Analysis
-
max time kernel
45s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
03/04/2023, 02:10
Static task
static1
Behavioral task
behavioral1
Sample
103ea6eab3c8319c68efe3357bcc5325.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
103ea6eab3c8319c68efe3357bcc5325.exe
Resource
win10v2004-20230221-en
General
-
Target
103ea6eab3c8319c68efe3357bcc5325.exe
-
Size
666KB
-
MD5
103ea6eab3c8319c68efe3357bcc5325
-
SHA1
1efcc6693842eeafc6512a8e54c55258eebfd1cd
-
SHA256
9ad0e30aa9644a1156e04b683dbf5b3c3459e62b3178a36e900352c0428181b3
-
SHA512
47067d9bb7cfe04039dd9dc68ee655aa16ceff10d6ec7295529ea0d55109c0df221eb951119ef643a02b9e5e16aa964bcf8d8296c2ecd846af5054f3583d0cd3
-
SSDEEP
12288:6Mrny90Xqb9ZIEE477gUm8ZaErJcL9he+ArU8Ry/w5xvcr5gt1:ByWqb9dJ8Um8IE9cZg+ArTMw5xEmt1
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection pro3291.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3291.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3291.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3291.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3291.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3291.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
resource yara_rule behavioral1/memory/1012-122-0x00000000023F0000-0x0000000002436000-memory.dmp family_redline behavioral1/memory/1012-123-0x0000000002730000-0x0000000002774000-memory.dmp family_redline behavioral1/memory/1012-124-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-125-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-127-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-129-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-131-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-133-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-135-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-137-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-139-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-141-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-143-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-145-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-147-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-149-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-151-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-153-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-155-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-157-0x0000000002730000-0x000000000276F000-memory.dmp family_redline behavioral1/memory/1012-1033-0x0000000004DA0000-0x0000000004DE0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1804 un299443.exe 296 pro3291.exe 1012 qu9487.exe 1608 si585112.exe -
Loads dropped DLL 10 IoCs
pid Process 836 103ea6eab3c8319c68efe3357bcc5325.exe 1804 un299443.exe 1804 un299443.exe 1804 un299443.exe 296 pro3291.exe 1804 un299443.exe 1804 un299443.exe 1012 qu9487.exe 836 103ea6eab3c8319c68efe3357bcc5325.exe 1608 si585112.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features pro3291.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3291.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 103ea6eab3c8319c68efe3357bcc5325.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce un299443.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un299443.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 103ea6eab3c8319c68efe3357bcc5325.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 296 pro3291.exe 296 pro3291.exe 1012 qu9487.exe 1012 qu9487.exe 1608 si585112.exe 1608 si585112.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 296 pro3291.exe Token: SeDebugPrivilege 1012 qu9487.exe Token: SeDebugPrivilege 1608 si585112.