Analysis
max time kernel: 143s
max time network: 100s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13/04/2023, 05:26
Static task: static1
General
Target: 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe
Size: 1.1MB
MD5: c9081207ff0aa1305f2b0b14417ad077
SHA1: 65e268010069462bdf3ec89769b2c516b630fa80
SHA256: 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d
SHA512: 1edde4a9c9eb7768e8d92062d074506948ecaa68df4e6b43b3dfbe990e177c38285172fd2180dbc0964ce0998dec04817c57fd89b3d202e02b81b06f447337fc
SSDEEP: 24576:9yOqpP0XSCNkx0RqwNNkKqHasys1CEdcFVaU:YfiYfaNkzHasLM3a
Malware Config
Extracted
Family: redline
Botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
Family: redline
Botnet: diro
C2: 185.161.248.90:4125
auth_value: ae95bda0dd2e95169886a3a68138568b
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr527715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr527715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr527715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr527715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr527715.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 7 IoCs
pid | Process
1592 | un798430.exe
1968 | un968487.exe
964 | pr527715.exe
4696 | qu479198.exe
204 | 1.exe
2924 | rk565159.exe
4024 | si201316.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr527715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr527715.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un798430.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un798430.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un968487.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un968487.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 9 IoCs
pid | pid_target | Process | procid_target
1744 | 4024 | WerFault.exe | 73
2152 | 4024 | WerFault.exe | 73
2356 | 4024 | WerFault.exe | 73
2076 | 4024 | WerFault.exe | 73
4256 | 4024 | WerFault.exe | 73
1440 | 4024 | WerFault.exe | 73
4556 | 4024 | WerFault.exe | 73
4640 | 4024 | WerFault.exe | 73
3084 | 4024 | WerFault.exe | 73

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
964 | pr527715.exe
964 | pr527715.exe
204 | 1.exe
2924 | rk565159.exe
2924 | rk565159.exe
204 | 1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 964 | pr527715.exe
Token: SeDebugPrivilege | 4696 | qu479198.exe
Token: SeDebugPrivilege | 204 | 1.exe
Token: SeDebugPrivilege | 2924 | rk565159.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4024 | si201316.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 1444 wrote to memory of 1592 | 1444 | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe | 66
PID 1444 wrote to memory of 1592 | 1444 | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe | 66
PID 1444 wrote to memory of 1592 | 1444 | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe | 66
PID 1592 wrote to memory of 1968 | 1592 | un798430.exe | 67
PID 1592 wrote to memory of 1968 | 1592 | un798430.exe | 67
PID 1592 wrote to memory of 1968 | 1592 | un798430.exe | 67
PID 1968 wrote to memory of 964 | 1968 | un968487.exe | 68
PID 1968 wrote to memory of 964 | 1968 | un968487.exe | 68
PID 1968 wrote to memory of 964 | 1968 | un968487.exe | 68
PID 1968 wrote to memory of 4696 | 1968 | un968487.exe | 69
PID 1968 wrote to memory of 4696 | 1968 | un968487.exe | 69
PID 1968 wrote to memory of 4696 | 1968 | un968487.exe | 69
PID 4696 wrote to memory of 204 | 4696 | qu479198.exe | 70
PID 4696 wrote to memory of 204 | 4696 | qu479198.exe | 70
PID 4696 wrote to memory of 204 | 4696 | qu479198.exe | 70
PID 1592 wrote to memory of 2924 | 1592 | un798430.exe | 71
PID 1592 wrote to memory of 2924 | 1592 | un798430.exe | 71
PID 1592 wrote to memory of 2924 | 1592 | un798430.exe | 71
PID 1444 wrote to memory of 4024 | 1444 | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe | 73
PID 1444 wrote to memory of 4024 | 1444 | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe | 73
PID 1444 wrote to memory of 4024 | 1444 | 5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe | 73
Processes
(indentation and the bracketed number give the nesting depth of each process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe  (PID 1444)
    command line: "C:\Users\Admin\AppData\Local\Temp\5701bc847437c10d42256ecc2bf7f5b0c3d8ea9d0a65b064042eaa16b3f6e04d.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798430.exe  (PID 1592)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un798430.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un968487.exe  (PID 1968)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un968487.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr527715.exe  (PID 964)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr527715.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu479198.exe  (PID 4696)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu479198.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\Temp\1.exe  (PID 204)
            command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk565159.exe  (PID 2924)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk565159.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si201316.exe  (PID 4024)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si201316.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 1744)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 616
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2152)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 696
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2356)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 836
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 2076)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 816
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4256)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 880
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 1440)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 848
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4556)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1116
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4640)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1180
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 3084)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1184
        - Program crash

Network
MITRE ATT&CK Enterprise v6
Downloads