Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2023, 01:05
Static task
static1
Behavioral task
behavioral1
Sample
f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe
Resource
win10v2004-20230220-en
General
-
Target
f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe
-
Size
666KB
-
MD5
bcb8de9e53fa651a77a1104f0420c317
-
SHA1
9ba2d1ec13ccb53b3dfd27c218a89c1d1b337e64
-
SHA256
f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711
-
SHA512
ebb46d95e9c9a3c85073d28d81897529d29ca89a4e45cdf02b2d91d69a68a29b22da3fe4334660d191428a864015dc561a51779edef19c57ce50d10231e8ade6
-
SSDEEP
12288:aMrGy90+myg0N6OdJsddju4OviXgHAXNrUvpY/w4vIe+2reOp:AyRwa4OviXgg9rI2wD2rnp
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro2884.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro2884.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro2884.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro2884.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro2884.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro2884.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/2768-192-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-191-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-194-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-196-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-198-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-200-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-202-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-204-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-206-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-208-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-210-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-212-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-214-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-216-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-218-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-220-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-222-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline behavioral1/memory/2768-224-0x00000000053A0000-0x00000000053DF000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1120 un082371.exe 3788 pro2884.exe 2768 qu0407.exe 2988 si345831.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro2884.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro2884.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un082371.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un082371.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 2428 3788 WerFault.exe 85 1412 2768 WerFault.exe 93 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3788 pro2884.exe 3788 pro2884.exe 2768 qu0407.exe 2768 qu0407.exe 2988 si345831.exe 2988 si345831.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3788 pro2884.exe Token: SeDebugPrivilege 2768 qu0407.exe Token: SeDebugPrivilege 2988 si345831.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3304 wrote to memory of 1120 3304 f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe 84 PID 3304 wrote to memory of 1120 3304 f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe 84 PID 3304 wrote to memory of 1120 3304 f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe 84 PID 1120 wrote to memory of 3788 1120 un082371.exe 85 PID 1120 wrote to memory of 3788 1120 un082371.exe 85 PID 1120 wrote to memory of 3788 1120 un082371.exe 85 PID 1120 wrote to memory of 2768 1120 un082371.exe 93 PID 1120 wrote to memory of 2768 1120 un082371.exe 93 PID 1120 wrote to memory of 2768 1120 un082371.exe 93 PID 3304 wrote to memory of 2988 3304 f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe 97 PID 3304 wrote to memory of 2988 3304 f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe 97 PID 3304 wrote to memory of 2988 3304 f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe"C:\Users\Admin\AppData\Local\Temp\f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082371.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082371.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2884.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2884.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 10804⤵
- Program crash
PID:2428
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0407.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0407.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 13284⤵
- Program crash
PID:1412
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si345831.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si345831.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3788 -ip 37881⤵PID:2916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 27681⤵PID:2432
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD579c77455f002df32fb5ecf8549d6ebf8
SHA1791a93215112411a65b3a4ce651ac073819040fa
SHA25618a6f03c7760ae34810aa01bb9828a28020ccba84e2b000f7bd01b4a72a35461
SHA512e5b527185fee35d92892dffe81007d3d9b7928c7f1d27240098f9fb639ddc1d6c513a2dda484fe476b98e11e77e7120c7eb0670dce3a387437fe7d4a4611e9d7
-
Filesize
176KB
MD579c77455f002df32fb5ecf8549d6ebf8
SHA1791a93215112411a65b3a4ce651ac073819040fa
SHA25618a6f03c7760ae34810aa01bb9828a28020ccba84e2b000f7bd01b4a72a35461
SHA512e5b527185fee35d92892dffe81007d3d9b7928c7f1d27240098f9fb639ddc1d6c513a2dda484fe476b98e11e77e7120c7eb0670dce3a387437fe7d4a4611e9d7
-
Filesize
524KB
MD5ff2c268599a3ee0975c42ee22e07efcf
SHA1b0c1e8fcd80d5d953111c4ed0674b254ac7001b9
SHA256b4e5dbe0a345234aab21163cde531585f6c55e35b0e4d33d0c249b3bafd434de
SHA5124786cb558ffffb548bee46818eb5ba0b2d3d2a78cc52fa879da1291591f6d85965449c15a2afe6f53c0abb860f899c5bd2be626e96ff96bc1f4169831525604a
-
Filesize
524KB
MD5ff2c268599a3ee0975c42ee22e07efcf
SHA1b0c1e8fcd80d5d953111c4ed0674b254ac7001b9
SHA256b4e5dbe0a345234aab21163cde531585f6c55e35b0e4d33d0c249b3bafd434de
SHA5124786cb558ffffb548bee46818eb5ba0b2d3d2a78cc52fa879da1291591f6d85965449c15a2afe6f53c0abb860f899c5bd2be626e96ff96bc1f4169831525604a
-
Filesize
294KB
MD5f82c074ef1ed4a02767be5a173e6dfb6
SHA17e2257f1cdd60a3aa30756c8deb1cbd4b9c45826
SHA25610021ca64ec82bd15e75f64c3d1b45e9f4d90abcfe939ecde9c0f48087bf4d76
SHA5123bf322ed01fabf065d4789ab97f30268c1ce1fb9b69eb0eeff9d4d7ab6aa464ef318ed5388d6be548463826c049851458c3c4c0b2b86d2b634c86d667f916854
-
Filesize
294KB
MD5f82c074ef1ed4a02767be5a173e6dfb6
SHA17e2257f1cdd60a3aa30756c8deb1cbd4b9c45826
SHA25610021ca64ec82bd15e75f64c3d1b45e9f4d90abcfe939ecde9c0f48087bf4d76
SHA5123bf322ed01fabf065d4789ab97f30268c1ce1fb9b69eb0eeff9d4d7ab6aa464ef318ed5388d6be548463826c049851458c3c4c0b2b86d2b634c86d667f916854
-
Filesize
352KB
MD579fc02ff25d2998104346f2f62826810
SHA1c6e5f02638a236d9b86435ef862f40f8e8c09b18
SHA2562223e1416f13c027df7d0e776ef38752233dd95db6896a37846a45b5455297f3
SHA5125cb5f23ee40672321268e0a46c1b2f8fbfbcbf042ab7495b6ac9d9301984ca4a74c856fd8e0d7a302916ad36058347af2f096c5d5d2c99d5bb2d2e67c1cd2362
-
Filesize
352KB
MD579fc02ff25d2998104346f2f62826810
SHA1c6e5f02638a236d9b86435ef862f40f8e8c09b18
SHA2562223e1416f13c027df7d0e776ef38752233dd95db6896a37846a45b5455297f3
SHA5125cb5f23ee40672321268e0a46c1b2f8fbfbcbf042ab7495b6ac9d9301984ca4a74c856fd8e0d7a302916ad36058347af2f096c5d5d2c99d5bb2d2e67c1cd2362