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 836 wrote to memory of 1804 836 103ea6eab3c8319c68efe3357bcc5325.exe 28 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 296 1804 un299443.exe 29 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 1804 wrote to memory of 1012 1804 un299443.exe 30 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32 PID 836 wrote to memory of 1608 836 103ea6eab3c8319c68efe3357bcc5325.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\103ea6eab3c8319c68efe3357bcc5325.exe"C:\Users\Admin\AppData\Local\Temp\103ea6eab3c8319c68efe3357bcc5325.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un299443.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un299443.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3291.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3291.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9487.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9487.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si585112.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si585112.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD5bf7ff324e2c405065bfb283ef9c141c5
SHA1a982b6b3a80c842e77f446e307b6bfcd56d70fb6
SHA256017341e12b2635419a78f7337c60de75a3181e53473fa7538f122c906b231d0b
SHA51294e97860cf92fbceee04b767c8443a02da16b280fa4bb61121279bd4e540903517bb9ad3ecce9eaf544a3d2aa766eee1b66060d1428a8134a1fa29471e57e983
-
Filesize
176KB
MD5bf7ff324e2c405065bfb283ef9c141c5
SHA1a982b6b3a80c842e77f446e307b6bfcd56d70fb6
SHA256017341e12b2635419a78f7337c60de75a3181e53473fa7538f122c906b231d0b
SHA51294e97860cf92fbceee04b767c8443a02da16b280fa4bb61121279bd4e540903517bb9ad3ecce9eaf544a3d2aa766eee1b66060d1428a8134a1fa29471e57e983
-
Filesize
524KB
MD54949aa06d69e20e55aa35f2912326b1d
SHA1caedb333ccac00d96c8df74f6ae44bf6f8b086df
SHA2564fb82c820096c41cd3340042b6725839cdece387419646e14e751fcbec737534
SHA51270b96e9b28d490465aca77b8b93c689a82abaaf7025cf95f8fe3c50b4c135bcb2ebf0343a616b4a39d2c3ca59ffe1841e983556ba7ac62c5a6537584d24964a5
-
Filesize
524KB
MD54949aa06d69e20e55aa35f2912326b1d
SHA1caedb333ccac00d96c8df74f6ae44bf6f8b086df
SHA2564fb82c820096c41cd3340042b6725839cdece387419646e14e751fcbec737534
SHA51270b96e9b28d490465aca77b8b93c689a82abaaf7025cf95f8fe3c50b4c135bcb2ebf0343a616b4a39d2c3ca59ffe1841e983556ba7ac62c5a6537584d24964a5
-
Filesize
294KB
MD566547802da6b11e357e7e2a1bb48d304
SHA1782407a5f57b00bf67f510e8695d25031985e396
SHA256f89177d4fec365309f0eb293ee7372ba3dc35dc67a735619de2737ddc22e4687
SHA512351130a2dc3bf70d7ed5bde9633e8565d777b50cf96e85a922f7fe6a5247de2479b3c496677661354da42404be23fa74ffe9c562733aa9aaf29110e56d8746ba
-
Filesize
294KB
MD566547802da6b11e357e7e2a1bb48d304
SHA1782407a5f57b00bf67f510e8695d25031985e396
SHA256f89177d4fec365309f0eb293ee7372ba3dc35dc67a735619de2737ddc22e4687
SHA512351130a2dc3bf70d7ed5bde9633e8565d777b50cf96e85a922f7fe6a5247de2479b3c496677661354da42404be23fa74ffe9c562733aa9aaf29110e56d8746ba
-
Filesize
294KB
MD566547802da6b11e357e7e2a1bb48d304
SHA1782407a5f57b00bf67f510e8695d25031985e396
SHA256f89177d4fec365309f0eb293ee7372ba3dc35dc67a735619de2737ddc22e4687
SHA512351130a2dc3bf70d7ed5bde9633e8565d777b50cf96e85a922f7fe6a5247de2479b3c496677661354da42404be23fa74ffe9c562733aa9aaf29110e56d8746ba
-
Filesize
352KB
MD5bdc6aac7b75bf992adeb439c731b305a
SHA17164242630013fafc7bcc2196acbb9f83ea32374
SHA256136a124efa2d93c7e24a69c56f6ef051d9dabdfe88fb31b30ac9975b96dfadd2
SHA51203aad9e634ef39d4490162f3b9fd560850471459af0892f084f4eaea343f8aafd3a764410dd24a4acc6659340af3664cb618cd6eed83a737c994b5a544d8ed82
-
Filesize
352KB
MD5bdc6aac7b75bf992adeb439c731b305a
