Analysis
max time kernel: 42s
max time network: 44s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 01:16
Static task: static1
Behavioral task: behavioral1
  Sample: 68fc6b0656d121268b06b0f09fc424b6.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 68fc6b0656d121268b06b0f09fc424b6.exe
  Resource: win10v2004-20230220-en
General
Target: 68fc6b0656d121268b06b0f09fc424b6.exe
Size: 690KB
MD5: 68fc6b0656d121268b06b0f09fc424b6
SHA1: babd10ea8de31b975276e5261da44ffe3ed4174d
SHA256: 77b345f70904c2a0e72b84d707007138631f63b633d4deac15edfcb630e20763
SHA512: 7d621839e39f212f31e5920558dbede87305f51a90b0575c75540d1ab0aabf7849d25bedca7e5273d5ea7df7e0af3519402d62bfec852d8ab41addd83d80ee49
SSDEEP: 12288:7Mrsy90l5EVwgG7rBGG/jiyk1MK/Xa8OW6aiOvoXFxvAFOvfigGcJlnLKsg:Lyg5HtH4CNEqnaiOg1xYOvagGOJm
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | pro7877.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7877.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7877.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7877.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7877.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7877.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/1736-123-0x00000000034E0000-0x0000000003526000-memory.dmp | family_redline
behavioral1/memory/1736-124-0x0000000003870000-0x00000000038B4000-memory.dmp | family_redline
behavioral1/memory/1736-125-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-126-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-129-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-132-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-134-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-136-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-138-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-140-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-142-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-144-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-146-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-148-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-150-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-152-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-154-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-156-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-158-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
behavioral1/memory/1736-160-0x0000000003870000-0x00000000038AF000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
2040 | un511369.exe
1148 | pro7877.exe
1736 | qu7703.exe
2028 | si473057.exe
Loads dropped DLL 10 IoCs
pid | Process
1712 | 68fc6b0656d121268b06b0f09fc424b6.exe
2040 | un511369.exe
2040 | un511369.exe
2040 | un511369.exe
1148 | pro7877.exe
2040 | un511369.exe
2040 | un511369.exe
1736 | qu7703.exe
1712 | 68fc6b0656d121268b06b0f09fc424b6.exe
2028 | si473057.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7877.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | pro7877.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 68fc6b0656d121268b06b0f09fc424b6.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un511369.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un511369.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 68fc6b0656d121268b06b0f09fc424b6.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1148 | pro7877.exe
1148 | pro7877.exe
1736 | qu7703.exe
1736 | qu7703.exe
2028 | si473057.exe
2028 | si473057.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1148 | pro7877.exe
Token: SeDebugPrivilege | 1736 | qu7703.exe
Token: SeDebugPrivilege | 2028 | si473057.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
(each of the four writes below is logged seven times in the report, 28 entries in total)
PID 1712 wrote to memory of 2040 | 1712 | 68fc6b0656d121268b06b0f09fc424b6.exe | 28
PID 2040 wrote to memory of 1148 | 2040 | un511369.exe | 29
PID 2040 wrote to memory of 1736 | 2040 | un511369.exe | 30
PID 1712 wrote to memory of 2028 | 1712 | 68fc6b0656d121268b06b0f09fc424b6.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe"
  PID: 1712
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
    PID: 2040
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
      PID: 1148
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
      PID: 1736
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
    PID: 2028
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: cc6cbdda0c8e2d6161e2116e00214160
SHA1: 25c93b0aca1125339dc9922bcda480a04cef326c
SHA256: d070c857be09bad34225cd33542f6c943351e52f1d53ca9c81bfb9cb4b697d86
SHA512: acc211ec34fb60007a253ba8c0acacc8869224567e308b5700ebe72b0ae634d3b0a37e24929cf5b9b920bb463bcb272a357c29cb9a1cf686e155eb469f9357de

Filesize: 548KB
MD5: 01fa3d15d87613a53d157dacfec9ca15
SHA1: c48ecd9e28f6e295e4bb2a59684b0cd6fc2e00b8
SHA256: d2354db3eecc93841fd0492d23b76956df30b6045e6350608544b37ab4dc25f1
SHA512: e18857b884508015fe299e05ac12c2d65f62620782bed2ad0d237e1d34ed31899acb97736897aad294f3b42adddc33bdd9a5bdb1ce60e09af72c7fba3d713c13

Filesize: 291KB
MD5: 65774cd2be736251e4393d8b5f1ddc90
SHA1: 0a2c3403372f0bdb6b4b80d99e29b0e0031009a3
SHA256: c6950075c56304a7b18ef3bc4804fa36006bf68d82d7275620cf8bf80bde0aec
SHA512: bfb32245b1e10f55d516f3e45ee58090552e908a55900156825b6ee1fb26862661ef373ad709c7b36fa7d9ac186bafe45ced00e70ec15531163645c5721ecf6b

Filesize: 345KB
MD5: 168bb60ae888a71f8058a66b05252b97
SHA1: 48be8d8b31179d5641c06263e378584bb31428c8
SHA256: 16938ee990c6361c1fd2c8c16819505cb3e7d46a49f11fe886f185c96dfa73a1
SHA512: a7c7534c627d6c8b026f26025c5e1bbd1f4c108cdd3fde8b2b5ee1eb9ba3bbb6aae10300aa6aebcf0a3322b445022587e1e39f467e53be69cf868c83805c0a1e