Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 18:58
Static task: static1
Behavioral task: behavioral1
  Sample: e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
  Resource: win10v2004-20230220-en
General
Target: e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
Size: 694KB
MD5: 350833d78e9db8d00bdfa6761a37b3fc
SHA1: 6028a30702af762ba2eac5a09e082b6b4769dbdd
SHA256: e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192
SHA512: fb17351992022e8f50ab15185591c78d4d3b3942adb776a6f087aaff55dcea1322895fba7d7456db94cc15215c85f71cd68ebcd9520cd83d91b0000de7ca0667
SSDEEP: 12288:ly90z+lRbd1CkIzfNnTiRqlniqVdUN0cR/bP5zBjPJBWWrh:lyqwWkMfNWRqlRdUeYbRBTh
Malware Config
Signatures
Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource                                                                      yara_rule
behavioral2/memory/4380-987-0x0000000009CA0000-0x000000000A2B8000-memory.dmp  redline_stealer
Modifies Windows Defender Real-time Protection settings
description      ioc                                                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    18709478.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  18709478.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                    18709478.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    18709478.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        18709478.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    18709478.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (3 IoCs)
pid   Process
1260  un181759.exe
4168  18709478.exe
4380  rk263891.exe
Windows security modification
description      ioc                                                                                      Process
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                18709478.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  18709478.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                          Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce               e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce               un181759.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un181759.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility used to control services on the system.
pid   Process
1376  sc.exe
Program crash (1 IoC)
pid   pid_target  Process       procid_target
4012  4168        WerFault.exe  90
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4168  18709478.exe
4168  18709478.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4168  18709478.exe
Token: SeDebugPrivilege  4380  rk263891.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid   Process                                                                    procid_target
PID 3004 wrote to memory of 1260    3004  e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe  89
PID 3004 wrote to memory of 1260    3004  e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe  89
PID 3004 wrote to memory of 1260    3004  e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe  89
PID 1260 wrote to memory of 4168    1260  un181759.exe                                                               90
PID 1260 wrote to memory of 4168    1260  un181759.exe                                                               90
PID 1260 wrote to memory of 4168    1260  un181759.exe                                                               90
PID 1260 wrote to memory of 4380    1260  un181759.exe                                                               96
PID 1260 wrote to memory of 4380    1260  un181759.exe                                                               96
PID 1260 wrote to memory of 4380    1260  un181759.exe                                                               96
Processes
C:\Users\Admin\AppData\Local\Temp\e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe"
  PID: 3004
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un181759.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un181759.exe
      PID: 1260
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18709478.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18709478.exe
          PID: 4168
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1080
              PID: 4012
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263891.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263891.exe
          PID: 4380
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4168 -ip 4168
  PID: 4872

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 1376
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 540KB
MD5: e22d9cca9707e68c58e0249fc5ca1730
SHA1: 68749f886565be36c6d5964b35707b6f1626d21d
SHA256: f9d67f943a4731803176e24167ddeb18a27be9b6fefb58eadf59c04e7d2cfc75
SHA512: 803e5cba7cc0c3b8f4e4403b4b37b00ef88ccd26d5f69006cb1ce76d1a44442678c6f59a4de9b768108609d13f7d98094d7d08bd36dc787764647940d1104736

Filesize: 258KB
MD5: 511ebe091c92581b0be0d6166af6be51
SHA1: f8a143ec994fb42e5fce49bdc92a8258f25b20d0
SHA256: dbdeda317f1238a7ce1086898076f93ecc418159b70f5f1e9fc5697fe51f73af
SHA512: 119e9d99173b2547d1b12e6ab8391c25ca9c7572fa3e80fcbdf74d47c26f755dd69cafa29486343d591598c18e7d859eb2ceebd1b2ac6e2c1a4cac52667e3a90

Filesize: 341KB
MD5: 8ecd2d96f80a98d6e7bb2cca69f72604
SHA1: cba3cfc3f264e9bc9a35129118366f7a2525ad2f
SHA256: 88c35f3970b0a8be24d6f8698d01bf60444051ea65fd6f0296eb4b47667cdc19
SHA512: 7952c58391530da86679732a79984e926c1e79ceab3ce54f0caf60eff92af489a86c71ff51f66e859bf8f96898944e845b286a6a2c7a8b47f719ce5ddfd00b0d