redline | 03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a

Analysis

max time kernel
22s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe
Size

696KB
MD5

dd9b35d755f5802dc0478d284cd2a91b
SHA1

5fa02181e26973c91f853a5ef17d0d5c9b70e0c0
SHA256

03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a
SHA512

1aadb0e0e3d8ac0d9d3f62509792d9ab69cc5f4b2f53087a9449cd0a5512a8538767117de7d215328c5877e50de6d1e30238d5ddbb14edfcc6cc2be14b202b92
SSDEEP

12288:WMrVy90S7tU76YqZZhrp/Y/x8Pbq77JvwCJXL6kWGjJAxI9gcy5nci:ryFto6YqZHExMO3mCpYGjCI9Rti

Score

10^/10

redline rosn evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro9360.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9360.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9360.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4152-195-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-196-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-198-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-200-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-202-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-204-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-206-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-208-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline
behavioral1/memory/4152-210-0x0000000004D10000-0x0000000004D4F000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

un897306.exepro9360.exequ7772.exe

pid process

2920 un897306.exe
3536 pro9360.exe
4152 qu7772.exe

pid	process
2920	un897306.exe
3536	pro9360.exe
4152	qu7772.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro9360.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9360.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9360.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un897306.exe03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un897306.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un897306.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1572 3536 WerFault.exe pro9360.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro9360.exe

pid process

3536 pro9360.exe
3536 pro9360.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro9360.exequ7772.exe

description pid process

Token: SeDebugPrivilege 3536 pro9360.exe
Token: SeDebugPrivilege 4152 qu7772.exe

pid	pid_target	process	target process
1572	3536	WerFault.exe	pro9360.exe

pid	process
3536	pro9360.exe
3536	pro9360.exe

description	pid	process
Token: SeDebugPrivilege	3536	pro9360.exe
Token: SeDebugPrivilege	4152	qu7772.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exeun897306.exe

description	pid	process	target process
PID 2544 wrote to memory of 2920	2544	03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe	un897306.exe
PID 2544 wrote to memory of 2920	2544	03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe	un897306.exe
PID 2544 wrote to memory of 2920	2544	03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe	un897306.exe
PID 2920 wrote to memory of 3536	2920	un897306.exe	pro9360.exe
PID 2920 wrote to memory of 3536	2920	un897306.exe	pro9360.exe
PID 2920 wrote to memory of 3536	2920	un897306.exe	pro9360.exe
PID 2920 wrote to memory of 4152	2920	un897306.exe	qu7772.exe
PID 2920 wrote to memory of 4152	2920	un897306.exe	qu7772.exe
PID 2920 wrote to memory of 4152	2920	un897306.exe	qu7772.exe

C:\Users\Admin\AppData\Local\Temp\03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe
"C:\Users\Admin\AppData\Local\Temp\03eac5f268888368a3e20f41ce36f1eb17647646ea0c79080a0be9023911383a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un897306.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un897306.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9360.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9360.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1080
4⤵
- Program crash
PID:1572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7772.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7772.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3536 -ip 3536
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un897306.exe

Filesize
555KB

MD5
1dd1539ce1473ae83858e195da349d04

SHA1
f56a13725e88a1d1ee886c6525dd2ea208fe2a87

SHA256
e98ddd50f1ea3fd4ddcc6dee3c196dff5f0556797a0bffef46f30a3acb8e92ad

SHA512
d3460f8b08637296a77c43d94a75381fed0c3ba4aa07ed829df9cfbac9936dd5ae5e48fc8e9dc72c8ee5581f50e894809b2d932e990acaf4c0d62f9b76d21342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un897306.exe

Filesize
555KB

MD5
1dd1539ce1473ae83858e195da349d04

SHA1
f56a13725e88a1d1ee886c6525dd2ea208fe2a87

SHA256
e98ddd50f1ea3fd4ddcc6dee3c196dff5f0556797a0bffef46f30a3acb8e92ad

SHA512
d3460f8b08637296a77c43d94a75381fed0c3ba4aa07ed829df9cfbac9936dd5ae5e48fc8e9dc72c8ee5581f50e894809b2d932e990acaf4c0d62f9b76d21342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9360.exe

Filesize
347KB

MD5
c6ac14b25c17c4befb6cc61f240d022b

SHA1
ad924ed17e121237550efc79b6731074b519b651

SHA256
9922833ca2982f1ca392c4605280fbb5bc9f17f97548f06b5b8207713d44305c

SHA512
af279e8ee42d2e7a5200d5f32740ecdf0807b87be300763f73a69780b0413666b4e077fa959566f29dd6ee272620168ca6b1d3e4e41eb8ff8a16a8e6b1d521e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9360.exe

Filesize
347KB

MD5
c6ac14b25c17c4befb6cc61f240d022b

SHA1
ad924ed17e121237550efc79b6731074b519b651

SHA256
9922833ca2982f1ca392c4605280fbb5bc9f17f97548f06b5b8207713d44305c

SHA512
af279e8ee42d2e7a5200d5f32740ecdf0807b87be300763f73a69780b0413666b4e077fa959566f29dd6ee272620168ca6b1d3e4e41eb8ff8a16a8e6b1d521e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7772.exe

Filesize
406KB

MD5
50eb0d09131f21c7fe28729de2c94b01

SHA1
5af5ed58cd3a70b10f062f808f0c08a1edfd01dd

SHA256
09b2edf636d356b74dceadd5eaa50e31b508e70e0ccb7673dc336962af04a952

SHA512
b525b38612aa4863305eac1dad7ef07d36fdbc36edc1447a1f3e34c2ddca6418683d7f42fd552f247e0babc235cf8a9f226853a0eb00d99276e2df534c727e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7772.exe

Filesize
406KB

MD5
50eb0d09131f21c7fe28729de2c94b01

SHA1
5af5ed58cd3a70b10f062f808f0c08a1edfd01dd

SHA256
09b2edf636d356b74dceadd5eaa50e31b508e70e0ccb7673dc336962af04a952

SHA512
b525b38612aa4863305eac1dad7ef07d36fdbc36edc1447a1f3e34c2ddca6418683d7f42fd552f247e0babc235cf8a9f226853a0eb00d99276e2df534c727e6a

Download Submit
memory/3536-179-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/3536-182-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/3536-152-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-154-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-158-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-156-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-160-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-162-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-164-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-166-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-168-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-172-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-170-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-174-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-178-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-176-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-150-0x00000000071C0000-0x0000000007764000-memory.dmp

Filesize
5.6MB

Download
memory/3536-180-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/3536-181-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/3536-151-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/3536-184-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/3536-185-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/3536-186-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/3536-149-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/3536-148-0x0000000002C90000-0x0000000002CBD000-memory.dmp

Filesize
180KB

Download
memory/4152-198-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-192-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4152-193-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4152-194-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4152-195-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-196-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-191-0x0000000002BF0000-0x0000000002C3B000-memory.dmp

Filesize
300KB

Download
memory/4152-200-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-202-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-204-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-206-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-208-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download
memory/4152-210-0x0000000004D10000-0x0000000004D4F000-memory.dmp

Filesize
252KB

Download