -ip 3384
    PID: 2692

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2484 -ip 2484
    PID: 4368
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: ccac3ee75d221ec382036061a329e5d2
SHA1: d5ba3e99e65965437f727064f47ce1206a3f3234
SHA256: e6c5941c8920dee39fe3029e52be4b33df9cab552e1fed1aa0941d066641d8ea
SHA512: 93fb26549ba87c5bf079ffba4f0a96e40f1e84027e5dcca014f2658d1b19b511060db873d27e2ddc33e5eea900c0b3a789bb58fae89b49ebd1293b62c9b47a6c
Filesize: 547KB
MD5: 2147afb19b7630015310edaf9eba0288
SHA1: 9193ccb846b1a9fea43d09b1cc69f9e864ff6b52
SHA256: 486affad1cd3d6fc9a7324afdb3cea75b6aa2b4fce7f4753cb7ab7b983909a3f
SHA512: c4592d29d1f9d7f0e436889d77cbd03b0f4cefce47a36c53270ea1988c8cdcccf3c8e82f41dd7e01c952051062f7e836f7e6d8aef4a33fab666f182aef165c64
Filesize: 291KB
MD5: a47440ddb3970f801c4dacfb482bba99
SHA1: 780bba5bdaba4dc3add52b0ace390295584049f6
SHA256: 0beb7f6c85da9e2bfd456c5213de2e7d6e5c86671b19d621870e005b1c579863
SHA512: 2d3b32912c0450060fb5a8e5f24d2894b8c45ccc868460b6ffeb48d091afa6a112784e5cadba2a9c49883138264b575b140710700485c21776fb78841d74a190
Filesize: 345KB
MD5: 197907df1528d04a6774ab78a33464b2
SHA1: 25d3c1413eefe5e521ea422bcaa8289abcc8f1dc
SHA256: 4a73710089d41704a4de23f963ceabcad044e8d366c3d398ecb9f60ca83b2301
SHA512: 3be396e5817ae4b0736fc6bb3adc8d78c20063c75ede5dc6b2612811286d209eb7ddb15e3a50022b010acd96afb155b8cbc941ecffa6598f670e1bc6559b2289