Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-03-2023 01:16

General

  • Target

    68fc6b0656d121268b06b0f09fc424b6.exe

  • Size

    690KB

  • MD5

    68fc6b0656d121268b06b0f09fc424b6

  • SHA1

    babd10ea8de31b975276e5261da44ffe3ed4174d

  • SHA256

    77b345f70904c2a0e72b84d707007138631f63b633d4deac15edfcb630e20763

  • SHA512

    7d621839e39f212f31e5920558dbede87305f51a90b0575c75540d1ab0aabf7849d25bedca7e5273d5ea7df7e0af3519402d62bfec852d8ab41addd83d80ee49

  • SSDEEP

    12288:7Mrsy90l5EVwgG7rBGG/jiyk1MK/Xa8OW6aiOvoXFxvAFOvfigGcJlnLKsg:Lyg5HtH4CNEqnaiOg1xYOvagGOJm

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe
    "C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
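
The extracted config, the Signatures list and the process tree above give four behaviours a hunter can turn into host-telemetry rules: the C2 endpoint (176.113.115.145:4125), Run-key persistence, tampering with Windows Defender real-time protection, and execution out of the %TEMP%\IXP00n.TMP staging directories (the naming used by IExpress-style self-extracting packages). The script below is an added example, not part of the sandbox report or of any vendor tooling. It assumes Sysmon-style event records (EventID 1 process create, 3 network connect, 13 registry value set) with the usual field names, and the registry paths it matches are the standard locations for those settings; the report itself does not name the exact values the sample wrote. All event records are constructed to mirror the process tree on this page.

```python
"""Behavioural triage rules built from this report's Malware Config,
Signatures and process tree.  Example code, not part of the sandbox
report; the Sysmon-style event records below are constructed."""
import re
from collections import namedtuple

# C2 endpoint from the extracted RedLine config on this page.
REDLINE_C2 = {("176.113.115.145", 4125)}

Hit = namedtuple("Hit", "rule event")

# Assumed Sysmon field names (EventID 1 = process create, 3 = network
# connect, 13 = registry value set).  The exact registry values the
# sample touched are not in the report; these are the standard paths
# for Run-key persistence and Defender real-time protection policy.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DEFENDER_RTP_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\", re.I)
# Staging directory pattern taken from the process tree (IXP000.TMP, IXP001.TMP).
SFX_STAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)


def classify(event):
    """Return the rule names an event matches (possibly several, possibly none)."""
    rules = []
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            rules.append("run_key_persistence")
        if DEFENDER_RTP_RE.search(target):
            rules.append("defender_rtp_tamper")
    elif eid == 3:
        dest = (event.get("DestinationIp"), event.get("DestinationPort"))
        if dest in REDLINE_C2:
            rules.append("redline_c2_connect")
    elif eid == 1:
        if SFX_STAGE_RE.search(event.get("Image", "")):
            rules.append("sfx_temp_stage_exec")
    return rules


def hunt(events):
    """Run every event through classify() and collect the hits."""
    return [Hit(rule, ev) for ev in events for rule in classify(ev)]


def count_hits(events):
    """Hits per rule, the form a hunter would paste into a ticket."""
    counts = {}
    for hit in hunt(events):
        counts[hit.rule] = counts.get(hit.rule, 0) + 1
    return counts


# Constructed events mirroring the report's process tree and signatures.
# PIDs and image paths come from the page; registry values and the
# benign control events are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2040,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe"},
    {"EventID": 1, "ProcessId": 1148,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe"},
    {"EventID": 13, "ProcessId": 1148,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 2040,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\un511369",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe"},
    {"EventID": 3, "ProcessId": 1736,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe",
     "DestinationIp": "176.113.115.145", "DestinationPort": 4125},
    {"EventID": 3, "ProcessId": 1736,  # benign DNS lookup, must not fire
     "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"EventID": 1, "ProcessId": 3000,  # unrelated process, must not fire
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.rule:22s} pid={hit.event.get('ProcessId')}")
    print(count_hits(SAMPLE_EVENTS))
```

The staging-directory rule is the broadest of the four and will also fire on legitimate IExpress packages, so treat it as a pivot for the other three rather than an alert on its own; the C2 match is the most specific and the quickest to go stale, since RedLine operators rotate infrastructure.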

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe

    Filesize

    175KB

    MD5

    cc6cbdda0c8e2d6161e2116e00214160

    SHA1

    25c93b0aca1125339dc9922bcda480a04cef326c

    SHA256

    d070c857be09bad34225cd33542f6c943351e52f1d53ca9c81bfb9cb4b697d86

    SHA512

    acc211ec34fb60007a253ba8c0acacc8869224567e308b5700ebe72b0ae634d3b0a37e24929cf5b9b920bb463bcb272a357c29cb9a1cf686e155eb469f9357de

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe

    Filesize

    548KB

    MD5

    01fa3d15d87613a53d157dacfec9ca15

    SHA1

    c48ecd9e28f6e295e4bb2a59684b0cd6fc2e00b8

    SHA256

    d2354db3eecc93841fd0492d23b76956df30b6045e6350608544b37ab4dc25f1

    SHA512

    e18857b884508015fe299e05ac12c2d65f62620782bed2ad0d237e1d34ed31899acb97736897aad294f3b42adddc33bdd9a5bdb1ce60e09af72c7fba3d713c13

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe

    Filesize

    291KB

    MD5

    65774cd2be736251e4393d8b5f1ddc90

    SHA1

    0a2c3403372f0bdb6b4b80d99e29b0e0031009a3

    SHA256

    c6950075c56304a7b18ef3bc4804fa36006bf68d82d7275620cf8bf80bde0aec

    SHA512

    bfb32245b1e10f55d516f3e45ee58090552e908a55900156825b6ee1fb26862661ef373ad709c7b36fa7d9ac186bafe45ced00e70ec15531163645c5721ecf6b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe

    Filesize

    345KB

    MD5

    168bb60ae888a71f8058a66b05252b97

    SHA1

    48be8d8b31179d5641c06263e378584bb31428c8

    SHA256

    16938ee990c6361c1fd2c8c16819505cb3e7d46a49f11fe886f185c96dfa73a1

    SHA512

    a7c7534c627d6c8b026f26025c5e1bbd1f4c108cdd3fde8b2b5ee1eb9ba3bbb6aae10300aa6aebcf0a3322b445022587e1e39f467e53be69cf868c83805c0a1e

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe

    Filesize

    175KB

    MD5

    cc6cbdda0c8e2d6161e2116e00214160

    SHA1

    25c93b0aca1125339dc9922bcda480a04cef326c

    SHA256

    d070c857be09bad34225cd33542f6c943351e52f1d53ca9c81bfb9cb4b697d86

    SHA512

    acc211ec34fb60007a253ba8c0acacc8869224567e308b5700ebe72b0ae634d3b0a37e24929cf5b9b920bb463bcb272a357c29cb9a1cf686e155eb469f9357de

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe

    Filesize

    548KB

    MD5

    01fa3d15d87613a53d157dacfec9ca15

    SHA1

    c48ecd9e28f6e295e4bb2a59684b0cd6fc2e00b8

    SHA256

    d2354db3eecc93841fd0492d23b76956df30b6045e6350608544b37ab4dc25f1

    SHA512

    e18857b884508015fe299e05ac12c2d65f62620782bed2ad0d237e1d34ed31899acb97736897aad294f3b42adddc33bdd9a5bdb1ce60e09af72c7fba3d713c13

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe

    Filesize

    291KB

    MD5

    65774cd2be736251e4393d8b5f1ddc90

    SHA1

    0a2c3403372f0bdb6b4b80d99e29b0e0031009a3

    SHA256

    c6950075c56304a7b18ef3bc4804fa36006bf68d82d7275620cf8bf80bde0aec

    SHA512

    bfb32245b1e10f55d516f3e45ee58090552e908a55900156825b6ee1fb26862661ef373ad709c7b36fa7d9ac186bafe45ced00e70ec15531163645c5721ecf6b

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe

    Filesize

    345KB

    MD5

    168bb60ae888a71f8058a66b05252b97

    SHA1

    48be8d8b31179d5641c06263e378584bb31428c8

    SHA256

    16938ee990c6361c1fd2c8c16819505cb3e7d46a49f11fe886f185c96dfa73a1

    SHA512

    a7c7534c627d6c8b026f26025c5e1bbd1f4c108cdd3fde8b2b5ee1eb9ba3bbb6aae10300aa6aebcf0a3322b445022587e1e39f467e53be69cf868c83805c0a1e

  • memory/1148-84-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-94-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-96-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-98-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-100-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-102-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-104-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-106-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-108-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-110-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-111-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

  • memory/1148-112-0x0000000000400000-0x000000000070B000-memory.dmp

    Filesize

    3.0MB

  • memory/1148-92-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-90-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-88-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-86-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-83-0x00000000020A0000-0x00000000020B2000-memory.dmp

    Filesize

    72KB

  • memory/1148-80-0x0000000000310000-0x000000000033D000-memory.dmp

    Filesize

    180KB

  • memory/1148-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

    Filesize

    104KB

  • memory/1148-79-0x00000000020A0000-0x00000000020B8000-memory.dmp

    Filesize

    96KB

  • memory/1148-82-0x0000000004DF0000-0x0000000004E30000-memory.dmp

    Filesize

    256KB

  • memory/1148-81-0x0000000004DF0000-0x0000000004E30000-memory.dmp

    Filesize

    256KB

  • memory/1736-130-0x0000000005FE0000-0x0000000006020000-memory.dmp

    Filesize

    256KB

  • memory/1736-152-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-129-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-132-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-134-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-136-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-138-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-140-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-142-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-144-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-146-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-148-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-150-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-128-0x00000000003A0000-0x00000000003EB000-memory.dmp

    Filesize

    300KB

  • memory/1736-154-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-156-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-158-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-160-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-1033-0x0000000005FE0000-0x0000000006020000-memory.dmp

    Filesize

    256KB

  • memory/1736-126-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-125-0x0000000003870000-0x00000000038AF000-memory.dmp

    Filesize

    252KB

  • memory/1736-124-0x0000000003870000-0x00000000038B4000-memory.dmp

    Filesize

    272KB

  • memory/1736-123-0x00000000034E0000-0x0000000003526000-memory.dmp

    Filesize

    280KB

  • memory/2028-1042-0x00000000000B0000-0x00000000000E2000-memory.dmp

    Filesize

    200KB

  • memory/2028-1043-0x00000000020F0000-0x0000000002130000-memory.dmp

    Filesize

    256KB
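
The memory-dump entries above repeat the same few regions many times (PID 1148 alone lists the 0x020A0000-0x020B2000 range fourteen times), which hides the handful of distinct regions a carver actually needs. The parser below is an added example, not part of the report or of the sandbox vendor's tooling. It infers the name layout `memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp` from the entries on this page (an assumption, since the format is not documented here), recomputes each region's size, reproduces the report's size column, and collapses the captures per PID. `SAMPLE_DUMPS` is a subset of the names listed above; the 0x00400000 start address flagged by `image_regions()` is the usual ImageBase of a 32-bit PE executable, which is why the 3.0MB range is the first place to look for an unpacked payload.

```python
"""Parse the memory-dump names listed under Downloads and collapse the
repeated captures into distinct regions per PID.  Example code, not
part of the report; SAMPLE_DUMPS is a subset of the names on the page."""
import re
from collections import defaultdict

# Name layout inferred from the entries on the page (assumption):
#   memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

DEFAULT_IMAGE_BASE = 0x400000  # usual ImageBase of a 32-bit PE executable


def parse_dump_name(name):
    """Return pid, capture sequence number, start, end and byte size of one dump."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Reproduce the report's size column: whole KB below 1 MiB, else one-decimal MB."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def summarize_regions(names):
    """Map pid -> list of distinct (start, end, size, captures), sorted by address."""
    counts = defaultdict(lambda: defaultdict(int))
    for name in names:
        d = parse_dump_name(name)
        counts[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: [(s, e, e - s, n) for (s, e), n in sorted(per_pid.items())]
            for pid, per_pid in counts.items()}


def image_regions(summary):
    """Regions that begin at the default 32-bit PE image base: the first
    candidates to carve a PE from when hunting the unpacked payload."""
    return {pid: [r for r in regs if r[0] == DEFAULT_IMAGE_BASE]
            for pid, regs in summary.items()}


# Subset of the memory-dump names listed on this page.
SAMPLE_DUMPS = [
    "memory/1148-84-0x00000000020A0000-0x00000000020B2000-memory.dmp",
    "memory/1148-94-0x00000000020A0000-0x00000000020B2000-memory.dmp",
    "memory/1148-111-0x0000000000400000-0x000000000070B000-memory.dmp",
    "memory/1148-112-0x0000000000400000-0x000000000070B000-memory.dmp",
    "memory/1148-80-0x0000000000310000-0x000000000033D000-memory.dmp",
    "memory/1148-79-0x00000000020A0000-0x00000000020B8000-memory.dmp",
    "memory/1736-130-0x0000000005FE0000-0x0000000006020000-memory.dmp",
    "memory/1736-129-0x0000000003870000-0x00000000038AF000-memory.dmp",
    "memory/1736-124-0x0000000003870000-0x00000000038B4000-memory.dmp",
    "memory/2028-1042-0x00000000000B0000-0x00000000000E2000-memory.dmp",
]


if __name__ == "__main__":
    summary = summarize_regions(SAMPLE_DUMPS)
    for pid, regions in sorted(summary.items()):
        print(f"PID {pid}:")
        for start, end, size, n in regions:
            print(f"  0x{start:08X}-0x{end:08X}  {human_size(size):>7}  x{n}")
    print("image-base regions:", image_regions(summary))
```

Note that the sizes recomputed from the addresses agree with the report's column (0x12000 bytes is 72KB, 0x30B000 bytes rounds to 3.0MB), so the column carries no extra information, and that two of the PID 1736 regions (0x03870000-0x038AF000 and 0x03870000-0x038B4000) overlap: the same allocation was captured at two sizes, which is typical of a .NET process growing a buffer between captures rather than two separate regions.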