Analysis
-
max time kernel
45s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
05-04-2023 12:07
General
-
Target
6ef30c9d5d3e48a6f1c9e08b43d22b68.exe
-
Size
677KB
-
MD5
6ef30c9d5d3e48a6f1c9e08b43d22b68
-
SHA1
d6999ce60158f048df94fedcdb01e2b591848fda
-
SHA256
c14a47f25e4a3f032e061a6c9286833c39707fcd05cdcd9cf79903842d069aeb
-
SHA512
d41099602c9659248801e7ef4754292eec0aa382ee09753c3127b8261ff6be701a3016792ca968c73687ba722f571d1bfcdb43e7554e056e3d61a2a0ae5ba6a7
-
SSDEEP
12288:JMrEy90/TI19mPvxD03PMPu42X8gmNe8vwg8IXgePYM4rEpAxtH3:dy/19mPB+MGdUY8vwKgePjVA7X
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 22 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ef30c9d5d3e48a6f1c9e08b43d22b68.exe"C:\Users\Admin\AppData\Local\Temp\6ef30c9d5d3e48a6f1c9e08b43d22b68.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un146947.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un146947.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si796279.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si796279.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si796279.exeFilesize
175KB
MD5bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA2561d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si796279.exeFilesize
175KB
MD5bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA2561d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un146947.exeFilesize
535KB
MD51c4091bf739ffc8f45f4f8d2dea50f9e
SHA1563a222fc0abdb95d76fa58ef73c351eac4b142a
SHA256fcee28f445d00a3f2810383422131c191b365925bf121f31105ee4280caafda4
SHA51241d179671a255c10a2d28d95af6a57f9b2fecb29498a1843d615d42818068a5d5740701e4eab7c160046e120337bc074877d0158725296648452519e19446b40
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un146947.exeFilesize
535KB
MD51c4091bf739ffc8f45f4f8d2dea50f9e
SHA1563a222fc0abdb95d76fa58ef73c351eac4b142a
SHA256fcee28f445d00a3f2810383422131c191b365925bf121f31105ee4280caafda4
SHA51241d179671a255c10a2d28d95af6a57f9b2fecb29498a1843d615d42818068a5d5740701e4eab7c160046e120337bc074877d0158725296648452519e19446b40
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeFilesize
311KB
MD56ea096b2afc0743328e9d132523aa017
SHA1c8bd35e64d8082439deb43730ae8dc6180df7866
SHA2564b04ea79ed8341860e5e8b7fefdff4368ff78d02bb21d405c2f6654026c38458
SHA512d794061490d4668ab0bf3c30d2aa6647e778d76ef987d701c89e04a7b311f2c4a846ecf013cae133585d9d317ff49a88624eb8b5a328ffa920621a83a1c82f02
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeFilesize
311KB
MD56ea096b2afc0743328e9d132523aa017
SHA1c8bd35e64d8082439deb43730ae8dc6180df7866
SHA2564b04ea79ed8341860e5e8b7fefdff4368ff78d02bb21d405c2f6654026c38458
SHA512d794061490d4668ab0bf3c30d2aa6647e778d76ef987d701c89e04a7b311f2c4a846ecf013cae133585d9d317ff49a88624eb8b5a328ffa920621a83a1c82f02
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeFilesize
311KB
MD56ea096b2afc0743328e9d132523aa017
SHA1c8bd35e64d8082439deb43730ae8dc6180df7866
SHA2564b04ea79ed8341860e5e8b7fefdff4368ff78d02bb21d405c2f6654026c38458
SHA512d794061490d4668ab0bf3c30d2aa6647e778d76ef987d701c89e04a7b311f2c4a846ecf013cae133585d9d317ff49a88624eb8b5a328ffa920621a83a1c82f02
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeFilesize
370KB
MD537bc4f4e47510d44307cfba07533b169
SHA1fcb43d0c63bef50af1a941b68fd8edf77d0e1f8e
SHA256a8f031b823d6c135cd9f179fee7c6954183f6a5e95e9c2bcc15a774ea2910e64
SHA512000487d3a767b2949c79bbab10c6a1876eb3ae8919c6e76cd2e649558f68f5305d4144912f36d91d1bf93560aa1be83806d4b95fe04eebe21324ccd427e2f06d
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeFilesize
370KB
MD537bc4f4e47510d44307cfba07533b169
SHA1fcb43d0c63bef50af1a941b68fd8edf77d0e1f8e
SHA256a8f031b823d6c135cd9f179fee7c6954183f6a5e95e9c2bcc15a774ea2910e64
SHA512000487d3a767b2949c79bbab10c6a1876eb3ae8919c6e76cd2e649558f68f5305d4144912f36d91d1bf93560aa1be83806d4b95fe04eebe21324ccd427e2f06d
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeFilesize
370KB
MD537bc4f4e47510d44307cfba07533b169
SHA1fcb43d0c63bef50af1a941b68fd8edf77d0e1f8e
SHA256a8f031b823d6c135cd9f179fee7c6954183f6a5e95e9c2bcc15a774ea2910e64
SHA512000487d3a767b2949c79bbab10c6a1876eb3ae8919c6e76cd2e649558f68f5305d4144912f36d91d1bf93560aa1be83806d4b95fe04eebe21324ccd427e2f06d
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\si796279.exeFilesize
175KB
MD5bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA2561d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\si796279.exeFilesize
175KB
MD5bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA2561d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un146947.exeFilesize
535KB
MD51c4091bf739ffc8f45f4f8d2dea50f9e
SHA1563a222fc0abdb95d76fa58ef73c351eac4b142a
SHA256fcee28f445d00a3f2810383422131c191b365925bf121f31105ee4280caafda4
SHA51241d179671a255c10a2d28d95af6a57f9b2fecb29498a1843d615d42818068a5d5740701e4eab7c160046e120337bc074877d0158725296648452519e19446b40
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\un146947.exeFilesize
535KB
MD51c4091bf739ffc8f45f4f8d2dea50f9e
SHA1563a222fc0abdb95d76fa58ef73c351eac4b142a
SHA256fcee28f445d00a3f2810383422131c191b365925bf121f31105ee4280caafda4
SHA51241d179671a255c10a2d28d95af6a57f9b2fecb29498a1843d615d42818068a5d5740701e4eab7c160046e120337bc074877d0158725296648452519e19446b40
