Analysis
- max time kernel: 55s
- max time network: 182s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28-03-2023 03:37
Static task: static1
Behavioral task: behavioral1
- Sample: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe
- Resource: win10-20230220-en
General
- Target: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe
- Size: 689KB
- MD5: c85548b6946888e2a7fb365c1724d5cf
- SHA1: 32c66e64d1cc558782cb306fc89cac89b8540623
- SHA256: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13
- SHA512: 1606f9b776900d5d537a48b3f3af09d9fc8ac2fcc387c63504d668be1f2df8c164eba7a45e7c72e8da30e0de5513c5c37209f5c496b4b809099395d7c158957f
- SSDEEP: 12288:KMrcy90OY2IdlfEUuOyu65hLuWaMSKx3b1mdfOJ/3fvkFblfig7gTz9D5vmh/rfe:Cy5rVL1faWaLw3hOEP8blag8BD5v8e
Malware Config
Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
- Family: redline
- Botnet: from
- C2: 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro8273.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro8273.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro8273.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro8273.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro8273.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/5000-180-0x00000000037B0000-0x00000000037F6000-memory.dmp: family_redline
- behavioral2/memory/5000-181-0x0000000003B50000-0x0000000003B94000-memory.dmp: family_redline
- behavioral2/memory/5000-182-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-183-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-185-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-187-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-189-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-191-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-193-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-195-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-197-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-201-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-199-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-203-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-206-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-211-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-210-0x00000000062E0000-0x00000000062F0000-memory.dmp: family_redline
- behavioral2/memory/5000-213-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-215-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-217-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
- behavioral2/memory/5000-219-0x0000000003B50000-0x0000000003B8F000-memory.dmp: family_redline
-
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 2144 un721044.exe
- 2512 pro8273.exe
- 5000 qu3031.exe
- 4824 si407314.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro8273.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro8273.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un721044.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un721044.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes (pid, process):
- 2512 pro8273.exe
- 2512 pro8273.exe
- 5000 qu3031.exe
- 5000 qu3031.exe
- 4824 si407314.exe
- 4824 si407314.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 2512 pro8273.exe
- Token: SeDebugPrivilege 5000 qu3031.exe
- Token: SeDebugPrivilege 4824 si407314.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 1804 wrote to memory of 2144: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe -> un721044.exe
- PID 1804 wrote to memory of 2144: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe -> un721044.exe
- PID 1804 wrote to memory of 2144: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe -> un721044.exe
- PID 2144 wrote to memory of 2512: un721044.exe -> pro8273.exe
- PID 2144 wrote to memory of 2512: un721044.exe -> pro8273.exe
- PID 2144 wrote to memory of 2512: un721044.exe -> pro8273.exe
- PID 2144 wrote to memory of 5000: un721044.exe -> qu3031.exe
- PID 2144 wrote to memory of 5000: un721044.exe -> qu3031.exe
- PID 2144 wrote to memory of 5000: un721044.exe -> qu3031.exe
- PID 1804 wrote to memory of 4824: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe -> si407314.exe
- PID 1804 wrote to memory of 4824: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe -> si407314.exe
- PID 1804 wrote to memory of 4824: 4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe -> si407314.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe (level 1, PID 1804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4011153d88f0ee86c96fc32f11ae0c334b787dd4f1cde886540e83cb01567f13.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721044.exe (level 2, PID 2144)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721044.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8273.exe (level 3, PID 2512)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8273.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3031.exe (level 3, PID 5000)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3031.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si407314.exe (level 2, PID 4824)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si407314.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
- MD5: b17d163cab93fb6128accfec989d5954
- SHA1: 03fd854eff4e73b14c8eb5549db7df4ddbb1f5ff
- SHA256: aee8f9d9da9d5c1d8d60d90ae41603396de64d2a84b3102ec7e538e41238b77d
- SHA512: 5d6264d24292a0396376ea0c161c7e0fca2f44d2f4f46530ceb86449606292bf62b72dd2a190467f2a7f36465a88c07ccc8ce7a7c763bd88bc960d970733f50b
-
Filesize: 548KB
- MD5: 9ada29e54fd6f74ec56398e531c5db61
- SHA1: 3dad9eb9e047eaf98d22248db26e992e06dcf877
- SHA256: dc79794239171a96eac0bff86415cf9e5b997612ee0b4331ec21353a5ac291d3
- SHA512: e31e29a009e5a7b74b12ddecbed0f58bb254963dc389c09a31c3a39b56de0a4707d3d22eb747e245c2481c4bc4e15094137a988989072c92e5e336cfdd61fcb9
-
Filesize: 291KB
- MD5: 2d736d5d272c6368d1317311a5fadea2
- SHA1: 4e0129472a38b236634423862da9b1291aea91f2
- SHA256: 86d2dc4dcfb919efaf433a2263b5e59252d8f823c5125e22befe8d16075f011b
- SHA512: 97778ddf6d3316af47776e35d86fdbefd9ae566af4203fbed311141246881d4a46c17a46cf72a68c0a571e06fc444c58fc76601bb0fa057d4635075020897657
-
Filesize: 345KB
- MD5: 123d4ad0b6ff03500edba05b11c1671b
- SHA1: 91e37cea652c56fa4a1392d23e81631f8a8a9e5f
- SHA256: 295a967765f271e81098a48ad70905c64973266742d655e18c27369d00f13280
- SHA512: db03c1c4e8389706821820af0514faefda358f9ae3a9efd5a34bac78fd50dae8bc95498b3fd545e839cdd916373a7ebe1da8ddd8efa69b8029f891b780d0d9af