Overview

overview

10

Static

static

1

fcc4605384...08.exe

windows7-x64

10

fcc4605384...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2023 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe

  • Size

    832KB

  • MD5

    1f84e0b6a95a5fe23d40592f6a6f7554

  • SHA1

    ef9eb5df7f4045d7b004e19986674c2c79dfb0d4

  • SHA256

    fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08

  • SHA512

    181c1ad898d7f8a6bbf6d766d6e6a0bc8d4e4271316ec4eadf6418ae7fd5fcab0e818849932526ff235d77a989649e7d1ee4dd12f0960fb460359ef45bc74736

  • SSDEEP

    12288:SLUZH/VUan5w5mvBedKBlsXopctdTquivPgSwo0Z38ywgmPRI:gyUan5eWo8BlsXoarT7p8p1u

Score
10/10
redlinedownevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 32 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe
    "C:\Users\Admin\AppData\Local\Temp\fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1700
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:812
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe
    Filesize

    409KB

    MD5

    55501ed5af404985f25e1297f961c821

    SHA1

    3f719bec85aba7b5c4ee5b85e7089676a943630b

    SHA256

    2d6433912144cd6dd3525d6ef0c7706a115246a903d54b1c6e3bd3ea4b44d49d

    SHA512

    6d61d2bc593a61d2fbf6a6140bfd6b26c5711c14ffd30508c95b1523cce933cd84df88b2abc182215c36194c578b3bc1ea16bb79408601c0b5d53d99c0152132

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe
    Filesize

    409KB

    MD5

    55501ed5af404985f25e1297f961c821

    SHA1

    3f719bec85aba7b5c4ee5b85e7089676a943630b

    SHA256

    2d6433912144cd6dd3525d6ef0c7706a115246a903d54b1c6e3bd3ea4b44d49d

    SHA512

    6d61d2bc593a61d2fbf6a6140bfd6b26c5711c14ffd30508c95b1523cce933cd84df88b2abc182215c36194c578b3bc1ea16bb79408601c0b5d53d99c0152132

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe
    Filesize

    497KB

    MD5

    9e569c650bc18f128349feee9adf5b31

    SHA1

    32eff4ac619d11ea21700a6e7bf4f37bd9c8acd6

    SHA256

    56b06a9b617cd8fa4b90a631d5721ac40f216a2d6e90d9f4ed65aab0af588807

    SHA512

    c5b564eac8ed32e149d1b6fa4fab7de2899b4542d4096c4c555d4ed59ff42f23383d979d28511d0a99275b0ae7842a8d8cfd360bedf1813e5b549ce190c62f96

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe
    Filesize

    497KB

    MD5

    9e569c650bc18f128349feee9adf5b31

    SHA1

    32eff4ac619d11ea21700a6e7bf4f37bd9c8acd6

    SHA256

    56b06a9b617cd8fa4b90a631d5721ac40f216a2d6e90d9f4ed65aab0af588807

    SHA512

    c5b564eac8ed32e149d1b6fa4fab7de2899b4542d4096c4c555d4ed59ff42f23383d979d28511d0a99275b0ae7842a8d8cfd360bedf1813e5b549ce190c62f96

    Download Submit
  • memory/812-156-0x0000000004D30000-0x00000000052D4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/812-157-0x00000000005D0000-0x000000000061B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/812-158-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-159-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-160-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-161-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-162-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-166-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-164-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-168-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-170-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-172-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-176-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-178-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-180-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-174-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-184-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-182-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-186-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-190-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-192-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-188-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-200-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-198-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-204-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-206-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-202-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-208-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-196-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-194-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-212-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-210-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-216-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-218-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-220-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-222-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-214-0x0000000004C50000-0x0000000004C8E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/812-1067-0x00000000052E0000-0x00000000058F8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/812-1068-0x0000000005900000-0x0000000005A0A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/812-1070-0x0000000005A20000-0x0000000005A32000-memory.dmp
    Filesize

    72KB

    Download
  • memory/812-1071-0x0000000005A40000-0x0000000005A7C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/812-1072-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-1074-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-1075-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-1076-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/812-1078-0x0000000004D20000-0x0000000004D30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1700-149-0x0000000000480000-0x000000000048A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3208-138-0x0000000002200000-0x000000000228B000-memory.dmp
    Filesize

    556KB

    Download
  • memory/3208-150-0x0000000000400000-0x0000000000550000-memory.dmp
    Filesize

    1.3MB

    Download