Analysis
-
max time kernel
55s -
max time network
57s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
28-03-2023 10:30
General
-
Target
6023948ffc2ef30e286faac62e83a27c0ba285ddc4e4e12cace7a8de42be6b87.exe
-
Size
696KB
-
MD5
8141072dc6c63da52789b43cadf3b77d
-
SHA1
4f818f78653cd681285c5ccb0178c7fac7fe6643
-
SHA256
6023948ffc2ef30e286faac62e83a27c0ba285ddc4e4e12cace7a8de42be6b87
-
SHA512
782743bc657521075bb3552cfdc4c1b1c20cc771ecdbd46ee9668b267b783000e9a3b5d3a821e0f298e09b3be07fdd685d6bb032fde64021132dce4ac43260e0
-
SSDEEP
12288:TMrny90W4wuvPJuWL8IN8/+e/Ymxy/rQI6QL63SGjmAxI9gQZG:oykrPJj7NKzx8TGjbI9TM
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
muse
176.113.115.145:4125
-
auth_value
b91988a63a24940038d9262827a5320c
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6023948ffc2ef30e286faac62e83a27c0ba285ddc4e4e12cace7a8de42be6b87.exe"C:\Users\Admin\AppData\Local\Temp\6023948ffc2ef30e286faac62e83a27c0ba285ddc4e4e12cace7a8de42be6b87.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un247152.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un247152.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4770.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4770.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3850.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3850.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si705634.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si705634.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si705634.exeFilesize
175KB
MD5187b720cc050d1eae5cc93dee07ec921
SHA172022fba4b239c37a19cf152324272b6dc1a9921
SHA256434586fb9e38972f332a857329c463af77de0a40e9ffbd818ab5c69d933a7a29
SHA512ce5262168d5979536ceda652f13617c2662cf8589d1205d3b162a8b61f03fe27fec2a2def9c3b3b6f8544ade7cf1c323aea05e6d6055a03eee4efa4f63f432f8
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si705634.exeFilesize
175KB
MD5187b720cc050d1eae5cc93dee07ec921
SHA172022fba4b239c37a19cf152324272b6dc1a9921
SHA256434586fb9e38972f332a857329c463af77de0a40e9ffbd818ab5c69d933a7a29
SHA512ce5262168d5979536ceda652f13617c2662cf8589d1205d3b162a8b61f03fe27fec2a2def9c3b3b6f8544ade7cf1c323aea05e6d6055a03eee4efa4f63f432f8
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un247152.exeFilesize
555KB
MD570901743f64cd26857abc8e335878078
SHA11a3906fea7e7807576c3ca41b95058b196b1a1eb
SHA256f2f4db617c1b65b246c12f0868b2cdb669283303ff963f147c8738ae32c37189
SHA51248f925e5810961b4c13f6ddc391a1e271bb1ba3c841056893807373ee0d623d0524b7b04b62b1731b007b66b4adfd90b0f4c728003903ed6928589c71f6b5ab1
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un247152.exeFilesize
555KB
MD570901743f64cd26857abc8e335878078
SHA11a3906fea7e7807576c3ca41b95058b196b1a1eb
SHA256f2f4db617c1b65b246c12f0868b2cdb669283303ff963f147c8738ae32c37189
SHA51248f925e5810961b4c13f6ddc391a1e271bb1ba3c841056893807373ee0d623d0524b7b04b62b1731b007b66b4adfd90b0f4c728003903ed6928589c71f6b5ab1
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4770.exeFilesize
347KB
MD55d33471a00e7081730ef0ea3ab6e91bf
SHA145b30beb53fdef89933090f6a317ae22ddefdca3
SHA256569cb2c65876450661e2178e262db4059aeb796191776d18edce14f4f0c085ed
SHA512935f71bda4ca9507f1c17c526a26cfdbdcb01562ca4e0e40433c0d1b22b50c7553e5e94e7ea451c9e83578c50d037a44bee49847876d27d14ba0c2fd789aec3a
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4770.exeFilesize
347KB
MD55d33471a00e7081730ef0ea3ab6e91bf
SHA145b30beb53fdef89933090f6a317ae22ddefdca3
SHA256569cb2c65876450661e2178e262db4059aeb796191776d18edce14f4f0c085ed
SHA512935f71bda4ca9507f1c17c526a26cfdbdcb01562ca4e0e40433c0d1b22b50c7553e5e94e7ea451c9e83578c50d037a44bee49847876d27d14ba0c2fd789aec3a
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3850.exeFilesize
406KB
MD5348202decd952225b6ae98cf1d837cb8
SHA1d700a41f92b335667945a518ad9bb9861e99eb10
SHA256305436e43164aaffda1878f65a55efc8a95c28bede3eadb8b0f39618c59f1cd4
SHA512c0a35fce835550086315bbd7fb77d76ae753f7e719d9d4abf5c32ffce3e9afcf9993ce25e4ac687481e8d39847a2e00b8da2ab7cce6774e0f20b543cbebc4ae5
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3850.exeFilesize
406KB
MD5348202decd952225b6ae98cf1d837cb8
SHA1d700a41f92b335667945a518ad9bb9861e99eb10
SHA256305436e43164aaffda1878f65a55efc8a95c28bede3eadb8b0f39618c59f1cd4
SHA512c0a35fce835550086315bbd7fb77d76ae753f7e719d9d4abf5c32ffce3e9afcf9993ce25e4ac687481e8d39847a2e00b8da2ab7cce6774e0f20b543cbebc4ae5
-
memory/1832-132-0x0000000007020000-0x000000000703A000-memory.dmpFilesize
104KB
-
memory/1832-133-0x0000000007180000-0x000000000767E000-memory.dmpFilesize
5.0MB
-
