Analysis
-
max time kernel
135s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
31-03-2023 20:15
General
-
Target
05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe
-
Size
673KB
-
MD5
7bfb3b64685f99c63eb3635723496568
-
SHA1
cee4f47cbe2ceb6e488cfbc41ef9c355d6d0bff5
-
SHA256
05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552
-
SHA512
cdf24952e57d4423d5105c7aaf31e281ba7faec9c45f81241a6fd30502b48af0db45a1545188f62e5e604a47550e946283d8379bfa00e8d15fc3b1211e94f686
-
SSDEEP
12288:hMrAy90IYitemON2LhfZz4a8FrXhMm7BObWrHmrN8E/:lyJqmOULR5x8qmcbCyNd/
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe"C:\Users\Admin\AppData\Local\Temp\05ed29ad8c43f4eb63cb327f0ebb037f869429773347b8b494b51f7806966552.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676855.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676855.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7663.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7663.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9285.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9285.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 13284⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si554249.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si554249.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5100 -ip 51001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2888 -ip 28881⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si554249.exeFilesize
175KB
MD5b48ffb6a21429931d41cbd6275b013ce
SHA1ab3011607b0e183225d445d264b391b65b13c9a5
SHA256258ac511ee5a7cf1a9df76a430c65786d6d9f4922924f86de39b0600cc6f7750
SHA512cf35b2c4c6c0d240e5464f079eb30e5d9df693388d61481ce595e8f013456db8342e6dcd2404c811532e21c1299c68c5030add24b8a1912e679b3e752d2064a7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si554249.exeFilesize
175KB
MD5b48ffb6a21429931d41cbd6275b013ce
SHA1ab3011607b0e183225d445d264b391b65b13c9a5
SHA256258ac511ee5a7cf1a9df76a430c65786d6d9f4922924f86de39b0600cc6f7750
SHA512cf35b2c4c6c0d240e5464f079eb30e5d9df693388d61481ce595e8f013456db8342e6dcd2404c811532e21c1299c68c5030add24b8a1912e679b3e752d2064a7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676855.exeFilesize
531KB
MD5820b3ab1364b5efba99023d8bd43632a
SHA13616248d0560bdc8e28c2b38b3d0c3993615077c
SHA256c1978a026201e6c5ca98de841e0869b4f8f8870a110f2358dff3a5c3d2a57b1b
SHA512b9dec489a557900ced7688417d3682f40bbf8523cd293379e271a3c0e6f5e6b0bceee973a83b670a91797af37062d8c1b2e8ecd359df3d0e892a9da1cc1d4ce9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un676855.exeFilesize
531KB
MD5820b3ab1364b5efba99023d8bd43632a
SHA13616248d0560bdc8e28c2b38b3d0c3993615077c
SHA256c1978a026201e6c5ca98de841e0869b4f8f8870a110f2358dff3a5c3d2a57b1b
SHA512b9dec489a557900ced7688417d3682f40bbf8523cd293379e271a3c0e6f5e6b0bceee973a83b670a91797af37062d8c1b2e8ecd359df3d0e892a9da1cc1d4ce9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7663.exeFilesize
260KB
MD5d5aae395cbfe6ba80a905e52cec9a116
SHA126bae0e02578c78e83f5c5e6749d1c6775163050
SHA256d0e6d857b769e57b7e93b831c4ba69fe4884dc4d11da7ed8d55812cf974a6da3
SHA512b34230224335da5e3f56c685792857f190a7ace32e21d98e62cdc62c5d69eea3c33b6a73fe0079f7ac4a31550dc50df3d7773064f23adeb09e340cbfce4588c9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7663.exeFilesize
260KB
MD5d5aae395cbfe6ba80a905e52cec9a116
SHA126bae0e02578c78e83f5c5e6749d1c6775163050
SHA256d0e6d857b769e57b7e93b831c4ba69fe4884dc4d11da7ed8d55812cf974a6da3
SHA512b34230224335da5e3f56c685792857f190a7ace32e21d98e62cdc62c5d69eea3c33b6a73fe0079f7ac4a31550dc50df3d7773064f23adeb09e340cbfce4588c9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9285.exeFilesize
318KB
MD5b99d71812d1e32e1eb538425774184d4
SHA12cea459d9195da6f6988e9cc68a57776aa6ab97c
SHA25691d56900ae7e954fbb654ae671cc5b9191ca03f5fac58965c749f96c4598886e
SHA512d42bb307569815096d20ffaf0a1fed0167d464891fa11efb4134996a503238d1d7d5adfe12b98f2a0f7c6055272ad62ae5cf05f073199ad25849071cbd6c153e
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9285.exeFilesize
318KB
MD5b99d71812d1e32e1eb538425774184d4
SHA12cea459d9195da6f6988e9cc68a57776aa6ab97c
SHA25691d56900ae7e954fbb654ae671cc5b9191ca03f5fac58965c749f96c4598886e
SHA512d42bb307569815096d20ffaf0a1fed0167d464891fa11efb4134996a503238d1d7d5adfe12b98f2a0f7c6055272ad62ae5cf05f073199ad25849071cbd6c153e
-
memory/2888-1102-0x00000000058D0000-0x00000000059DA000-memory.dmpFilesize
1.0MB
-
memory/2888-1101-0x00000000052B0000-0x00000000058C8000-memory.dmpFilesize
6.1MB
-
memory/2888-219-0x0000000002110000-0x000000000215B000-memory.dmpFilesize
300KB
-
memory/2888-221-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-206-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-204-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-1115-0x00000000066D0000-0x0000000006892000-memory.dmpFilesize
1.8MB
-
memory/2888-1114-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-1113-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-1112-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-208-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-1111-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-1110-0x0000000006520000-0x0000000006570000-memory.dmpFilesize
320KB
-
memory/2888-1109-0x0000000006490000-0x0000000006506000-memory.dmpFilesize
472KB
-
memory/2888-1108-0x00000000063A0000-0x0000000006432000-memory.dmpFilesize
584KB
-
memory/2888-1106-0x0000000005CF0000-0x0000000005D56000-memory.dmpFilesize
408KB
-
memory/2888-1105-0x0000000005A00000-0x0000000005A3C000-memory.dmpFilesize
240KB
-
memory/2888-1104-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-1103-0x00000000059E0000-0x00000000059F2000-memory.dmpFilesize
72KB
-
memory/2888-223-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-228-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-226-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/2888-218-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-192-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-191-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-194-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-196-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-198-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-200-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-202-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-225-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-1116-0x00000000068A0000-0x0000000006DCC000-memory.dmpFilesize
5.2MB
-
memory/2888-222-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-210-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-212-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-214-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/2888-216-0x0000000002680000-0x00000000026BF000-memory.dmpFilesize
252KB
-
memory/4120-1122-0x00000000008F0000-0x0000000000922000-memory.dmpFilesize
200KB
-
memory/4120-1123-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/5100-181-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/5100-174-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-148-0x0000000004C50000-0x00000000051F4000-memory.dmpFilesize
5.6MB
-
memory/5100-152-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-154-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-186-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/5100-185-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/5100-150-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-184-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/5100-183-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/5100-156-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-180-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/5100-179-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/5100-178-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/5100-177-0x00000000020D0000-0x00000000020FD000-memory.dmpFilesize
180KB
-
memory/5100-176-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-172-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-170-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-168-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-166-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-164-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-149-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-160-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-162-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/5100-158-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB