Overview

overview

10

Static

static

1

68fc6b0656...b6.exe

windows7-x64

10

68fc6b0656...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68fc6b0656d121268b06b0f09fc424b6.exe

  • Size

    690KB

  • MD5

    68fc6b0656d121268b06b0f09fc424b6

  • SHA1

    babd10ea8de31b975276e5261da44ffe3ed4174d

  • SHA256

    77b345f70904c2a0e72b84d707007138631f63b633d4deac15edfcb630e20763

  • SHA512

    7d621839e39f212f31e5920558dbede87305f51a90b0575c75540d1ab0aabf7849d25bedca7e5273d5ea7df7e0af3519402d62bfec852d8ab41addd83d80ee49

  • SSDEEP

    12288:7Mrsy90l5EVwgG7rBGG/jiyk1MK/Xa8OW6aiOvoXFxvAFOvfigGcJlnLKsg:Lyg5HtH4CNEqnaiOg1xYOvagGOJm

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe
    "C:\Users\Admin\AppData\Local\Temp\68fc6b0656d121268b06b0f09fc424b6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1080
          4⤵
          • Program crash
          PID:5028
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1328
          4⤵
          • Program crash
          PID:3620
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3352
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4704 -ip 4704
    1⤵
      PID:3100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2756 -ip 2756
      1⤵
        PID:880

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
        Filesize

        175KB

        MD5

        cc6cbdda0c8e2d6161e2116e00214160

        SHA1

        25c93b0aca1125339dc9922bcda480a04cef326c

        SHA256

        d070c857be09bad34225cd33542f6c943351e52f1d53ca9c81bfb9cb4b697d86

        SHA512

        acc211ec34fb60007a253ba8c0acacc8869224567e308b5700ebe72b0ae634d3b0a37e24929cf5b9b920bb463bcb272a357c29cb9a1cf686e155eb469f9357de

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si473057.exe
        Filesize

        175KB

        MD5

        cc6cbdda0c8e2d6161e2116e00214160

        SHA1

        25c93b0aca1125339dc9922bcda480a04cef326c

        SHA256

        d070c857be09bad34225cd33542f6c943351e52f1d53ca9c81bfb9cb4b697d86

        SHA512

        acc211ec34fb60007a253ba8c0acacc8869224567e308b5700ebe72b0ae634d3b0a37e24929cf5b9b920bb463bcb272a357c29cb9a1cf686e155eb469f9357de

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
        Filesize

        548KB

        MD5

        01fa3d15d87613a53d157dacfec9ca15

        SHA1

        c48ecd9e28f6e295e4bb2a59684b0cd6fc2e00b8

        SHA256

        d2354db3eecc93841fd0492d23b76956df30b6045e6350608544b37ab4dc25f1

        SHA512

        e18857b884508015fe299e05ac12c2d65f62620782bed2ad0d237e1d34ed31899acb97736897aad294f3b42adddc33bdd9a5bdb1ce60e09af72c7fba3d713c13

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un511369.exe
        Filesize

        548KB

        MD5

        01fa3d15d87613a53d157dacfec9ca15

        SHA1

        c48ecd9e28f6e295e4bb2a59684b0cd6fc2e00b8

        SHA256

        d2354db3eecc93841fd0492d23b76956df30b6045e6350608544b37ab4dc25f1

        SHA512

        e18857b884508015fe299e05ac12c2d65f62620782bed2ad0d237e1d34ed31899acb97736897aad294f3b42adddc33bdd9a5bdb1ce60e09af72c7fba3d713c13

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
        Filesize

        291KB

        MD5

        65774cd2be736251e4393d8b5f1ddc90

        SHA1

        0a2c3403372f0bdb6b4b80d99e29b0e0031009a3

        SHA256

        c6950075c56304a7b18ef3bc4804fa36006bf68d82d7275620cf8bf80bde0aec

        SHA512

        bfb32245b1e10f55d516f3e45ee58090552e908a55900156825b6ee1fb26862661ef373ad709c7b36fa7d9ac186bafe45ced00e70ec15531163645c5721ecf6b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7877.exe
        Filesize

