Analysis
-
max time kernel
61s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-04-2023 18:56
General
-
Target
23b1389e0bc1950937eac0ef9d351c4d070dee12c4a9e01ca44a6f3184ce4811.exe
-
Size
660KB
-
MD5
cf08b08ebb0393723b58889f050abd38
-
SHA1
f907515d24da608ffe418b15483a5034af0d3383
-
SHA256
23b1389e0bc1950937eac0ef9d351c4d070dee12c4a9e01ca44a6f3184ce4811
-
SHA512
cbdb928e3ef94d1c916dfe14ab649cb64a1b6c2ade676c1b87ed9640c7be50e52d655dca098c159471de4160a5fa8ef5f2bf30abb3a17e4727a795edf80f63ad
-
SSDEEP
12288:tMr4y90yRdkGa/U0CbCKjYW43lF+qf57+rUKc18qRBqZSIpm+fl6TW3ds6kE0Uti:5y/OpsjjYXVx+rwRDIplsTW3X/0Uti
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 17 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\23b1389e0bc1950937eac0ef9d351c4d070dee12c4a9e01ca44a6f3184ce4811.exe"C:\Users\Admin\AppData\Local\Temp\23b1389e0bc1950937eac0ef9d351c4d070dee12c4a9e01ca44a6f3184ce4811.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378143.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378143.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0319.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0319.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 19364⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si990286.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si990286.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2932 -ip 29321⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si990286.exeFilesize
175KB
MD5dac40aba5c320f4a99a88f7224ee9a4d
SHA1932a382f01b67be32988de391a57179c9960ccaf
SHA2565d1a8316c55b3a27ee5e654b1851dce937dedff7858a8c3e1b291bfaff15ead8
SHA512e8cff01f2020500d6ac28a6ae0bfc5199a9d00950ca9a85744ae775db6edabc96d3f05f88ae266a70d3ea8e496ed644b2c507f4274a1f2bb4c562245344051a2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si990286.exeFilesize
175KB
MD5dac40aba5c320f4a99a88f7224ee9a4d
SHA1932a382f01b67be32988de391a57179c9960ccaf
SHA2565d1a8316c55b3a27ee5e654b1851dce937dedff7858a8c3e1b291bfaff15ead8
SHA512e8cff01f2020500d6ac28a6ae0bfc5199a9d00950ca9a85744ae775db6edabc96d3f05f88ae266a70d3ea8e496ed644b2c507f4274a1f2bb4c562245344051a2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378143.exeFilesize
518KB
MD5575b47155139a932d609391d7c10e9b8
SHA126710b54a5e59354a06f7b8f8e64a5702c84716e
SHA256495e0c48254fb71ad939c2afb9d860b277a43bee5405c176abbfbba2763a6c1c
SHA512fba554484183a1223f827575d7303829b1c1da45314cdb7d8409ad3dc968ea0d282c19b0ed36c888c6c6eea318b34387e5141e6201c6a6d451cdd0542374738b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un378143.exeFilesize
518KB
MD5575b47155139a932d609391d7c10e9b8
SHA126710b54a5e59354a06f7b8f8e64a5702c84716e
SHA256495e0c48254fb71ad939c2afb9d860b277a43bee5405c176abbfbba2763a6c1c
SHA512fba554484183a1223f827575d7303829b1c1da45314cdb7d8409ad3dc968ea0d282c19b0ed36c888c6c6eea318b34387e5141e6201c6a6d451cdd0542374738b
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exeFilesize
237KB
MD5e6023532f06b4cad6c9e9eaf317dea64
SHA10104cde5fb6a8f630e6f3167598d40e8eda0a8fd
SHA2564283a583ae963e1538c57e0641c849e127dfba8fbe71ac268b826cd512e68dec
SHA51268185a7614f460872004fe02f209132df694cf6ac3cadf62bab9325b739c4c19bd3b6fd84b33de83bb60e10061d9cca9912860e4b8d62a32dc8044a9fc957be2
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exeFilesize
237KB
MD5e6023532f06b4cad6c9e9eaf317dea64
SHA10104cde5fb6a8f630e6f3167598d40e8eda0a8fd
SHA2564283a583ae963e1538c57e0641c849e127dfba8fbe71ac268b826cd512e68dec
SHA51268185a7614f460872004fe02f209132df694cf6ac3cadf62bab9325b739c4c19bd3b6fd84b33de83bb60e10061d9cca9912860e4b8d62a32dc8044a9fc957be2
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8454.exeFilesize
237KB
MD5e6023532f06b4cad6c9e9eaf317dea64
SHA10104cde5fb6a8f630e6f3167598d40e8eda0a8fd
SHA2564283a583ae963e1538c57e0641c849e127dfba8fbe71ac268b826cd512e68dec
SHA51268185a7614f460872004fe02f209132df694cf6ac3cadf62bab9325b739c4c19bd3b6fd84b33de83bb60e10061d9cca9912860e4b8d62a32dc8044a9fc957be2
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0319.exeFilesize
294KB
MD5a9572d31fbfc5a1bdaa77868e517b1ae
SHA11625afaa3457e428bd48e4ee093d0c56dcc21db3
SHA256e5408d90308cf69c711c6d6ef90bc926a31ad3850d505511033b2f8661930533
SHA51280bbc014fe8e7558c6417e9a220567c381f23ff484cf13b5f28f1948af803928d3287daeed59b2545e2df23cb7705f04a779fd573534bee597d031cc977408c1
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0319.exeFilesize
294KB
MD5a9572d31fbfc5a1bdaa77868e517b1ae
SHA11625afaa3457e428bd48e4ee093d0c56dcc21db3