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeFilesize
311KB
MD56ea096b2afc0743328e9d132523aa017
SHA1c8bd35e64d8082439deb43730ae8dc6180df7866
SHA2564b04ea79ed8341860e5e8b7fefdff4368ff78d02bb21d405c2f6654026c38458
SHA512d794061490d4668ab0bf3c30d2aa6647e778d76ef987d701c89e04a7b311f2c4a846ecf013cae133585d9d317ff49a88624eb8b5a328ffa920621a83a1c82f02
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeFilesize
311KB
MD56ea096b2afc0743328e9d132523aa017
SHA1c8bd35e64d8082439deb43730ae8dc6180df7866
SHA2564b04ea79ed8341860e5e8b7fefdff4368ff78d02bb21d405c2f6654026c38458
SHA512d794061490d4668ab0bf3c30d2aa6647e778d76ef987d701c89e04a7b311f2c4a846ecf013cae133585d9d317ff49a88624eb8b5a328ffa920621a83a1c82f02
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4864.exeFilesize
311KB
MD56ea096b2afc0743328e9d132523aa017
SHA1c8bd35e64d8082439deb43730ae8dc6180df7866
SHA2564b04ea79ed8341860e5e8b7fefdff4368ff78d02bb21d405c2f6654026c38458
SHA512d794061490d4668ab0bf3c30d2aa6647e778d76ef987d701c89e04a7b311f2c4a846ecf013cae133585d9d317ff49a88624eb8b5a328ffa920621a83a1c82f02
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeFilesize
370KB
MD537bc4f4e47510d44307cfba07533b169
SHA1fcb43d0c63bef50af1a941b68fd8edf77d0e1f8e
SHA256a8f031b823d6c135cd9f179fee7c6954183f6a5e95e9c2bcc15a774ea2910e64
SHA512000487d3a767b2949c79bbab10c6a1876eb3ae8919c6e76cd2e649558f68f5305d4144912f36d91d1bf93560aa1be83806d4b95fe04eebe21324ccd427e2f06d
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeFilesize
370KB
MD537bc4f4e47510d44307cfba07533b169
SHA1fcb43d0c63bef50af1a941b68fd8edf77d0e1f8e
SHA256a8f031b823d6c135cd9f179fee7c6954183f6a5e95e9c2bcc15a774ea2910e64
SHA512000487d3a767b2949c79bbab10c6a1876eb3ae8919c6e76cd2e649558f68f5305d4144912f36d91d1bf93560aa1be83806d4b95fe04eebe21324ccd427e2f06d
-
\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3258.exeFilesize
370KB
MD537bc4f4e47510d44307cfba07533b169
SHA1fcb43d0c63bef50af1a941b68fd8edf77d0e1f8e
SHA256a8f031b823d6c135cd9f179fee7c6954183f6a5e95e9c2bcc15a774ea2910e64
SHA512000487d3a767b2949c79bbab10c6a1876eb3ae8919c6e76cd2e649558f68f5305d4144912f36d91d1bf93560aa1be83806d4b95fe04eebe21324ccd427e2f06d
-
memory/328-146-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-152-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-1034-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/328-558-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/328-556-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/328-554-0x0000000000240000-0x000000000028B000-memory.dmpFilesize
300KB
-
memory/328-158-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-156-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-154-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-150-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-148-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-144-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-142-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-140-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-138-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-136-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-134-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-132-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-123-0x0000000002440000-0x0000000002486000-memory.dmpFilesize
280KB
-
memory/328-124-0x0000000002480000-0x00000000024C4000-memory.dmpFilesize
272KB
-
memory/328-125-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-126-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-128-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/328-130-0x0000000002480000-0x00000000024BF000-memory.dmpFilesize
252KB
-
memory/524-1043-0x0000000000F00000-0x0000000000F32000-memory.dmpFilesize
200KB
-
memory/524-1044-0x00000000007E0000-0x0000000000820000-memory.dmpFilesize
256KB
-
memory/976-108-0x0000000000250000-0x000000000027D000-memory.dmpFilesize
180KB
-
memory/976-91-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-107-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-97-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-112-0x0000000000400000-0x0000000000802000-memory.dmpFilesize
4.0MB
-
memory/976-83-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-111-0x0000000000400000-0x0000000000802000-memory.dmpFilesize
4.0MB
-
memory/976-110-0x0000000004F00000-0x0000000004F40000-memory.dmpFilesize
256KB
-
memory/976-103-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-109-0x0000000004F00000-0x0000000004F40000-memory.dmpFilesize
256KB
-
memory/976-89-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-93-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-95-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-105-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-99-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-101-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-81-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-80-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-79-0x0000000002240000-0x0000000002258000-memory.dmpFilesize
96KB
-
memory/976-78-0x0000000000850000-0x000000000086A000-memory.dmpFilesize
104KB
-
memory/976-87-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/976-85-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB