Analysis
max time kernel: 91s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 09:46
Static task: static1
Behavioral task: behavioral1
Sample: 64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe
Resource: win10v2004-20230220-en
General
Target: 64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe
Size: 713KB
MD5: 984d835e61f1441dec76229a129b8dcc
SHA1: eeb96a29b87b062d6c0309a8e42578bf4811721d
SHA256: 64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a
SHA512: 187d4d4bdd271cd69ea98f839c83eaae7fe91fecd2cbed4cd7a39369edf92fceb1c8b92230a1b2ca89c796097ff2bdc5cd3df92a905a40bdce1e4585d9c86b45
SSDEEP: 12288:k8oWJCJY3DCEhwEiaYJVx4rdv1GV5uREe6TFgpEAMSgQ6nC8DEsLRhjKWYIBoFi:S2oYGEhGa6VxUdtGrKEcAFQ6RRlBBoM
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
description      ioc                                                                                                                     process
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                    jr155826.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    jr155826.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        jr155826.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    jr155826.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    jr155826.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  jr155826.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 32 IoCs
Executes dropped EXE 4 IoCs
Processes:
pid   process
1392  zinW6705.exe
1840  jr155826.exe
1524  ku638698.exe
1224  lr892963.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes:
description      ioc                                                                                    process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  jr155826.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description      ioc                                                                                process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   zinW6705.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  zinW6705.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
5052  1524        WerFault.exe  ku638698.exe
3420  1992        WerFault.exe  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
1840  jr155826.exe
1840  jr155826.exe
1524  ku638698.exe
1524  ku638698.exe
1224  lr892963.exe
1224  lr892963.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1840  jr155826.exe
Token: SeDebugPrivilege  1524  ku638698.exe
Token: SeDebugPrivilege  1224  lr892963.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description                       pid   process                                                                product                target process
PID 1992 wrote to memory of 1392  1992  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe  zinW6705.exe
PID 1992 wrote to memory of 1392  1992  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe  zinW6705.exe
PID 1992 wrote to memory of 1392  1992  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe  zinW6705.exe
PID 1392 wrote to memory of 1840  1392  zinW6705.exe                                                           jr155826.exe
PID 1392 wrote to memory of 1840  1392  zinW6705.exe                                                           jr155826.exe
PID 1392 wrote to memory of 1524  1392  zinW6705.exe                                                           ku638698.exe
PID 1392 wrote to memory of 1524  1392  zinW6705.exe                                                           ku638698.exe
PID 1392 wrote to memory of 1524  1392  zinW6705.exe                                                           ku638698.exe
PID 1992 wrote to memory of 1224  1992  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe  lr892963.exe
PID 1992 wrote to memory of 1224  1992  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe  lr892963.exe
PID 1992 wrote to memory of 1224  1992  64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe  lr892963.exe
Processes (indentation shows the parent/child depth of each process)
C:\Users\Admin\AppData\Local\Temp\64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\64ab7c4e2ba95df3dc31e51f4a3217d516f7868625ff1b30ee3d955994d8606a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinW6705.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinW6705.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr155826.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr155826.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku638698.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku638698.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1796
              - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr892963.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr892963.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 492
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1992 -ip 1992
Downloads