Analysis

  max time kernel: 106s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-03-2023 01:20

Static task: static1

Behavioral task: behavioral1
  Sample: 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe
  Resource: win10v2004-20230220-en

General

  Target: 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe
  Size: 690KB
  MD5: 7299d0f566de007c9fe2c2733c0bdbc4
  SHA1: 68c7f45d72f30eaffbbe00de59cf8d67d77b72a5
  SHA256: 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47
  SHA512: 55f29eb436e8956d23eb9477a9e4b0f9ef75d299e5fcc0745ad905e98339ea53ebf31f29384aabf56ecbff798e32e183907b8ca56509f1166942dbbfba6e5e13
  SSDEEP: 12288:kMrWy90OBCcrpV1oMPya65hLumvAMSKI3VenfcdmQP3vdFPYfig775zo2fHLRkFp:iytB7l7oMqpfamvALZ3Vefs3PPYagtox
Malware Config

Extracted
  Family: redline
  Botnet: rosn
  C2: 176.113.115.145:4125
  Attributes: auth_value = 050a19e1db4d0024b0f23b37dcf961f4

Extracted
  Family: redline
  Botnet: from
  C2: 176.113.115.145:4125
  Attributes: auth_value = 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3712.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3712.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3712.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3712.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro3712.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3712.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 20 IoCs
  resource | yara_rule
  behavioral1/memory/4076-191-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-192-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-194-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-196-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-198-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-200-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-202-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-204-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-206-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-208-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-210-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-212-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-214-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-216-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-218-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-220-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-222-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-224-0x0000000005FD0000-0x000000000600F000-memory.dmp | family_redline
  behavioral1/memory/4076-393-0x0000000006080000-0x0000000006090000-memory.dmp | family_redline
  behavioral1/memory/4076-1110-0x0000000006080000-0x0000000006090000-memory.dmp | family_redline

Executes dropped EXE 4 IoCs
  pid | Process
  3928 | un200204.exe
  4172 | pro3712.exe
  4076 | qu9420.exe
  2624 | si418623.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro3712.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3712.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un200204.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un200204.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
  pid | pid_target | Process | procid_target
  1840 | 4172 | WerFault.exe | 86
  4440 | 4076 | WerFault.exe | 92

Suspicious behavior: EnumeratesProcesses 6 IoCs
  pid | Process
  4172 | pro3712.exe
  4172 | pro3712.exe
  4076 | qu9420.exe
  4076 | qu9420.exe
  2624 | si418623.exe
  2624 | si418623.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4172 | pro3712.exe
  Token: SeDebugPrivilege | 4076 | qu9420.exe
  Token: SeDebugPrivilege | 2624 | si418623.exe

Suspicious use of WriteProcessMemory 12 IoCs
  description | pid | Process | procid_target
  PID 2080 wrote to memory of 3928 | 2080 | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe | 85
  PID 2080 wrote to memory of 3928 | 2080 | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe | 85
  PID 2080 wrote to memory of 3928 | 2080 | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe | 85
  PID 3928 wrote to memory of 4172 | 3928 | un200204.exe | 86
  PID 3928 wrote to memory of 4172 | 3928 | un200204.exe | 86
  PID 3928 wrote to memory of 4172 | 3928 | un200204.exe | 86
  PID 3928 wrote to memory of 4076 | 3928 | un200204.exe | 92
  PID 3928 wrote to memory of 4076 | 3928 | un200204.exe | 92
  PID 3928 wrote to memory of 4076 | 3928 | un200204.exe | 92
  PID 2080 wrote to memory of 2624 | 2080 | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe | 96
  PID 2080 wrote to memory of 2624 | 2080 | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe | 96
  PID 2080 wrote to memory of 2624 | 2080 | 3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fccf4fc820f37cbd99790b681e34beee053c1c3a3699c5e7df9da5f7313bd47.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2080

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un200204.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un200204.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3928

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3712.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3712.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4172

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1084
        - Program crash
        PID: 1840

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9420.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9420.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4076

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1316
        - Program crash
        PID: 4440

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si418623.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si418623.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2624

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4172 -ip 4172
  PID: 4680

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4076 -ip 4076
  PID: 4256
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 175KB
  MD5: 0561455944e3e5075321bfd62f2ea727
  SHA1: fd0e7d445b7d8317c34cb0b650173a5156ba958e
  SHA256: f6e141f6bda8a81209d472c529483ee8699cb130fdce463851eb5aa1368b3447
  SHA512: bfa402f0ac776cd4e97620d80f0a125ec258e035a512e0eaf83efe500b2948c069102760b2c4224e38e6cab769fd069a2d69d648c63ab276cb4a4ac4a9480ca5

  Filesize: 548KB
  MD5: a6643c7b43e6c278ce2b5e4a729fd434
  SHA1: 937e302d46dfd1b63f38e09211d3d89e859b0abe
  SHA256: da722c221c26da815c6bdcbf77a2666c24dca6ba35bae7e007eb054353a9691c
  SHA512: be229c36422a5bd91696fd58daa8ec4744f83803aa937f132c3ea9a75e4402be3717700eafcf06123ae93ae45f34e3c5794adad391c88dab726c79f87032a3b6

  Filesize: 291KB
  MD5: 51428e1d10a3f7bb4c8fdc04ad148d16
  SHA1: c2cfd1f053bffbbaccadfa7b69053ccf0039f8d1
  SHA256: fad931d1819061cdb8ea6352a8e33e727c5c4cd9d943c0fbd31798277e599602
  SHA512: b58201cec2283718fd79da73ef33ed2423f54c2e3f3f25ba42dab7dc4f865fc0ed359caaef5f3bfb12faac39efc2542a193ed59f928a839721f259670fcac178

  Filesize: 345KB
  MD5: 19d5e8c9d5bfebf47c7803b2dee2a940
  SHA1: f286f2aa998cb23ee97382584bdfb04363fa3f18
  SHA256: c6cca9ffa7b49b6abc4c2cea6bc24b6046f8f1e393b321dcca283432bbdbbdce
  SHA512: 76d35f551f9380da7dc2aff675cb044c618843c1f1fdda4cef64c31247ca0e48929459bb67f34592f0fc9b5d2a50fcfaa5c529beb1e88c9f82f5fb24129bcdf0