Analysis

- max time kernel: 113s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 01:35

Static task: static1

Behavioral task: behavioral1
- Sample: 59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe
- Resource: win10v2004-20230220-en
General

- Target: 59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe
- Size: 689KB
- MD5: beaa4d6e1646645141f5f4ad5b6abed5
- SHA1: 22f887d6d78b1ec93e4d2cd3db560fdef3715af9
- SHA256: 59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a
- SHA512: 9288828aa794882f6fc56d0acbcbeb79bf9b6782092d4b6add1aab34384a6caec29ae5a7656bc6b04ff742f2ba60535880bfd1449cb1bfd986d07af89ab92997
- SSDEEP: 12288:QMr6y90JIsAKSfE/TOSbuyZ65hLutJMy+D22l/oXikZ9IivHFlPfig6E+v1uDSyR:6yTfE/y6kfat9+D2SuTNdlPagzq1ySyR
Malware Config

Extracted (1)
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted (2)
- Family: redline
- Botnet: from
- C2: 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566

Both configurations point at the same C2 endpoint but carry different botnet IDs and auth_values, so the dropper bundles two separately built RedLine payloads rather than one payload run twice.
Signatures

Modifies Windows Defender Real-time Protection settings (6 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pro4782.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro4782.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro4782.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro4782.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro4782.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro4782.exe)

All five DWORDs are the Group Policy switches that turn off Defender real-time scanning, on-access scanning, IOAV (download) scanning and behaviour monitoring. The WOW6432Node path shows the writer is a 32-bit process, which also matches the SysWOW64 WerFault.exe that later handles its crash.
RedLine

RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020. It harvests browser credentials, cookies, autofill data and cryptocurrency wallet files and reports to a configured C2 with a per-build auth_value.
RedLine payload (19 IoCs)

YARA rule family_redline matched memory dumps of PID 4956 (qu2242.exe):
- region 0x0000000005FD0000-0x000000000600F000 (0x3F000 bytes), dumps behavioral1/memory/4956-{190,191,193,196,200,202,204,206,208,210,212,214,216,218,220,222,224,226}-...-memory.dmp (18 hits)
- region 0x0000000006190000-0x00000000061A0000 (0x10000 bytes), dump behavioral1/memory/4956-1105-...-memory.dmp (1 hit)
Executes dropped EXE (4 IoCs)
- PID 3244: un626834.exe
- PID 3008: pro4782.exe
- PID 4956: qu2242.exe
- PID 400: si834240.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers target stored browser data, which can include saved credentials, cookies and session tokens, and browser autofill entries.
Windows security modification (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro4782.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro4782.exe)

Caveat: the report records the registry calls, not their effect. On a host with Tamper Protection enabled, Defender blocks changes to its own settings made this way; whether the sandbox image had it enabled is not stated in this report.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un626834.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un626834.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe)

Caveat: both RunOnce values are wextract_cleanupN entries pointing at advpack.dll,DelNodeRunDLL32. That is the standard self-cleanup hook a Windows self-extracting (wextract/IExpress) package writes to delete its IXP00n.TMP extraction folder at the next logon. They are an artefact of the two nested self-extractor layers (IXP000.TMP, IXP001.TMP), not a persistence mechanism for the RedLine payload.
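The three registry signatures above (Defender real-time policy DWORDs, the TamperProtection value, and the RunOnce entries) are the rows a responder wants pulled out of a report like this automatically. The following is an added example, not part of the original sandbox report or of any sandbox vendor's tooling: it parses registry events written in the flattened form used on this page and sorts them into those buckets, treating the wextract_cleanupN RunOnce entries as the expected self-extractor artefact rather than autostart. The sample events are constructed from the rows printed in the signature tables; the category names are this example's own.

```python
"""Classify flattened sandbox registry events (added example, not report tooling)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the two event shapes the report prints:
#   Set value (int|str) <key>\<name> = "<data>" <process>
#   Key created <key> <process>
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>int|str)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<proc>\S+\.exe)$'
)

# Normalised (lower-case, WOW6432Node removed) key suffixes we care about.
REALTIME_POLICY = r"\policies\microsoft\windows defender\real-time protection"
DEFENDER_FEATURES = r"\microsoft\windows defender\features"
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce")


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    path: str
    data: Optional[str]


def normalise(path: str) -> str:
    """Lower-case and drop WOW6432Node: the redirected view only tells us the
    writer was a 32-bit process; for classification we want the key itself."""
    return path.lower().replace(r"\wow6432node", "")


def classify(line: str) -> Optional[Finding]:
    """Turn one event line into a Finding, or None if it is not a registry event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path, data, proc = normalise(m["path"]), m["data"], m["proc"]
    if m["op"] == "Key created":
        return Finding("key_created", proc, path, None)
    key, _, name = path.rpartition("\\")
    if key.endswith(REALTIME_POLICY) and name.startswith("disable") and data == "1":
        return Finding("defender_realtime_disabled", proc, path, data)
    if key.endswith(DEFENDER_FEATURES) and name == "tamperprotection" and data == "0":
        return Finding("tamper_protection_disabled", proc, path, data)
    if key.endswith(AUTOSTART_KEYS):
        # wextract/IExpress cleanup hook: deletes the IXP00n.TMP folder at next logon.
        if name.startswith("wextract_cleanup") and "delnoderundll32" in (data or "").lower():
            return Finding("wextract_cleanup", proc, path, data)
        return Finding("autostart", proc, path, data)
    return Finding("other", proc, path, data)


def summarise(lines: List[str]) -> Dict[str, List[str]]:
    """Map each process name to the sorted list of categories it triggered."""
    out = defaultdict(set)
    for line in lines:
        f = classify(line)
        if f:
            out[f.process].add(f.category)
    return {proc: sorted(cats) for proc, cats in out.items()}


# Constructed from the report's signature rows (not a live capture).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro4782.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro4782.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro4782.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro4782.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro4782.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro4782.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro4782.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro4782.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un626834.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un626834.exe',
]

if __name__ == "__main__":
    for proc, cats in summarise(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(cats)}")
```

Run as a script it prints one line per process; pro4782.exe comes out with both Defender categories while un626834.exe only has key_created and wextract_cleanup, which is the distinction the "Adds Run key" signature name blurs.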
Checks installed software on the system (1 TTP)

Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (2 IoCs)
- WerFault.exe PID 1384 handled crash of PID 3008 (pro4782.exe, procid_target 87)
- WerFault.exe PID 3044 handled crash of PID 4956 (qu2242.exe, procid_target 93)

Both payload stages crashed inside the sandbox, so their behaviour after the crash point is not captured in this run; the family_redline memory hits on PID 4956 were collected before it died.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 3008 pro4782.exe (2 events)
- PID 4956 qu2242.exe (2 events)
- PID 400 si834240.exe (2 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 3008 pro4782.exe
- Token: SeDebugPrivilege, PID 4956 qu2242.exe
- Token: SeDebugPrivilege, PID 400 si834240.exe
Suspicious use of WriteProcessMemory (12 IoCs; each parent/child pair is recorded three times)
- PID 4900 (59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe) wrote to memory of PID 3244, procid_target 86 (3 events)
- PID 3244 (un626834.exe) wrote to memory of PID 3008, procid_target 87 (3 events)
- PID 3244 (un626834.exe) wrote to memory of PID 4956, procid_target 93 (3 events)
- PID 4900 (59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe) wrote to memory of PID 400, procid_target 97 (3 events)
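The WriteProcessMemory, Executes dropped EXE and Program crash tables together contain everything needed to rebuild the process tree shown in the next section. The following is an added example, not part of the original report: it parses those three tables in the flattened form used on this page, deduplicates the triple-logged parent/child pairs, and renders the tree with the crash handlers attached. The table rows are constructed from the report; the rendering format is this example's own.

```python
"""Rebuild a process tree from flattened sandbox event tables (added example)."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# "PID <parent> wrote to memory of <child> <parent> <parent_image> <procid_target>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
# "<werfault_pid> <crashed_pid> <process> <procid_target>"
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) (\d+)$")

# Constructed from the report's tables (not a live capture).
SAMPLE_EXE = "59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe"
WRITE_EVENTS = (
    [f"PID 4900 wrote to memory of 3244 4900 {SAMPLE_EXE} 86"] * 3
    + ["PID 3244 wrote to memory of 3008 3244 un626834.exe 87"] * 3
    + ["PID 3244 wrote to memory of 4956 3244 un626834.exe 93"] * 3
    + [f"PID 4900 wrote to memory of 400 4900 {SAMPLE_EXE} 97"] * 3
)
DROPPED_EXE = {3244: "un626834.exe", 3008: "pro4782.exe", 4956: "qu2242.exe", 400: "si834240.exe"}
CRASH_EVENTS = ["1384 3008 WerFault.exe 87", "3044 4956 WerFault.exe 93"]


def build_tree(write_events: List[str], names: Dict[int, str]) -> Tuple["OrderedDict[int, List[int]]", Dict[int, str]]:
    """Return (children, names).

    children maps a parent PID to its child PIDs in first-seen order with
    duplicates removed; names is extended with the parent image names that the
    write events carry, so the root (which is not a dropped EXE) gets a name too.
    """
    children: "OrderedDict[int, List[int]]" = OrderedDict()
    names = dict(names)
    for line in write_events:
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        parent, child, _, parent_image, _ = m.groups()
        parent, child = int(parent), int(child)
        names.setdefault(parent, parent_image)
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, names


def crashed_pids(crash_events: List[str]) -> Dict[int, Tuple[int, str]]:
    """Map crashed PID -> (WerFault PID, WerFault image)."""
    out = {}
    for line in crash_events:
        m = CRASH_RE.match(line.strip())
        if m:
            wer_pid, target, image, _ = m.groups()
            out[int(target)] = (int(wer_pid), image)
    return out


def roots(children: "OrderedDict[int, List[int]]") -> List[int]:
    """Parents that never appear as a child are the roots of the tree."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def render(children, names, crashes) -> List[str]:
    """One indented line per process, crash handler noted on the crashed process."""
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        note = ""
        if pid in crashes:
            wer_pid, image = crashes[pid]
            note = f"  [crashed -> {image} pid {wer_pid}]"
        out.append(f"{'    ' * depth}{names.get(pid, '?')} (pid {pid}){note}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(children):
        walk(root, 0)
    return out


if __name__ == "__main__":
    kids, imgs = build_tree(WRITE_EVENTS, DROPPED_EXE)
    print("\n".join(render(kids, imgs, crashed_pids(CRASH_EVENTS))))
```

The rendered tree has the sample at the root with un626834.exe and si834240.exe as its children, and pro4782.exe and qu2242.exe (both marked crashed) under un626834.exe, which is exactly the nesting the two IXP00n.TMP folders imply.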
Processes

- C:\Users\Admin\AppData\Local\Temp\59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe (PID 4900)
  command line: "C:\Users\Admin\AppData\Local\Temp\59f241b9261acba1a73b6455644c0752ea52b25eb2be5ec68679e44ed234962a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un626834.exe (PID 3244)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un626834.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4782.exe (PID 3008)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4782.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1384)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1064
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2242.exe (PID 4956)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2242.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3044)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1596
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si834240.exe (PID 400)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si834240.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\WerFault.exe (PID 2168)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3008 -ip 3008
- C:\Windows\SysWOW64\WerFault.exe (PID 3952)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4956 -ip 4956

The two -pss WerFault.exe instances are separate roots because they are launched by the Windows Error Reporting service rather than by the sample; their -p/-ip arguments tie them to the crashes of pro4782.exe (3008) and qu2242.exe (4956). The IXP000.TMP and IXP001.TMP paths show the sample is a self-extracting package that drops a second self-extracting package (un626834.exe), which in turn drops the two payload stages.
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file, 175KB
- MD5: ab9b1ca81b7f73cd7fcd618df42b58c5
- SHA1: 8140a4b2d50a5cd4ca3926e84f59f697cdbfae70
- SHA256: a240e52df904592e984aee2e3022be9f35816f2ff7f71fad38059c7266c4afcf
- SHA512: ec0487305c7a8cc3f1730b0628d0562c7900ae19c374dcd36d3d66c7632ed1f7acd6e4154aa6b57d54ed57ae2c12d8e8a80dc902013005b07ae30087684f45a8

Dropped file, 548KB
- MD5: cdbb28ad93139c89a1c4ffbeb3bee519
- SHA1: e1943d782125dcd22d1499c06f85eec2e8d5c7af
- SHA256: 77d066f486158aaab7ede0b51d8d43871373134c5cc9e59257c4c7a2cae708d4
- SHA512: e62809cf6cf3c3b8590a2a2c8775259132b45b5431e8ef6fe9f2d3cee73490328cf4410503b05949f4c8fb2110917ab8e965dda68a64361728ba06e51aa1194a

Dropped file, 291KB
- MD5: 8eb154d867bbbd48b974fbfb3a94da2c
- SHA1: 3b8b7f8716d54c0503e4b54db05e3eab2b9d4f8e
- SHA256: 40f57e568c8eb69cdde154bdb953fb858281069b1289f9594e9c35ece08cf503
- SHA512: a42b66ca3e1a26e05b79b795c6855b08ea23652c9c7883048f5d700fd12499227143efb5edf081ba3507a0378e1847f20375aff7f22a666962c5ebc8a6b7df01

Dropped file, 345KB
- MD5: 6d8aa5d5c05ddec712e7a521be2fe56a
- SHA1: e60309cadc36c3c0020b5c0a9de7228e7c0057c2
- SHA256: f5f29dfd9b6c06a046f9c7320f4655bb508eb01f5fdd52492b929cc8d8f242fc
- SHA512: 6bb2826e5f31025da302222f695730548f1a54d1c5846657473563c81ece6fb7cd5a3c4766276432318e3b1d3b9ec702ff7176bb224082fc74112476c93f8142