Analysis
max time kernel: 62s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 19:08
Static task: static1
Behavioral task: behavioral1
Sample: fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe
Resource: win10v2004-20230221-en
General
Target: fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe
Size: 699KB
MD5: e9247415d15c3bf0d0f456b94f66d279
SHA1: f9a72e11626d26469a7a52ff95d3330867be003b
SHA256: fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f
SHA512: 52e2fd7f7b90f5ed0a68f2cfccf424d989c55cacc925882415ebf142ec5dc02ae0d681de4015995f0dd4bb2c55283f12e099a78fc4a87bf9e4a12ab0b8fc7ffa
SSDEEP: 12288:1MrHy90bFwQVr7Fw9Sl0mvwdeE5cIgxx+uWoN8/Fsqc2Ux6E:6yRIy4GOwjcI8xnO/FW2UX
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: muse
C2: 176.113.115.145:4125
auth_value: b91988a63a24940038d9262827a5320c
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro0097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro0097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro0097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro0097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro0097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro0097.exe
These writes are attempts, not confirmed results: on a host with Tamper Protection enabled Defender ignores or blocks changes to these settings, so their success in the sandbox says nothing about how a hardened target would fare.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/5104-190-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-191-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-193-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-195-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-197-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-199-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-201-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-203-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-205-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-207-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-209-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-211-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-214-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-218-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-221-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-223-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-225-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-227-0x0000000004D30000-0x0000000004D6F000-memory.dmp | family_redline
behavioral1/memory/5104-1112-0x0000000004D20000-0x0000000004D30000-memory.dmp | family_redline
All 19 hits are in the address space of PID 5104 (qu1140.exe), which is therefore the process carrying the RedLine payload.
Executes dropped EXE 4 IoCs
pid | Process
1400 | un422574.exe
2176 | pro0097.exe
5104 | qu1140.exe
3836 | si619368.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser data such as saved credentials, cookies and autofill entries.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro0097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro0097.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un422574.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un422574.exe
The wextract_cleanup entries are the self-extractor's own housekeeping: each registers a deferred deletion of its IXP00n.TMP extraction directory rather than re-launching the payload, and the two entries (IXP000 from the sample, IXP001 from un422574.exe) show a self-extracting package nested inside another.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3904 | 2176 | WerFault.exe | 83
3860 | 5104 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2176 | pro0097.exe
2176 | pro0097.exe
5104 | qu1140.exe
5104 | qu1140.exe
3836 | si619368.exe
3836 | si619368.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2176 | pro0097.exe
Token: SeDebugPrivilege | 5104 | qu1140.exe
Token: SeDebugPrivilege | 3836 | si619368.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4616 wrote to memory of 1400 | 4616 | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe | 82
PID 4616 wrote to memory of 1400 | 4616 | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe | 82
PID 4616 wrote to memory of 1400 | 4616 | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe | 82
PID 1400 wrote to memory of 2176 | 1400 | un422574.exe | 83
PID 1400 wrote to memory of 2176 | 1400 | un422574.exe | 83
PID 1400 wrote to memory of 2176 | 1400 | un422574.exe | 83
PID 1400 wrote to memory of 5104 | 1400 | un422574.exe | 89
PID 1400 wrote to memory of 5104 | 1400 | un422574.exe | 89
PID 1400 wrote to memory of 5104 | 1400 | un422574.exe | 89
PID 4616 wrote to memory of 3836 | 4616 | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe | 93
PID 4616 wrote to memory of 3836 | 4616 | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe | 93
PID 4616 wrote to memory of 3836 | 4616 | fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe | 93
The writes all go from a parent into the child it is launching, which is what CreateProcess does for every new process; on their own they are not evidence of injection.
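Added example, not the sandbox's own detection code: a small Python rule set that reads the signature rows above in the report's own notation, plus the image and parent paths from the process tree, and turns them into findings. It flags the five Real-Time Protection policy disables, the TamperProtection write, the wextract RunOnce cleanup entries, and execution out of an IXP00n.TMP directory, marking the latter as nested when the parent also runs from one. The input rows are transcribed from this report; the rule names, the Finding class and the helper functions are the example's own, and registry paths are normalised by dropping WOW6432Node so a 64-bit writer of the same policy would match the same rule.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Real-Time Protection policy values that switch off a Defender component when
# set to 1; all five are written by pro0097.exe in this report.
RTP_DISABLE_NAMES = ("DisableBehaviorMonitoring", "DisableIOAVProtection",
                     "DisableOnAccessProtection", "DisableRealtimeMonitoring",
                     "DisableScanOnRealtimeEnable")
RTP_DISABLE_SET = {n.lower() for n in RTP_DISABLE_NAMES}
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)      # wextract/IExpress extraction dir
ROW_RE = re.compile(r'^(Set value \((int|str)\)|Key created) (.+?)(?: = "(.*)")? (\S+)$')


@dataclass
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def normalize_key(path):
    """Lower-case a registry path and collapse the WOW6432Node redirection so a
    32-bit writer (this sample runs under SysWOW64) and a 64-bit one compare equal."""
    p = path.lower().replace("\\registry\\machine\\", "hklm\\", 1)
    return p.replace("\\wow6432node\\", "\\")


def parse_row(row):
    """Split a report row into (kind, target, value, process); undo the report's
    backslash escaping inside string values."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    kind, vtype, target, raw, proc = m.groups()
    if vtype == "int":
        value = int(raw)
    elif vtype == "str":
        value = re.sub(r'\\(["\\])', r'\1', raw)
    else:
        value = None
    return kind.split(" (")[0], target, value, proc


def check_registry(row):
    kind, target, value, proc = parse_row(row)
    if kind != "Set value":            # a bare "Key created" carries no signal here
        return []
    key, _, name = normalize_key(target).rpartition("\\")
    out = []
    if (key.endswith("\\policies\\microsoft\\windows defender\\real-time protection")
            and name in RTP_DISABLE_SET and value == 1):
        out.append(Finding("defender_rtp_disabled", "high", proc, name))
    if key.endswith("\\microsoft\\windows defender\\features") and name == "tamperprotection" and value == 0:
        out.append(Finding("defender_tamper_protection_off", "high", proc, name))
    if key.endswith(("\\currentversion\\runonce", "\\currentversion\\run")):
        sev, detail = "low", f"{name} = {value}"
        if isinstance(value, str) and "advpack.dll,delnoderundll32" in value.lower():
            # wextract registers DelNodeRunDLL32 to delete its IXP00n.TMP directory at
            # next logon: a self-extracting package whose dropped files will vanish.
            sev, detail = "medium", f"{name}: wextract self-cleanup {value.rsplit(' ', 1)[-1]}"
        out.append(Finding("runonce_persistence", sev, proc, detail))
    return out


def check_process(image, parent_image):
    if not IXP_DIR.search(image):
        return []
    nested = bool(parent_image and IXP_DIR.search(parent_image))
    detail = "nested wextract package" if nested else "run from wextract temp dir"
    return [Finding("exec_from_wextract_tmp", "medium", image.rsplit("\\", 1)[-1], detail)]


def analyze(rows, processes):
    findings = []
    for row in rows:
        findings += check_registry(row)
    for image, parent in processes:
        findings += check_process(image, parent)
    return findings


def count_by_rule(findings):
    return Counter(f.rule for f in findings)


# Constructed input, transcribed from the Signatures and Processes sections of this report.
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
RTP = HKLM + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe"
CLEANUP = r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00%s.TMP\\\"'
REPORT_ROWS = (
    [f"Key created {RTP} pro0097.exe"]
    + [f'Set value (int) {RTP}\\{n} = "1" pro0097.exe' for n in RTP_DISABLE_NAMES]
    + [f'Set value (int) {HKLM}\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" pro0097.exe',
       f'Set value (str) {HKLM}\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0 = "{CLEANUP % 0}" {SAMPLE}',
       f'Set value (str) {HKLM}\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1 = "{CLEANUP % 1}" un422574.exe']
)
PROCESSES = [  # (image, parent image)
    (f"{TMP}\\{SAMPLE}", None),
    (f"{TMP}\\IXP000.TMP\\un422574.exe", f"{TMP}\\{SAMPLE}"),
    (f"{TMP}\\IXP001.TMP\\pro0097.exe", f"{TMP}\\IXP000.TMP\\un422574.exe"),
    (f"{TMP}\\IXP001.TMP\\qu1140.exe", f"{TMP}\\IXP000.TMP\\un422574.exe"),
    (f"{TMP}\\IXP000.TMP\\si619368.exe", f"{TMP}\\{SAMPLE}"),
]

if __name__ == "__main__":
    for f in analyze(REPORT_ROWS, PROCESSES):
        print(f"[{f.severity:6}] {f.rule:32} {f.process:14} {f.detail}")
```

Run against the transcribed rows it reports five Real-Time Protection disables and one TamperProtection write from pro0097.exe, two wextract cleanup entries, and four processes launched from IXP00n.TMP directories, two of them from a package nested inside another. The same rules apply to Sysmon Event ID 13 (registry value set) and Event ID 1 (process create) data once the TargetObject and Image fields are fed in; the WOW6432Node normalisation is what keeps the rule from silently missing a 64-bit build of the same dropper.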
Processes
[1] C:\Users\Admin\AppData\Local\Temp\fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fc421254213df5ee8771db7a54f45406681d68f44cdfbfb30df538638e46c44f.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4616
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422574.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422574.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1400
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0097.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0097.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2176
            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1080
                - Program crash
                PID: 3904
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1140.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1140.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 5104
            [4] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1180
                - Program crash
                PID: 3860
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si619368.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si619368.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3836
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2176 -ip 2176
    PID: 4596
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5104 -ip 5104
    PID: 1668
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 478840a65c4fd3a2cd13b16e1e17a90e
SHA1: 99b84994909e0598333c678850916a8e8ce362c2
SHA256: 25bbbb5c97816f9559cf7db3a5edc12debcbff1bd48c469296c0e8a8452100a6
SHA512: fac3219806fcccc787513e74fa72633968e349a86dc36a4bd5c4ad100736adb60f7e14ea24a7748f4648e76d0e4bf7c2bf972f5e6c971e06a95b0bb47ac02937
Filesize: 557KB
MD5: 1ce3d136b8967d554848d76463f79b9b
SHA1: 4967bcf87221b688d617b1944d05e69ce690a147
SHA256: 86a733ef7937851a81a93232dbdf5175c543fa9eb086762445eaee505af36a9f
SHA512: 6ec5e7dbcc5232a9a3310064bf3d2d97ed39ff793eb8a8cf4d0ae053ba5d0b3144097cbc93fa924344b2f591090c3258475f0f17b694d86d915c5e966fdad801
Filesize: 348KB
MD5: 67a28391644c24f4616b185ca69d3366
SHA1: 436854a0cec6014c48b64ba1ebcdc9aa327e9c3e
SHA256: f1d8181f6cf705fb474ba6a62020fcb93cb189244784d81c35a3d25e57c06535
SHA512: c67a45f172dda44580a081b98e99d36864d87cf3c0a82faad4f078dfd47c4c21e005a1cb87d85f28eee3f505fdb9e063f248ca69f2f0d54082ce2ed08f90bd90
Filesize: 406KB
MD5: bc3e85f8da3697ef048871d728155513
SHA1: 1b350e6b656fe5fd33c274a44af70e5733485d72
SHA256: eb31df6d619c6fefc6b8083b53b8ba6e8c9e319fd7159fa18be813b62ed6f4fd
SHA512: 5f5ce87d1612a406a4a413c3cba99317d0ab1e8e2abbd96259b6001132f81c6812a37d0efdd15274d56218c1737f2cc272d3632e6cf14c47e6fca6d222aa2d91