Analysis
max time kernel: 142s
max time network: 108s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 13-04-2023 21:57
Static task: static1
General
Target: f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe
Size: 962KB
MD5: 6be6617f918562b60f1d64c23bc10e8a
SHA1: 4511087a981823bb5e56eedbcfdf00803be7b662
SHA256: f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5
SHA512: e06dda8e498b4d3cf456862d898279f23a5622a3f8ad03eaa7835a8d4276c0db1bc5ff7b3c29474f0a209143187835f76e7bd642103a2f7c3c4e8678a72c5f92
SSDEEP: 24576:WyVGRTOFcmq7dNeECWKZjWD0HsbkmXwHoS:lFJUNenZjJIR
Malware Config
Two RedLine configurations were extracted. They share one C2 endpoint but carry different botnet IDs and auth values, which is consistent with the bundle carrying two separate RedLine payloads rather than one payload contacted twice.

Extracted: redline
Botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted: redline
Botnet: disa
C2: 185.161.248.90:4125
auth_value: 93f8c4ca7000e3381dd4b6b86434de05
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
All five writes are made by it217569.exe under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and set the value to 1, i.e. each one turns a real-time protection feature off via the policy hive:
- Set value (int) ...\Real-Time Protection\DisableBehaviorMonitoring = "1" it217569.exe
- Set value (int) ...\Real-Time Protection\DisableIOAVProtection = "1" it217569.exe
- Set value (int) ...\Real-Time Protection\DisableOnAccessProtection = "1" it217569.exe
- Set value (int) ...\Real-Time Protection\DisableRealtimeMonitoring = "1" it217569.exe
- Set value (int) ...\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it217569.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 7 IoCs
- 4116 ziNO2997.exe
- 3324 zitS3185.exe
- 2552 it217569.exe
- 1004 jr401404.exe
- 1176 1.exe
- 3940 kp665005.exe
- 4916 lr584961.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
Unlike the policy writes above, this one targets Defender's own feature state rather than a policy, setting Tamper Protection itself to 0:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it217569.exe
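The five Real-Time Protection policy writes and the TamperProtection write reduce to one rule: a registry write that sets a Defender protection toggle to its "off" value. The Python below is an added example for this page, not code from the report or from any sandbox. It parses "Set value" rows in the format this report prints, takes the six rows above as input plus one constructed benign row (the same value name written back to 0 by a hypothetical gpupdate.exe), and returns only the writes that weaken Defender. The key suffixes and "off" values in WEAKENING are assumptions drawn from the rows on this page, not a complete list of Defender settings.

```python
import re
from dataclasses import dataclass

# Registry "Set value" rows copied from this report (writer process is the
# last column). The final row is a constructed control: the same value name
# written back to 0 by a hypothetical policy refresh, which must not be flagged.
REPORT_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it217569.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it217569.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it217569.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it217569.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it217569.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it217569.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',  # constructed
]

# Key suffix (matched case-insensitively) -> {value name: value that turns the
# protection off}. Assumed from the rows on this page; extend for other toggles.
WEAKENING = {
    r"\policies\microsoft\windows defender\real-time protection": {
        "disablebehaviormonitoring": "1",
        "disableioavprotection": "1",
        "disableonaccessprotection": "1",
        "disablerealtimemonitoring": "1",
        "disablescanonrealtimeenable": "1",
    },
    r"\microsoft\windows defender\features": {"tamperprotection": "0"},
}

# Set value (<type>) <key path>\<value name> = "<data>" <writer process>
ROW = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')


@dataclass(frozen=True)
class RegWrite:
    kind: str
    key: str
    name: str
    value: str
    process: str


def parse_row(row: str):
    """Turn one sandbox 'Set value' row into a RegWrite, or None if it is not one."""
    m = ROW.match(row)
    if not m:
        return None
    kind, path, value, process = m.groups()
    key, _, name = path.rpartition("\\")
    return RegWrite(kind, key, name, value, process)


def is_weakening(w: RegWrite) -> bool:
    """True when the write sets a known Defender toggle to its 'off' value."""
    key, name = w.key.lower(), w.name.lower()
    return any(key.endswith(suffix) and values.get(name) == w.value
               for suffix, values in WEAKENING.items())


def triage(rows):
    """Return the subset of rows that weaken Defender, as RegWrite records."""
    writes = filter(None, (parse_row(r) for r in rows))
    return [w for w in writes if is_weakening(w)]


if __name__ == "__main__":
    for w in triage(REPORT_EVENTS):
        print(f"{w.process}: {w.name} = {w.value}  ({w.key})")
```

Two caveats when turning this into a host detection: match on the write attempt (registry set-value telemetry), not on the resulting state, because on a host with Tamper Protection enabled these writes are ignored or reverted and the attempt is the only evidence; and treat the Policies hive and the Features key separately, since the former is legitimately written by Group Policy and the latter should not be written by anything but Defender itself.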
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
The six IoCs are HKLM RunOnce entries named wextract_cleanupN whose data runs advpack.dll,DelNodeRunDLL32 against an IXP00N.TMP directory. That is the cleanup the Windows wextract (IExpress) self-extractor registers to delete its own extraction directory at next logon: it identifies each of the three outer stages as a wextract package and is a one-shot delete, not persistence for the payload. Writing HKLM\...\RunOnce requires administrative rights, so the sample ran elevated in this sandbox.
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziNO2997.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziNO2997.exe
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zitS3185.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" zitS3185.exe
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe
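For a responder the practical consequence of those RunOnce values is that the staged executables under %TEMP%\IXP00N.TMP vanish at the next logon. The Python below is an added example for this page, not code from the report or from any sandbox: it takes the three RunOnce values from this page with the report's quoting undone, plus one constructed unrelated RunOnce entry that must not be reported, extracts the directories queued for deletion, and then splits the dropped images listed in the Processes section into those that will be wiped and those that survive the cleanup. The "VendorSetup" entry and its path are invented for the control case.

```python
import re

# RunOnce entries: value name -> (writer process, data as the raw registry
# string). The first three are from this report; "VendorSetup" is constructed.
RUNONCE = {
    "wextract_cleanup0": ("f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe",
                          r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    "wextract_cleanup1": ("ziNO2997.exe",
                          r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    "wextract_cleanup2": ("zitS3185.exe",
                          r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    "VendorSetup": ("setup.exe", r'C:\Program Files\Vendor\setup.exe /finish'),  # constructed control
}

# Dropped images, copied from the process tree in this report.
DROPPED_IMAGES = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2997.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr584961.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitS3185.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp665005.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it217569.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr401404.exe",
    r"C:\Windows\Temp\1.exe",
]

# advpack.dll!DelNodeRunDLL32 deletes the directory passed as its argument.
DELNODE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def scheduled_deletions(runonce):
    """Return [(value_name, writer, directory)] for every RunOnce entry that will
    delete a directory at next logon, ordered by cleanup index (0 = outermost stage)."""
    out = []
    for name, (writer, data) in runonce.items():
        m = DELNODE.search(data)
        if m:
            out.append((name, writer, m.group(1).rstrip("\\")))
    return sorted(out)


def volatile_artifacts(images, deletions):
    """Split dropped files into those inside a directory scheduled for deletion
    (collect before reboot) and those that survive the wextract cleanup."""
    doomed = [d.lower() + "\\" for _, _, d in deletions]
    volatile, persistent = [], []
    for img in images:
        bucket = volatile if any(img.lower().startswith(d) for d in doomed) else persistent
        bucket.append(img)
    return volatile, persistent


if __name__ == "__main__":
    dels = scheduled_deletions(RUNONCE)
    for name, writer, directory in dels:
        print(f"{name} (written by {writer}) will delete {directory}")
    gone, kept = volatile_artifacts(DROPPED_IMAGES, dels)
    print("collect before reboot:", *gone, sep="\n  ")
    print("survives cleanup:", *kept, sep="\n  ")
```

The split matters for triage order: six of the seven dropped executables live in IXP00N.TMP and are gone after a logon, while C:\Windows\Temp\1.exe is written outside the self-extractor's directories and is not touched by these entries.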
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a stealer such as RedLine, drive enumeration is more plausibly part of locating files and wallets to collect, so do not read the label as evidence of encryption activity.
Program crash 7 IoCs
All seven WerFault.exe instances report on the same target, PID 4916 (lr584961.exe, parent id 73). Seven consecutive crash reports against one process mean lr584961.exe repeatedly faulted and does not appear to have run to completion in this environment.
- 4308 WerFault.exe, pid_target 4916, procid_target 73
- 2296 WerFault.exe, pid_target 4916, procid_target 73
- 2616 WerFault.exe, pid_target 4916, procid_target 73
- 2444 WerFault.exe, pid_target 4916, procid_target 73
- 2904 WerFault.exe, pid_target 4916, procid_target 73
- 2428 WerFault.exe, pid_target 4916, procid_target 73
- 4032 WerFault.exe, pid_target 4916, procid_target 73
Suspicious behavior: EnumeratesProcesses 6 IoCs
- 2552 it217569.exe (2 events)
- 3940 kp665005.exe (2 events)
- 1176 1.exe (2 events)
Suspicious use of AdjustPrivilegeToken 4 IoCs
All four enable SeDebugPrivilege, the token privilege that lets a process open other processes with full access; it is the usual prerequisite for process injection and for reading another process's memory.
- Token: SeDebugPrivilege 2552 it217569.exe
- Token: SeDebugPrivilege 1004 jr401404.exe
- Token: SeDebugPrivilege 1176 1.exe
- Token: SeDebugPrivilege 3940 kp665005.exe
Suspicious use of WriteProcessMemory 20 IoCs
The sandbox logs one row per call, so a parent that creates a child appears two or three times for the same child. Collapsed to parent -> child, with procid_target in brackets and the call count in parentheses, the rows mirror the parent/child relationships in the process tree below:
- 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe -> 4116 ziNO2997.exe [66] (3)
- 4116 ziNO2997.exe -> 3324 zitS3185.exe [67] (3)
- 3324 zitS3185.exe -> 2552 it217569.exe [68] (2)
- 3324 zitS3185.exe -> 1004 jr401404.exe [69] (3)
- 1004 jr401404.exe -> 1176 1.exe [70] (3)
- 4116 ziNO2997.exe -> 3940 kp665005.exe [71] (3)
- 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe -> 4916 lr584961.exe [73] (3)
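Each "PID A wrote to memory of B" row is a parent-to-child edge, and the repeated rows are repeated calls, not extra children; collapsing them gives the same tree the Processes section shows. The Python below is an added example for this page, not the sandbox's code. It rebuilds the tree from the twenty rows above, resolves pids to image names with the "Executes dropped EXE" list, and uses the "Program crash" rows to mark the branch that never ran properly. All three inputs are copied from this report.

```python
import re
from collections import Counter, defaultdict

# pid -> image name, from the "Executes dropped EXE" signature of this report.
DROPPED_EXE = {4116: "ziNO2997.exe", 3324: "zitS3185.exe", 2552: "it217569.exe",
               1004: "jr401404.exe", 1176: "1.exe", 3940: "kp665005.exe", 4916: "lr584961.exe"}

# "Suspicious use of WriteProcessMemory" rows from this report, one per call.
WPM_ROWS = """
PID 3200 wrote to memory of 4116 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe 66
PID 3200 wrote to memory of 4116 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe 66
PID 3200 wrote to memory of 4116 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe 66
PID 4116 wrote to memory of 3324 4116 ziNO2997.exe 67
PID 4116 wrote to memory of 3324 4116 ziNO2997.exe 67
PID 4116 wrote to memory of 3324 4116 ziNO2997.exe 67
PID 3324 wrote to memory of 2552 3324 zitS3185.exe 68
PID 3324 wrote to memory of 2552 3324 zitS3185.exe 68
PID 3324 wrote to memory of 1004 3324 zitS3185.exe 69
PID 3324 wrote to memory of 1004 3324 zitS3185.exe 69
PID 3324 wrote to memory of 1004 3324 zitS3185.exe 69
PID 1004 wrote to memory of 1176 1004 jr401404.exe 70
PID 1004 wrote to memory of 1176 1004 jr401404.exe 70
PID 1004 wrote to memory of 1176 1004 jr401404.exe 70
PID 4116 wrote to memory of 3940 4116 ziNO2997.exe 71
PID 4116 wrote to memory of 3940 4116 ziNO2997.exe 71
PID 4116 wrote to memory of 3940 4116 ziNO2997.exe 71
PID 3200 wrote to memory of 4916 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe 73
PID 3200 wrote to memory of 4916 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe 73
PID 3200 wrote to memory of 4916 3200 f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe 73
"""

# "Program crash" rows from this report: reporter pid, crashed pid, image, procid_target.
CRASH_ROWS = """
4308 4916 WerFault.exe 73
2296 4916 WerFault.exe 73
2616 4916 WerFault.exe 73
2444 4916 WerFault.exe 73
2904 4916 WerFault.exe 73
2428 4916 WerFault.exe 73
4032 4916 WerFault.exe 73
"""

WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
CRASH = re.compile(r"^\s*(\d+) (\d+) WerFault\.exe (\d+)", re.MULTILINE)


def parse_edges(rows, names=DROPPED_EXE):
    """Return ({(parent, child): write_count}, {pid: image}) from the WPM rows."""
    edges, names = Counter(), dict(names)
    for m in WPM.finditer(rows):
        parent, child, image = int(m[1]), int(m[2]), m[3]
        edges[(parent, child)] += 1          # repeated rows collapse to a count
        names.setdefault(parent, image)      # the row names the writer, not the child
    return edges, names


def parse_crashes(rows):
    """Return {crashed_pid: number of WerFault reports}."""
    return Counter(int(m[2]) for m in CRASH.finditer(rows))


def build_tree(edges):
    children = defaultdict(list)
    for parent, child in edges:              # Counter keeps first-seen order
        children[parent].append(child)
    return children


def roots(edges):
    """Pids that write to others but are never written to: the top of the tree."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def render(pid, children, names, crashes, depth=0):
    """Indented text tree, one line per process, crash count appended where WerFault fired."""
    tag = f"  [crashed {crashes[pid]}x]" if crashes.get(pid) else ""
    out = [f"{'    ' * depth}{names.get(pid, '?')} (PID {pid}){tag}"]
    for child in children.get(pid, []):
        out.extend(render(child, children, names, crashes, depth + 1))
    return out


if __name__ == "__main__":
    edges, names = parse_edges(WPM_ROWS)
    tree = render(roots(edges)[0], build_tree(edges), names, parse_crashes(CRASH_ROWS))
    print("\n".join(tree))
```

The same parser works on any report in this format; pointing it at the WriteProcessMemory rows of a different sample is usually the quickest way to see whether a "wrote to memory of" row is a normal parent creating a child (the child is also the next process in the tree) or an injection into an unrelated, already running process (the target pid is not a child of the writer).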
Processes
(depth shown as a leading number, matching the report's level markers)

1. C:\Users\Admin\AppData\Local\Temp\f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe (PID 3200)
   command line: "C:\Users\Admin\AppData\Local\Temp\f9dbcfcc73c98844bedc4dd01e3f604b9075e9a0e7366ca9db0eb9a0b3dfdfb5.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNO2997.exe (PID 4116)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitS3185.exe (PID 3324)
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it217569.exe (PID 2552)
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr401404.exe (PID 1004)
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Temp\1.exe (PID 1176)
               command line: "C:\Windows\Temp\1.exe"
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp665005.exe (PID 3940)
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr584961.exe (PID 4916)
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 616 (PID 4308)
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 696 (PID 2296)
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 796 (PID 2616)
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 876 (PID 2444)
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 776 (PID 2904)
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 884 (PID 2428)
         - Program crash
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1052 (PID 4032)
         - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
Seven distinct dropped files. The report lists every hash set twice; one copy of each is kept here. Seven files matches the seven executables under "Executes dropped EXE".

Filesize: 309KB
MD5: 9242e8e8a5d6a083662e9a3114763779
SHA1: c942ce1860dab1d359b38d74fd93f6a6b40cd12d
SHA256: 2fe02c613d0a5317c961aa489106fa0219bcb6426c30d6ed8aa85ff711d9fb7e
SHA512: 64d08407736c95373efb8a642e788947fb9af4483b2ffa8843291ff31f42fa60f44bf5927efdf95c953ec29c382b308944039143d2e73c919dcb6f666b589f3e

Filesize: 679KB
MD5: 2c95b82fa9286acc43e3beed4125b50b
SHA1: c09a1e32627f19ad25fa84c96d3f7db9771957f8
SHA256: 7e2e50c27c176ca242506254bc04e121ef698dc2abf7e0f8737d87e345ffefc9
SHA512: be463c587b675acafe39a064001491e7d533bcbab5d1635e98cf9d657b1ace8251075bb69802f9854682272b05382ed255c2f1801830af07dfd5a1911ec91ba6

Filesize: 168KB
MD5: 4a03e760edd8423cb504850113150f67
SHA1: fbe36a13b6624a7f2975b0c9430de9b4884261d3
SHA256: bda4e0cb25d682f1c7d328def85fb96acc3227dcce23e0d77678ac59e5dc9a16
SHA512: 1aeea0e8e68ed26f046c69b472df10ae1832dd45468ee0630046ef5ce81a24c6570a0598117d3ac96c9c283418cd2b975b4807274a96006bebcb3c8a53dcfa89

Filesize: 525KB
MD5: 59e99154d9d28ea79a93fd11f51ed5a2
SHA1: e911dc70ad0607d8d1db29e58ee2498d00b3e813
SHA256: 7a4b53c810c331597c1caf53f782eddd316228666db0676fd4a1b4cd208fdfe8
SHA512: f92d2744797aeab94a278469ba73c2562b7d834c72310f0d40147b94f4906a57375aeee4d2bda8eae20a40eca146230a1eb8e12e79ca1e79a70c65560523461a

Filesize: 11KB
MD5: 55824acf42fb4154a328b5480f94240b
SHA1: f01fb86dc0de0c4242a6b97c550785ef65d5cddb
SHA256: 696a8dc95be85b1f1cd62a6381bdfc1e1b1d39a165aeb63ed42131e6ff8243fc
SHA512: 99c7fa217b10f9cec883752cfe7f482e91e135af5bfcbd4754044054d8516e4e746b1d9874092224aa82f3be7fcf4f2258ae9b82e607d7199e4af1c51b81e787

Filesize: 501KB
MD5: 995c8d9f519c7c117e545cdd723bb4f0
SHA1: a612fb6d1064bd866484913b52ff5da406e82b40
SHA256: b55f3b06452f06a252b8cfeb963edc6be1ad2de68406796253adcd1cd909ff8d
SHA512: 38921c92bf5a137f384f04fd8dca514b6f4ff97d531d648be122a00fc92605fed09092e12519719188addf87705e5c4a92fd42603cd6444d72b04fef1a696b92

Filesize: 168KB
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1