Analysis
-
max time kernel
135s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
31-03-2023 18:10
General
-
Target
3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb.exe
-
Size
672KB
-
MD5
f22fb5de03403c045006c0d56ae050b5
-
SHA1
346e2f503019e7daf9f9a5840f46920d27633af5
-
SHA256
3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb
-
SHA512
2857907112c730360bbec634fdb780dc0490f7c1416d5c1f59b988f7541ce2fe23695d099de886472b9077f8b50937dd52cba96d368ec30e57358e0485e4e2ce
-
SSDEEP
12288:GMriy90NCCcvUSaom4hmBmN/XNsKRomEQ+Y+IwcpvJqbFZk:oyz13F1sooBhiVcbFK
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb.exe"C:\Users\Admin\AppData\Local\Temp\3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 10844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 17924⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1980 -ip 19801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1176 -ip 11761⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exeFilesize
175KB
MD51d9b3e6244d47b0e217535ca018aa62a
SHA1f2a7b6a102362d816917410c950600ec6e8db5ab
SHA256831830652fc9616663df1c32515b9dac07312d52f8cc7ccff5e07757435f8589
SHA5129846ba3e671544b9282dd676d4daea317fe808d346de8a64579d770c737c2bafd06983e316ae4dad8cbb303e356668fd442687df4940c90f0d0fc376e4ae7fd2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exeFilesize
175KB
MD51d9b3e6244d47b0e217535ca018aa62a
SHA1f2a7b6a102362d816917410c950600ec6e8db5ab
SHA256831830652fc9616663df1c32515b9dac07312d52f8cc7ccff5e07757435f8589
SHA5129846ba3e671544b9282dd676d4daea317fe808d346de8a64579d770c737c2bafd06983e316ae4dad8cbb303e356668fd442687df4940c90f0d0fc376e4ae7fd2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exeFilesize
530KB
MD51237d686f24cfe3d73c122d102597843
SHA1d37c238036d038d11b7e545d35e61961dd4e327c
SHA25694e4e93734121cb23e26964b4b9d13d799959e1632db24239cd02bb533549fbe
SHA51277b9ca256c59295095179acc7d33516b699a7884e5e951c91e965bbc71c86cd455da92d0b76bfd8f9407d99ca1a2416261efeaa0913dd02a8e2d1eb802250d74
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exeFilesize
530KB
MD51237d686f24cfe3d73c122d102597843
SHA1d37c238036d038d11b7e545d35e61961dd4e327c
SHA25694e4e93734121cb23e26964b4b9d13d799959e1632db24239cd02bb533549fbe
SHA51277b9ca256c59295095179acc7d33516b699a7884e5e951c91e965bbc71c86cd455da92d0b76bfd8f9407d99ca1a2416261efeaa0913dd02a8e2d1eb802250d74
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exeFilesize
259KB
MD5b8101718f534fd13a7b857f565d60182
SHA160c335e55b412ac040a1a016e4f83253ceaab118
SHA2563f7ca2e18266aa3fd8cf6e8e3aa79850e20fa30b4fcfb7507519af42a60c769f
SHA5123489270cb569dfcc55f58ba23cc9ea20b716a2916880ff07d2387dc12336b6aba4b8c6961a461da142f3086d5ac25b6fef6e08fb515b73e575262945ca65a205
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exeFilesize
259KB
MD5b8101718f534fd13a7b857f565d60182
SHA160c335e55b412ac040a1a016e4f83253ceaab118
SHA2563f7ca2e18266aa3fd8cf6e8e3aa79850e20fa30b4fcfb7507519af42a60c769f
SHA5123489270cb569dfcc55f58ba23cc9ea20b716a2916880ff07d2387dc12336b6aba4b8c6961a461da142f3086d5ac25b6fef6e08fb515b73e575262945ca65a205
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exeFilesize
318KB
MD5d40c7d8bbf38c401a370200a9ab4bfbe
SHA1fdcfd4489b11e6b5261542eb6bf3021d2b00ec15
SHA2564085141f078ef52e2eae666686e71dd6a1d459156061702acd9edefc73566366
SHA5122525da36605398bb103438ed563f34fc9839826e3c4a86abcc96bd7aaa823bed0ce0e3fbb6d7483b7a22c36e639c73b20e8229bc8e208e22e73270c0dfcfefb5
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exeFilesize
318KB
MD5d40c7d8bbf38c401a370200a9ab4bfbe
SHA1fdcfd4489b11e6b5261542eb6bf3021d2b00ec15
SHA2564085141f078ef52e2eae666686e71dd6a1d459156061702acd9edefc73566366
SHA5122525da36605398bb103438ed563f34fc9839826e3c4a86abcc96bd7aaa823bed0ce0e3fbb6d7483b7a22c36e639c73b20e8229bc8e208e22e73270c0dfcfefb5
-
memory/1176-1102-0x00000000058A0000-0x00000000059AA000-memory.dmpFilesize
1.0MB
-
memory/1176-1103-0x00000000059E0000-0x00000000059F2000-memory.dmpFilesize
72KB
-
memory/1176-218-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-216-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-214-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-202-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-1116-0x0000000007B30000-0x000000000805C000-memory.dmpFilesize
5.2MB
-
memory/1176-1115-0x0000000007960000-0x0000000007B22000-memory.dmpFilesize
1.8MB
-
memory/1176-1114-0x0000000006630000-0x0000000006680000-memory.dmpFilesize
320KB
-
memory/1176-1113-0x0000000006590000-0x0000000006606000-memory.dmpFilesize
472KB
-
memory/1176-1112-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-1111-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-1110-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-206-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-1109-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-1107-0x0000000005D90000-0x0000000005DF6000-memory.dmpFilesize
408KB
-
memory/1176-1106-0x0000000005CF0000-0x0000000005D82000-memory.dmpFilesize
584KB
-
memory/1176-1105-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-1104-0x0000000005A00000-0x0000000005A3C000-memory.dmpFilesize
240KB
-
memory/1176-220-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-1101-0x0000000005270000-0x0000000005888000-memory.dmpFilesize
6.1MB
-
memory/1176-228-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-226-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-191-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-194-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-208-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-196-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-199-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-198-0x0000000002150000-0x000000000219B000-memory.dmpFilesize
300KB
-
memory/1176-200-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-204-0x0000000004BB0000-0x0000000004BC0000-memory.dmpFilesize
64KB
-
memory/1176-203-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-224-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-222-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-192-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1176-212-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/1516-1122-0x0000000000D00000-0x0000000000D32000-memory.dmpFilesize
200KB
-
memory/1516-1123-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/1516-1124-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/1980-182-0x0000000002730000-0x0000000002740000-memory.dmpFilesize
64KB
-
memory/1980-176-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-160-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-152-0x0000000002730000-0x0000000002740000-memory.dmpFilesize
64KB
-
memory/1980-151-0x0000000002730000-0x0000000002740000-memory.dmpFilesize
64KB
-
memory/1980-186-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1980-150-0x0000000002730000-0x0000000002740000-memory.dmpFilesize
64KB
-
memory/1980-184-0x0000000002730000-0x0000000002740000-memory.dmpFilesize
64KB
-
memory/1980-183-0x0000000002730000-0x0000000002740000-memory.dmpFilesize
64KB
-
memory/1980-153-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-181-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/1980-180-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-178-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-174-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-172-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-170-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-168-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-166-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-162-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-164-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-149-0x0000000004D80000-0x0000000005324000-memory.dmpFilesize
5.6MB
-
memory/1980-148-0x0000000000610000-0x000000000063D000-memory.dmpFilesize
180KB
-
memory/1980-158-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-156-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB
-
memory/1980-154-0x00000000024E0000-0x00000000024F2000-memory.dmpFilesize
72KB