SHA256e5408d90308cf69c711c6d6ef90bc926a31ad3850d505511033b2f8661930533
SHA51280bbc014fe8e7558c6417e9a220567c381f23ff484cf13b5f28f1948af803928d3287daeed59b2545e2df23cb7705f04a779fd573534bee597d031cc977408c1
-
memory/2168-1111-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/2168-1107-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-156-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-151-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-161-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-1118-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-166-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-162-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-1112-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/2168-200-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-171-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-1108-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/2168-173-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/2168-152-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2168-220-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-177-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-216-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-212-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-182-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/2168-183-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-186-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/2168-188-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-208-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-204-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-193-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-196-0x0000000002520000-0x0000000002532000-memory.dmpFilesize
72KB
-
memory/2168-148-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2932-192-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-1104-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/2932-201-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-184-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-189-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-205-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-209-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-172-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-213-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-217-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-176-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/2932-179-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/2932-221-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-223-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-225-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-1100-0x0000000005200000-0x0000000005818000-memory.dmpFilesize
6.1MB
-
memory/2932-1101-0x00000000058A0000-0x00000000059AA000-memory.dmpFilesize
1.0MB
-
memory/2932-1102-0x00000000059E0000-0x00000000059F2000-memory.dmpFilesize
72KB
-
memory/2932-1103-0x0000000005A40000-0x0000000005A7C000-memory.dmpFilesize
240KB
-
memory/2932-197-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-178-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-170-0x0000000000640000-0x000000000068B000-memory.dmpFilesize
300KB
-
memory/2932-1109-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/2932-1110-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/2932-167-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-160-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-1113-0x0000000005CF0000-0x0000000005D82000-memory.dmpFilesize
584KB
-
memory/2932-1114-0x0000000005D90000-0x0000000005DF6000-memory.dmpFilesize
408KB
-
memory/2932-163-0x0000000004AA0000-0x0000000004ADF000-memory.dmpFilesize
252KB
-
memory/2932-1119-0x00000000065B0000-0x0000000006772000-memory.dmpFilesize
1.8MB
-
memory/2932-1120-0x0000000006790000-0x0000000006CBC000-memory.dmpFilesize
5.2MB
-
memory/2932-1121-0x0000000007000000-0x0000000007076000-memory.dmpFilesize
472KB
-
memory/2932-1122-0x0000000007080000-0x00000000070D0000-memory.dmpFilesize
320KB
-
memory/2932-1123-0x0000000004C40000-0x0000000004C50000-memory.dmpFilesize
64KB
-
memory/2932-159-0x0000000004C50000-0x00000000051F4000-memory.dmpFilesize
5.6MB
-
memory/3920-1129-0x0000000000950000-0x0000000000982000-memory.dmpFilesize
200KB
-
memory/3920-1130-0x00000000051F0000-0x0000000005200000-memory.dmpFilesize
64KB
-
memory/4340-150-0x0000000002100000-0x000000000212E000-memory.dmpFilesize
184KB