Analysis
-
max time kernel
85s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
31-03-2023 20:32
General
-
Target
b209a1046658d4ea4f5d77daf73b08f7da429d5b2479a2582d60e17d3aa9f64d.exe
-
Size
672KB
-
MD5
618428ec48a3686c0d414eaffb6c61e6
-
SHA1
e8b9164b87f4e61762e280a7ad34ce94da1767c9
-
SHA256
b209a1046658d4ea4f5d77daf73b08f7da429d5b2479a2582d60e17d3aa9f64d
-
SHA512
d0eb93c6a1753dc33202152604088e75fe169869313c5f6d48054825e15f23e3743dcb9fe8180f2ed60b2f2a51ccc59be99cc8deae7b99a25d3b2c917c97ac61
-
SSDEEP
12288:4Mr8y90abOxyBtQPkiu49WkSd4Gl0NZRLLqw27DhkrRExNBL:kybCx+tQPko9WkSdcZRLGwcDhARGb
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 17 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b209a1046658d4ea4f5d77daf73b08f7da429d5b2479a2582d60e17d3aa9f64d.exe"C:\Users\Admin\AppData\Local\Temp\b209a1046658d4ea4f5d77daf73b08f7da429d5b2479a2582d60e17d3aa9f64d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715875.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715875.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0957.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0957.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 10844⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2719.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2719.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 15404⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si312199.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si312199.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3140 -ip 31401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4508 -ip 45081⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si312199.exeFilesize
175KB
MD50a24c5ce003adc3db1db805d6e9b2504
SHA107f50ba0406dc6c916e669730457ba6758723493
SHA256448925f5acd9bd8a372bc4eb234accdcf2250e7250672675a728d09843cbecbf
SHA5122c1665e7ffe2d8435bcedf73e645b27c3d361b7c36faaca8277a7364bf88269a3b8dca50a9f63e54f7059185516ff7069fee7728df03ccf0415d2cb9ecd9ae9f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si312199.exeFilesize
175KB
MD50a24c5ce003adc3db1db805d6e9b2504
SHA107f50ba0406dc6c916e669730457ba6758723493
SHA256448925f5acd9bd8a372bc4eb234accdcf2250e7250672675a728d09843cbecbf
SHA5122c1665e7ffe2d8435bcedf73e645b27c3d361b7c36faaca8277a7364bf88269a3b8dca50a9f63e54f7059185516ff7069fee7728df03ccf0415d2cb9ecd9ae9f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715875.exeFilesize
530KB
MD5e3c9f9ed58e84802033b3994abad6fc3
SHA122ce33966f3ac174fe87d7d476cf31a2179df7ba
SHA2563f2808e311065dc79b7877bb83b88590b63a9328be95f449cf03dad330938826
SHA512824014613f772ebc8ec9500040bcca860febd9ee7e0ccee87ca3c6fea155f84e5b608f64b4e2faee90442d39dfa9e71c1fa14e08506ada89265b2c55ec63ed1a
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un715875.exeFilesize
530KB
MD5e3c9f9ed58e84802033b3994abad6fc3
SHA122ce33966f3ac174fe87d7d476cf31a2179df7ba
SHA2563f2808e311065dc79b7877bb83b88590b63a9328be95f449cf03dad330938826
SHA512824014613f772ebc8ec9500040bcca860febd9ee7e0ccee87ca3c6fea155f84e5b608f64b4e2faee90442d39dfa9e71c1fa14e08506ada89265b2c55ec63ed1a
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0957.exeFilesize
260KB
MD5458f08e1eab9ef11c4c2f8545073f88a
SHA191a7f8408d9c1a256d5eb935dd89cb402bb4c70f
SHA256fb3048b8823859c4c09e1006db38f8a33520d3800d558a42c4956f062ce5c17d
SHA5123018ce9a3eaaa2ec62baf5d75ae82accef6f1f51c168e24560a300547a01c36681ce954e1aa1c38dcb650d05edbaa73387c39b1ea4da34507fa011614e582d2f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0957.exeFilesize
260KB
MD5458f08e1eab9ef11c4c2f8545073f88a
SHA191a7f8408d9c1a256d5eb935dd89cb402bb4c70f
SHA256fb3048b8823859c4c09e1006db38f8a33520d3800d558a42c4956f062ce5c17d
SHA5123018ce9a3eaaa2ec62baf5d75ae82accef6f1f51c168e24560a300547a01c36681ce954e1aa1c38dcb650d05edbaa73387c39b1ea4da34507fa011614e582d2f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2719.exeFilesize
359KB
MD5b93c989cad926e55db74c5294bebe3f3
SHA1e737ebf14411790990cefccbbf3113a6b5fb6be4
SHA2560b04b7c8afd2bdbc745021e93b105f0000659abc2124a1f629bb9f8b124e06e7
SHA512eb6bf061ecee823650953d6d8d0dbe1f3a2b0d7cf55826bf3c9c10102fb54eeb9db8c1eb53c70c66231816d7c72b2409468f436f8e8c5a76c7d2aa3e2e711ff7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2719.exeFilesize
359KB
MD5b93c989cad926e55db74c5294bebe3f3
SHA1e737ebf14411790990cefccbbf3113a6b5fb6be4
SHA2560b04b7c8afd2bdbc745021e93b105f0000659abc2124a1f629bb9f8b124e06e7
SHA512eb6bf061ecee823650953d6d8d0dbe1f3a2b0d7cf55826bf3c9c10102fb54eeb9db8c1eb53c70c66231816d7c72b2409468f436f8e8c5a76c7d2aa3e2e711ff7
-
memory/1740-1124-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/1740-1123-0x0000000000040000-0x0000000000072000-memory.dmpFilesize
200KB
-
memory/3140-158-0x0000000004B60000-0x0000000004B70000-memory.dmpFilesize
64KB
-
memory/3140-170-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-151-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-152-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-154-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-156-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-149-0x0000000004B60000-0x0000000004B70000-memory.dmpFilesize
64KB
-
memory/3140-160-0x0000000004B60000-0x0000000004B70000-memory.dmpFilesize
64KB
-
memory/3140-162-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-159-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-164-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-166-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-168-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-150-0x0000000004B70000-0x0000000005114000-memory.dmpFilesize
5.6MB
-
memory/3140-172-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-174-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-176-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-178-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-180-0x00000000025D0000-0x00000000025E2000-memory.dmpFilesize
72KB
-
memory/3140-181-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/3140-182-0x0000000004B60000-0x0000000004B70000-memory.dmpFilesize
64KB
-
memory/3140-183-0x0000000004B60000-0x0000000004B70000-memory.dmpFilesize
64KB
-
memory/3140-184-0x0000000004B60000-0x0000000004B70000-memory.dmpFilesize
64KB
-
memory/3140-186-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/3140-148-0x0000000000620000-0x000000000064D000-memory.dmpFilesize
180KB
-
memory/4508-193-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-195-0x0000000001D90000-0x0000000001DDB000-memory.dmpFilesize
300KB
-
memory/4508-199-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-197-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-196-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-200-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-203-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-202-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-205-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-207-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-209-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-211-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-213-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-215-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-217-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-219-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-221-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-223-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-225-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-227-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-1102-0x0000000006700000-0x0000000006D18000-memory.dmpFilesize
6.1MB
-
memory/4508-1103-0x0000000006DA0000-0x0000000006EAA000-memory.dmpFilesize
1.0MB
-
memory/4508-1104-0x0000000006EE0000-0x0000000006EF2000-memory.dmpFilesize
72KB
-
memory/4508-1105-0x0000000006F00000-0x0000000006F3C000-memory.dmpFilesize
240KB
-
memory/4508-1106-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-1108-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-1109-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-1110-0x00000000071F0000-0x0000000007282000-memory.dmpFilesize
584KB
-
memory/4508-1111-0x0000000006110000-0x0000000006120000-memory.dmpFilesize
64KB
-
memory/4508-1112-0x0000000007290000-0x00000000072F6000-memory.dmpFilesize
408KB
-
memory/4508-1113-0x00000000079C0000-0x0000000007B82000-memory.dmpFilesize
1.8MB
-
memory/4508-192-0x00000000060A0000-0x00000000060DF000-memory.dmpFilesize
252KB
-
memory/4508-1114-0x0000000007B90000-0x00000000080BC000-memory.dmpFilesize
5.2MB
-
memory/4508-1116-0x00000000082F0000-0x0000000008366000-memory.dmpFilesize
472KB
-
memory/4508-1117-0x0000000008380000-0x00000000083D0000-memory.dmpFilesize
320KB