Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
31-03-2023 19:06
General
-
Target
d0d90025adf34010405a59740552f0cbce845b4cab057ef5761c0d5f04e25095.exe
-
Size
673KB
-
MD5
cd76634914ac243399bbcc14e3dbfa94
-
SHA1
eb587abd0dfd67bdbf8ffd06fae03cc77b49d4d4
-
SHA256
d0d90025adf34010405a59740552f0cbce845b4cab057ef5761c0d5f04e25095
-
SHA512
3bfa6b038a9c594cc4e4824eb756d5d54b323082349bc953434d9dab11017cc86be9437752757136d3d52388f64f41f9d190d85358a2d410afd2168cc6c8b673
-
SSDEEP
12288:PMrcy90dWccTbkZCyBfXZPyGerGJDb/OKJ+8S/a85AYjmd/I:PyImjyBPFtJ+hi8GYM/I
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0d90025adf34010405a59740552f0cbce845b4cab057ef5761c0d5f04e25095.exe"C:\Users\Admin\AppData\Local\Temp\d0d90025adf34010405a59740552f0cbce845b4cab057ef5761c0d5f04e25095.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un279004.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un279004.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1402.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1402.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2042.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2042.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 11964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si963962.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si963962.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2072 -ip 20721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4048 -ip 40481⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si963962.exeFilesize
175KB
MD50acf1c7d0ff7e4e828d86a7f1ef6ceba
SHA1024b084cb5623653f5405c98722fcb1c4f510377
SHA256c587fd77a93d7638ff072dcf404b6a62040abafaad2a4c84dece14cda6a52f87
SHA51272fc2994386102fc9d0e8ac6545012c80615f4524a83103a83117a7bcb3dc1334b095f1e278d67c226fa97f1072b5d1e09f3695ff793bbf7b7f33f352dd4f921
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si963962.exeFilesize
175KB
MD50acf1c7d0ff7e4e828d86a7f1ef6ceba
SHA1024b084cb5623653f5405c98722fcb1c4f510377
SHA256c587fd77a93d7638ff072dcf404b6a62040abafaad2a4c84dece14cda6a52f87
SHA51272fc2994386102fc9d0e8ac6545012c80615f4524a83103a83117a7bcb3dc1334b095f1e278d67c226fa97f1072b5d1e09f3695ff793bbf7b7f33f352dd4f921
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un279004.exeFilesize
530KB
MD53b17cb929356b19ad051fac266d26641
SHA1dafaff284cb59289382e9eca56d47b9d762f846f
SHA2568009357366ae6e72ea16ada690192ea827c4b81ef17054e265ee3f3b90b35b04
SHA512033601be96cccd0abda5f79112e9946d2f1cadd5ae8d94abfd49c5ec4dda721e2d51f23bc6242c07d96cb1bd6b625cdfc2fbad9a9920b9ada731825a529fdf76
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un279004.exeFilesize
530KB
MD53b17cb929356b19ad051fac266d26641
SHA1dafaff284cb59289382e9eca56d47b9d762f846f
SHA2568009357366ae6e72ea16ada690192ea827c4b81ef17054e265ee3f3b90b35b04
SHA512033601be96cccd0abda5f79112e9946d2f1cadd5ae8d94abfd49c5ec4dda721e2d51f23bc6242c07d96cb1bd6b625cdfc2fbad9a9920b9ada731825a529fdf76
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1402.exeFilesize
259KB
MD56e67a271b1720aae882cc4ed4a03a249
SHA156a039d7598569126a283669178510f8e15ea511
SHA2560773a3c699b8163eb1faa9fa62e6c258ffb82764c5b030962a2c8c6edc87d3cf
SHA512a508ef88b90899bf48a058d8e67368ec10775e1c7cad9608fb943ba881559eb8f96642df2cd675cbbebd3a3917b0cc14a97e5b879173371a5fddc13c75d082c7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1402.exeFilesize
259KB
MD56e67a271b1720aae882cc4ed4a03a249
SHA156a039d7598569126a283669178510f8e15ea511
SHA2560773a3c699b8163eb1faa9fa62e6c258ffb82764c5b030962a2c8c6edc87d3cf
SHA512a508ef88b90899bf48a058d8e67368ec10775e1c7cad9608fb943ba881559eb8f96642df2cd675cbbebd3a3917b0cc14a97e5b879173371a5fddc13c75d082c7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2042.exeFilesize
318KB
MD53491e11d8e7a635b30c382b6a26a512a
SHA1e4076e503144f2e2df245be8f14932e05c6b5833
SHA2566d53c6c0f22e994977805aaee557a7e0bdd03387d667af12af3c2deaa298fefb
SHA51210f9b3731348244448b07170048fff237282b50da46fd947e8cf9fc88538071506d42d9ea6f3e4ff832560843366a25ad6f07ca3e4b8704a97979af0ef8f058e
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2042.exeFilesize
318KB
MD53491e11d8e7a635b30c382b6a26a512a
SHA1e4076e503144f2e2df245be8f14932e05c6b5833
SHA2566d53c6c0f22e994977805aaee557a7e0bdd03387d667af12af3c2deaa298fefb
SHA51210f9b3731348244448b07170048fff237282b50da46fd947e8cf9fc88538071506d42d9ea6f3e4ff832560843366a25ad6f07ca3e4b8704a97979af0ef8f058e