        291KB

        MD5

        65774cd2be736251e4393d8b5f1ddc90

        SHA1

        0a2c3403372f0bdb6b4b80d99e29b0e0031009a3

        SHA256

        c6950075c56304a7b18ef3bc4804fa36006bf68d82d7275620cf8bf80bde0aec

        SHA512

        bfb32245b1e10f55d516f3e45ee58090552e908a55900156825b6ee1fb26862661ef373ad709c7b36fa7d9ac186bafe45ced00e70ec15531163645c5721ecf6b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
        Filesize

        345KB

        MD5

        168bb60ae888a71f8058a66b05252b97

        SHA1

        48be8d8b31179d5641c06263e378584bb31428c8

        SHA256

        16938ee990c6361c1fd2c8c16819505cb3e7d46a49f11fe886f185c96dfa73a1

        SHA512

        a7c7534c627d6c8b026f26025c5e1bbd1f4c108cdd3fde8b2b5ee1eb9ba3bbb6aae10300aa6aebcf0a3322b445022587e1e39f467e53be69cf868c83805c0a1e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7703.exe
        Filesize

        345KB

        MD5

        168bb60ae888a71f8058a66b05252b97

        SHA1

        48be8d8b31179d5641c06263e378584bb31428c8

        SHA256

        16938ee990c6361c1fd2c8c16819505cb3e7d46a49f11fe886f185c96dfa73a1

        SHA512

        a7c7534c627d6c8b026f26025c5e1bbd1f4c108cdd3fde8b2b5ee1eb9ba3bbb6aae10300aa6aebcf0a3322b445022587e1e39f467e53be69cf868c83805c0a1e

        Download Submit

      • memory/2756-296-0x00000000061B0000-0x00000000061C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2756-1102-0x0000000006F50000-0x0000000006F62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2756-1114-0x00000000061B0000-0x00000000061C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2756-1113-0x0000000007DE0000-0x000000000830C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2756-1112-0x0000000007C10000-0x0000000007DD2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2756-1111-0x0000000007BB0000-0x0000000007C00000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2756-1110-0x0000000007B20000-0x0000000007B96000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2756-1109-0x00000000061B0000-0x00000000061C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2756-1108-0x00000000061B0000-0x00000000061C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2756-1107-0x0000000007920000-0x00000000079B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2756-1106-0x0000000007260000-0x00000000072C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2756-1104-0x00000000061B0000-0x00000000061C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2756-1103-0x0000000006FB0000-0x0000000006FEC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2756-1101-0x0000000006E10000-0x0000000006F1A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2756-1100-0x0000000006770000-0x0000000006D88000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2756-294-0x00000000061B0000-0x00000000061C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2756-292-0x0000000001B60000-0x0000000001BAB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2756-224-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-222-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-220-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-218-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-216-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-214-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-191-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-192-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-194-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-196-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-198-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-200-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-202-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-206-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-204-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-208-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-210-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2756-212-0x0000000003C80000-0x0000000003CBF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3352-1120-0x00000000004E0000-0x0000000000512000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3352-1121-0x0000000005130000-0x0000000005140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-174-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-181-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4704-170-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-182-0x0000000000970000-0x0000000000980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-168-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-180-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-150-0x0000000000970000-0x0000000000980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-166-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-176-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-153-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-151-0x0000000000970000-0x0000000000980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-172-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-183-0x0000000000970000-0x0000000000980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-184-0x0000000000970000-0x0000000000980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-178-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-164-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-162-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-160-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-158-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-156-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-154-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4704-149-0x0000000000970000-0x0000000000980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4704-148-0x0000000000810000-0x000000000083D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4704-186-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4704-152-0x0000000004DC0000-0x0000000005364000-memory.dmp

        Filesize

        5.6MB

        Download