SHA17164242630013fafc7bcc2196acbb9f83ea32374
SHA256136a124efa2d93c7e24a69c56f6ef051d9dabdfe88fb31b30ac9975b96dfadd2
SHA51203aad9e634ef39d4490162f3b9fd560850471459af0892f084f4eaea343f8aafd3a764410dd24a4acc6659340af3664cb618cd6eed83a737c994b5a544d8ed82
-
Filesize
352KB
MD5bdc6aac7b75bf992adeb439c731b305a
SHA17164242630013fafc7bcc2196acbb9f83ea32374
SHA256136a124efa2d93c7e24a69c56f6ef051d9dabdfe88fb31b30ac9975b96dfadd2
SHA51203aad9e634ef39d4490162f3b9fd560850471459af0892f084f4eaea343f8aafd3a764410dd24a4acc6659340af3664cb618cd6eed83a737c994b5a544d8ed82
-
Filesize
176KB
MD5bf7ff324e2c405065bfb283ef9c141c5
SHA1a982b6b3a80c842e77f446e307b6bfcd56d70fb6
SHA256017341e12b2635419a78f7337c60de75a3181e53473fa7538f122c906b231d0b
SHA51294e97860cf92fbceee04b767c8443a02da16b280fa4bb61121279bd4e540903517bb9ad3ecce9eaf544a3d2aa766eee1b66060d1428a8134a1fa29471e57e983
-
Filesize
176KB
MD5bf7ff324e2c405065bfb283ef9c141c5
SHA1a982b6b3a80c842e77f446e307b6bfcd56d70fb6
SHA256017341e12b2635419a78f7337c60de75a3181e53473fa7538f122c906b231d0b
SHA51294e97860cf92fbceee04b767c8443a02da16b280fa4bb61121279bd4e540903517bb9ad3ecce9eaf544a3d2aa766eee1b66060d1428a8134a1fa29471e57e983
-
Filesize
524KB
MD54949aa06d69e20e55aa35f2912326b1d
SHA1caedb333ccac00d96c8df74f6ae44bf6f8b086df
SHA2564fb82c820096c41cd3340042b6725839cdece387419646e14e751fcbec737534
SHA51270b96e9b28d490465aca77b8b93c689a82abaaf7025cf95f8fe3c50b4c135bcb2ebf0343a616b4a39d2c3ca59ffe1841e983556ba7ac62c5a6537584d24964a5
-
Filesize
524KB
MD54949aa06d69e20e55aa35f2912326b1d
SHA1caedb333ccac00d96c8df74f6ae44bf6f8b086df
SHA2564fb82c820096c41cd3340042b6725839cdece387419646e14e751fcbec737534
SHA51270b96e9b28d490465aca77b8b93c689a82abaaf7025cf95f8fe3c50b4c135bcb2ebf0343a616b4a39d2c3ca59ffe1841e983556ba7ac62c5a6537584d24964a5
-
Filesize
294KB
MD566547802da6b11e357e7e2a1bb48d304
SHA1782407a5f57b00bf67f510e8695d25031985e396
SHA256f89177d4fec365309f0eb293ee7372ba3dc35dc67a735619de2737ddc22e4687
SHA512351130a2dc3bf70d7ed5bde9633e8565d777b50cf96e85a922f7fe6a5247de2479b3c496677661354da42404be23fa74ffe9c562733aa9aaf29110e56d8746ba
-
Filesize
294KB
MD566547802da6b11e357e7e2a1bb48d304
SHA1782407a5f57b00bf67f510e8695d25031985e396
SHA256f89177d4fec365309f0eb293ee7372ba3dc35dc67a735619de2737ddc22e4687
SHA512351130a2dc3bf70d7ed5bde9633e8565d777b50cf96e85a922f7fe6a5247de2479b3c496677661354da42404be23fa74ffe9c562733aa9aaf29110e56d8746ba
-
Filesize
294KB
MD566547802da6b11e357e7e2a1bb48d304
SHA1782407a5f57b00bf67f510e8695d25031985e396
SHA256f89177d4fec365309f0eb293ee7372ba3dc35dc67a735619de2737ddc22e4687
SHA512351130a2dc3bf70d7ed5bde9633e8565d777b50cf96e85a922f7fe6a5247de2479b3c496677661354da42404be23fa74ffe9c562733aa9aaf29110e56d8746ba
-
Filesize
352KB
MD5bdc6aac7b75bf992adeb439c731b305a
SHA17164242630013fafc7bcc2196acbb9f83ea32374
SHA256136a124efa2d93c7e24a69c56f6ef051d9dabdfe88fb31b30ac9975b96dfadd2
SHA51203aad9e634ef39d4490162f3b9fd560850471459af0892f084f4eaea343f8aafd3a764410dd24a4acc6659340af3664cb618cd6eed83a737c994b5a544d8ed82
-
Filesize
352KB
MD5bdc6aac7b75bf992adeb439c731b305a
SHA17164242630013fafc7bcc2196acbb9f83ea32374
SHA256136a124efa2d93c7e24a69c56f6ef051d9dabdfe88fb31b30ac9975b96dfadd2
SHA51203aad9e634ef39d4490162f3b9fd560850471459af0892f084f4eaea343f8aafd3a764410dd24a4acc6659340af3664cb618cd6eed83a737c994b5a544d8ed82
-
Filesize
352KB
MD5bdc6aac7b75bf992adeb439c731b305a
SHA17164242630013fafc7bcc2196acbb9f83ea32374
SHA256136a124efa2d93c7e24a69c56f6ef051d9dabdfe88fb31b30ac9975b96dfadd2
SHA51203aad9e634ef39d4490162f3b9fd560850471459af0892f084f4eaea343f8aafd3a764410dd24a4acc6659340af3664cb618cd6eed83a737c994b5a544d8ed82