-
memory/2072-148-0x0000000000560000-0x000000000058D000-memory.dmpFilesize
180KB
-
memory/2072-149-0x0000000004C00000-0x00000000051A4000-memory.dmpFilesize
5.6MB
-
memory/2072-150-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2072-151-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2072-152-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2072-153-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-154-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-156-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-158-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-160-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-162-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-164-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-166-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-168-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-170-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-172-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-174-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-176-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-178-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-180-0x0000000004A30000-0x0000000004A42000-memory.dmpFilesize
72KB
-
memory/2072-181-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2072-182-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2072-183-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2072-184-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2072-186-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2544-1122-0x0000000000E60000-0x0000000000E92000-memory.dmpFilesize
200KB
-
memory/2544-1124-0x0000000005AA0000-0x0000000005AB0000-memory.dmpFilesize
64KB
-
memory/2544-1123-0x0000000005AA0000-0x0000000005AB0000-memory.dmpFilesize
64KB
-
memory/4048-194-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-228-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-198-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-200-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-202-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-204-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-206-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-207-0x0000000002040000-0x000000000208B000-memory.dmpFilesize
300KB
-
memory/4048-209-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-211-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-210-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-213-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-214-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-216-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-218-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-220-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-222-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-224-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-226-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-196-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-1101-0x0000000005140000-0x0000000005758000-memory.dmpFilesize
6.1MB
-
memory/4048-1102-0x0000000005760000-0x000000000586A000-memory.dmpFilesize
1.0MB
-
memory/4048-1103-0x00000000058A0000-0x00000000058B2000-memory.dmpFilesize
72KB
-
memory/4048-1104-0x0000000005900000-0x000000000593C000-memory.dmpFilesize
240KB
-
memory/4048-1105-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-1106-0x0000000005BB0000-0x0000000005C16000-memory.dmpFilesize
408KB
-
memory/4048-1108-0x00000000063B0000-0x0000000006442000-memory.dmpFilesize
584KB
-
memory/4048-1109-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-1110-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-1111-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/4048-1112-0x00000000066F0000-0x0000000006766000-memory.dmpFilesize
472KB
-
memory/4048-1113-0x0000000006780000-0x00000000067D0000-memory.dmpFilesize
320KB
-
memory/4048-192-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-191-0x0000000004AF0000-0x0000000004B2F000-memory.dmpFilesize
252KB
-
memory/4048-1114-0x00000000067E0000-0x00000000069A2000-memory.dmpFilesize
1.8MB
-
memory/4048-1115-0x00000000069B0000-0x0000000006EDC000-memory.dmpFilesize
5.2MB
-
memory/4048-1116-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB