Analysis
max time kernel: 144s
max time network: 101s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-04-2023 23:13
Static task: static1
General
Target: 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe
Size: 964KB
MD5: 77d53bf8ad3f1f1845446b72006510fe
SHA1: 9b3b606dcd337ceb13a9069e75d6d0c64e3cd9d6
SHA256: 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581
SHA512: 300b247c2db19ae95a9ed27159052430d2d47a52e37004433b90cf5e265d7a49cb8157033a24d68efc7296db6b1e68e6d5b49230da33d83cb6b08560204f7917
SSDEEP: 24576:lyX4x04VSAZcpcSYk+xmopvWPgNyU6zZDI:AIGCaixmo8PeUz
Malware Config
Extracted
Family: redline
Botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
Family: redline
Botnet: disa
C2: 185.161.248.90:4125
auth_value: 93f8c4ca7000e3381dd4b6b86434de05
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it470669.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it470669.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it470669.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it470669.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it470669.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 7 IoCs
pid | Process
2500 | ziTz3891.exe
2984 | ziuF0674.exe
3908 | it470669.exe
1564 | jr365837.exe
3368 | 1.exe
816 | kp886170.exe
4252 | lr985567.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it470669.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziTz3891.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziTz3891.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziuF0674.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziuF0674.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 7 IoCs
pid | pid_target | Process | procid_target
1936 | 4252 | WerFault.exe | 73
2224 | 4252 | WerFault.exe | 73
4128 | 4252 | WerFault.exe | 73
2072 | 4252 | WerFault.exe | 73
4044 | 4252 | WerFault.exe | 73
4016 | 4252 | WerFault.exe | 73
2520 | 4252 | WerFault.exe | 73
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3908 | it470669.exe
3908 | it470669.exe
3368 | 1.exe
816 | kp886170.exe
816 | kp886170.exe
3368 | 1.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3908 | it470669.exe
Token: SeDebugPrivilege | 1564 | jr365837.exe
Token: SeDebugPrivilege | 3368 | 1.exe
Token: SeDebugPrivilege | 816 | kp886170.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 2452 wrote to memory of 2500 | 2452 | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe | 66
PID 2452 wrote to memory of 2500 | 2452 | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe | 66
PID 2452 wrote to memory of 2500 | 2452 | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe | 66
PID 2500 wrote to memory of 2984 | 2500 | ziTz3891.exe | 67
PID 2500 wrote to memory of 2984 | 2500 | ziTz3891.exe | 67
PID 2500 wrote to memory of 2984 | 2500 | ziTz3891.exe | 67
PID 2984 wrote to memory of 3908 | 2984 | ziuF0674.exe | 68
PID 2984 wrote to memory of 3908 | 2984 | ziuF0674.exe | 68
PID 2984 wrote to memory of 1564 | 2984 | ziuF0674.exe | 69
PID 2984 wrote to memory of 1564 | 2984 | ziuF0674.exe | 69
PID 2984 wrote to memory of 1564 | 2984 | ziuF0674.exe | 69
PID 1564 wrote to memory of 3368 | 1564 | jr365837.exe | 70
PID 1564 wrote to memory of 3368 | 1564 | jr365837.exe | 70
PID 1564 wrote to memory of 3368 | 1564 | jr365837.exe | 70
PID 2500 wrote to memory of 816 | 2500 | ziTz3891.exe | 71
PID 2500 wrote to memory of 816 | 2500 | ziTz3891.exe | 71
PID 2500 wrote to memory of 816 | 2500 | ziTz3891.exe | 71
PID 2452 wrote to memory of 4252 | 2452 | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe | 73
PID 2452 wrote to memory of 4252 | 2452 | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe | 73
PID 2452 wrote to memory of 4252 | 2452 | 9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe | 73
Processes
Process tree (each process is shown by its command line; child processes are indented under their parent)

"C:\Users\Admin\AppData\Local\Temp\9dc1f4e12f5bfe23894cb0b8bcfd5f46d74692c5644be935c9014ef1de1f7581.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 2452
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTz3891.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2500
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziuF0674.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2984
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it470669.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3908
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr365837.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1564
                "C:\Windows\Temp\1.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 3368
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp886170.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 816
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985567.exe
    - Executes dropped EXE
    PID: 4252
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 640
        - Program crash
        PID: 1936
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 716
        - Program crash
        PID: 2224
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 844
        - Program crash
        PID: 4128
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 852
        - Program crash
        PID: 2072
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 892
        - Program crash
        PID: 4044
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 864
        - Program crash
        PID: 4016
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1080
        - Program crash
        PID: 2520
Network
MITRE ATT&CK Enterprise v6
Downloads