Analysis
max time kernel: 137s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2023 08:37
Static task: static1
Behavioral task: behavioral1
Sample: 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe
Resource: win10v2004-20230221-en
General
Target: 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe
Size: 659KB
MD5: 858d004d1b9b856f706a0d97fbb9d0ab
SHA1: 350a2913035e977c1453d5787370236029834408
SHA256: 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05
SHA512: 55309767f7bf668ef76a409bbc93d00c5e80ba40d891bc2356050f25a471c87379248968dc72ad0596c630e7f71040d0cc7e8bfb108742059ed6645327e61990
SSDEEP: 12288:QMrqy90tMPJme/yD1sV+hkpQHd9wCVaoNPHixeFBlRLZeaOKeUw7ZeS+:qyVJmPCU6pQHd9UqHixeFX5OKep7V+
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures
Modifies Windows Defender Real-time Protection settings (signature name taken from the process tree below)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro8097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro8097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro8097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro8097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro8097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro8097.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/5040-191-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-192-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-194-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-196-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-198-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-200-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-202-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-204-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-206-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-208-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-210-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-212-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-214-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-216-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-218-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-222-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-226-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
behavioral1/memory/5040-228-0x0000000002A80000-0x0000000002ABF000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
1708 | un580426.exe
868 | pro8097.exe
5040 | qu9436.exe
4320 | si611358.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification (signature name taken from the process tree below)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro8097.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro8097.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un580426.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un580426.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1308 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
5072 | 868 | WerFault.exe | 77
2712 | 5040 | WerFault.exe | 86
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
868 | pro8097.exe
868 | pro8097.exe
5040 | qu9436.exe
5040 | qu9436.exe
4320 | si611358.exe
4320 | si611358.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 868 | pro8097.exe
Token: SeDebugPrivilege | 5040 | qu9436.exe
Token: SeDebugPrivilege | 4320 | si611358.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4104 wrote to memory of 1708 | 4104 | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe | 76
PID 4104 wrote to memory of 1708 | 4104 | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe | 76
PID 4104 wrote to memory of 1708 | 4104 | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe | 76
PID 1708 wrote to memory of 868 | 1708 | un580426.exe | 77
PID 1708 wrote to memory of 868 | 1708 | un580426.exe | 77
PID 1708 wrote to memory of 868 | 1708 | un580426.exe | 77
PID 1708 wrote to memory of 5040 | 1708 | un580426.exe | 86
PID 1708 wrote to memory of 5040 | 1708 | un580426.exe | 86
PID 1708 wrote to memory of 5040 | 1708 | un580426.exe | 86
PID 4104 wrote to memory of 4320 | 4104 | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe | 91
PID 4104 wrote to memory of 4320 | 4104 | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe | 91
PID 4104 wrote to memory of 4320 | 4104 | 9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe (depth 1, PID 4104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c55b7c731c3bf85b78a85cbdc06e4f7899572f76c10cb24d67e32660bfe3d05.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un580426.exe (depth 2, PID 1708)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un580426.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8097.exe (depth 3, PID 868)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8097.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 5072)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1080
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9436.exe (depth 3, PID 5040)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9436.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 2712)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1948
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si611358.exe (depth 2, PID 4320)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si611358.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 796)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 868 -ip 868
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 5024)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5040 -ip 5040
C:\Windows\system32\sc.exe (depth 1, PID 1308)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 176KB
MD5: b9b31e723583035633294169a7c114f4
SHA1: 81fc639a1a056bb99e1253e122e5d8116cd7e36b
SHA256: 223b50264cfd52440a77c9edc843418fc2a0d6d6f2b407711542d2bd03c75d87
SHA512: 9ed4b45ff4cdd30b54ae01210f22d2f98d195220300ce2028f6d4a80ce7f26be252dabad0ae478ecfe67ff598f3dc0ddde65240bb0531ebba87e32b5ecf0ed69
Filesize: 517KB
MD5: be1967d55398afbf4563b6f0c31985d9
SHA1: d715d2608409cd8f9a2dcebb3cf0c66344113999
SHA256: 2b0df1e353a80274e83e7e1326a0db2ce0073d58611e8d8b47018729cc6a7e16
SHA512: de6f3d5c7a5e0d811ae1652a9698931f79c7066d7eba8bd970871a751faae3bbe69a766cf3ad33364eec4bd7fb4de06962430bbed712504a7df6bc84c400f3d1
Filesize: 295KB
MD5: ba3c4c11cbe3bba85038223da43424f9
SHA1: 4771246c35f4286e5f3be14d20931f04959ab882
SHA256: 0838703b9438f7d1712a67d96b3d6664387f87d925f1d126826745e8b49c604f
SHA512: 25bd1a9f6193d9f74bb58be7d95f36311667342fc7488f898fea444e109c28b3d1d883508c24f83e7f4fb567c46eb06853bb00ad5da12e6ccdf44ec974544f92
Filesize: 353KB
MD5: f06316fe91f2f828cca8ac13a055e09c
SHA1: 13f63d26ddefd1a6fff113bd7018088634e9f014
SHA256: 041b851de47c3608e1a9266770718ac5c8b4ce235edf9ef627fadcf205445ad8
SHA512: fbae5c3ac68f97dd4a586ff2e17130e731966888b91427a308ae57af4ed62b34b748c6ae3d139719677121e9474b542e3fbb8686d618e9a6714069fec9d37755