memory/1832-135-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/1832-134-0x0000000002B90000-0x0000000002BBD000-memory.dmpFilesize
180KB
-
memory/1832-136-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/1832-138-0x00000000070B0000-0x00000000070C8000-memory.dmpFilesize
96KB
-
memory/1832-137-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/1832-139-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-140-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-142-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-144-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-146-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-148-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-150-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-152-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-154-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-156-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-158-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-160-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-162-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-164-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-166-0x00000000070B0000-0x00000000070C2000-memory.dmpFilesize
72KB
-
memory/1832-167-0x0000000000400000-0x0000000002B84000-memory.dmpFilesize
39.5MB
-
memory/1832-168-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/1832-169-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/1832-170-0x0000000007170000-0x0000000007180000-memory.dmpFilesize
64KB
-
memory/1832-172-0x0000000000400000-0x0000000002B84000-memory.dmpFilesize
39.5MB
-
memory/4100-1111-0x0000000000310000-0x0000000000342000-memory.dmpFilesize
200KB
-
memory/4100-1113-0x0000000004EC0000-0x0000000004ED0000-memory.dmpFilesize
64KB
-
memory/4100-1112-0x0000000004D50000-0x0000000004D9B000-memory.dmpFilesize
300KB
-
memory/4912-179-0x0000000004AC0000-0x0000000004B04000-memory.dmpFilesize
272KB
-
memory/4912-212-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-181-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-182-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-183-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-184-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-186-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-188-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-190-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-192-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-194-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-196-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-198-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-200-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-202-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-204-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-206-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-208-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-210-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-180-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-214-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-216-0x0000000004AC0000-0x0000000004AFF000-memory.dmpFilesize
252KB
-
memory/4912-1089-0x0000000007E80000-0x0000000008486000-memory.dmpFilesize
6.0MB
-
memory/4912-1090-0x0000000007870000-0x000000000797A000-memory.dmpFilesize
1.0MB
-
memory/4912-1091-0x00000000079B0000-0x00000000079C2000-memory.dmpFilesize
72KB
-
memory/4912-1092-0x00000000079D0000-0x0000000007A0E000-memory.dmpFilesize
248KB
-
memory/4912-1093-0x0000000007B20000-0x0000000007B6B000-memory.dmpFilesize
300KB
-
memory/4912-1094-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-1096-0x0000000007CB0000-0x0000000007D42000-memory.dmpFilesize
584KB
-
memory/4912-1097-0x0000000007D50000-0x0000000007DB6000-memory.dmpFilesize
408KB
-
memory/4912-1098-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-1099-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-1100-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-1101-0x0000000008B60000-0x0000000008BD6000-memory.dmpFilesize
472KB
-
memory/4912-1102-0x0000000008BE0000-0x0000000008C30000-memory.dmpFilesize
320KB
-
memory/4912-178-0x0000000002C70000-0x0000000002CBB000-memory.dmpFilesize
300KB
-
memory/4912-177-0x00000000048D0000-0x0000000004916000-memory.dmpFilesize
280KB
-
memory/4912-1103-0x0000000007260000-0x0000000007270000-memory.dmpFilesize
64KB
-
memory/4912-1104-0x0000000008EE0000-0x00000000090A2000-memory.dmpFilesize
1.8MB
-
memory/4912-1105-0x00000000090B0000-0x00000000095DC000-memory.dmpFilesize
5.2MB