Analysis

- max time kernel: 150s
- max time network: 100s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
- submitted: 03-05-2023 22:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe
  - Resource: win10-20230220-en
General

- Target: d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe
- Size: 1.4MB
- MD5: cd720db9e9f6bd1d661936b2b5187143
- SHA1: 7f698015698b61e2a31c4b27569903fd501c040c
- SHA256: d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d
- SHA512: 2f4534271acc77a6639dc858b0f3d3e41df102e98175298d27a42ff6275329f3261e0af58d5806ef6a65073bc638e22b6f90783b59447c70345dd38de211e79e
- SSDEEP: 24576:TyhXR5iqzOHeAi+miNjsT5SUuIKrPQ5hsic3Gc/dpm8BT:m1riqzui+psT5SUuIKrKhtc38
Malware Config

Extracted
- Family: redline
- Botnet: mask
- C2: 217.196.96.56:4138
- auth_value: 31aef25be0febb8e491794ef7f502c50
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
All five writes are "Set value (int)" by a6963326.exe. These are the Group Policy values that turn off Defender's real-time components:
- \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Writing under HKLM\SOFTWARE\Policies requires administrative rights (the sandbox runs the sample as user Admin), and on a host with Tamper Protection enabled Defender ignores these policy values. The report records that the writes happened, not whether Defender honoured them.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 7 IoCs
- PID 4512: v0836460.exe
- PID 4908: v5912512.exe
- PID 68: v9015438.exe
- PID 2292: v0104675.exe
- PID 4476: a6963326.exe
- PID 1308: b5477546.exe
- PID 4156: c3949629.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification 2 IoCs
Both by a6963326.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
The WOW6432Node path shows that a6963326.exe is a 32-bit process whose HKLM\SOFTWARE writes were redirected into the 32-bit registry view. Defender's own Features key lives in the native 64-bit view, so this write does not by itself clear Tamper Protection; the Policies key above is not redirected, which is why those paths carry no WOW6432Node.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 10 IoCs
Every one of these IoCs is a RunOnce entry of the form wextract_cleanupN, which the Wextract (IExpress) self-extractor writes for each nesting level. The command deletes the stage's IXP00N.TMP extraction directory at the next logon via advpack.dll,DelNodeRunDLL32; it does not start a payload, so this is cleanup rather than persistence. One "Key created" plus one "Set value (str)" per stage:
- d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- v0836460.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- v5912512.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- v9015438.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
- v0104675.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce; Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 9 IoCs
All nine are WerFault.exe instances reporting a crash of PID 4156 (c3949629.exe, procid_target 73):
- PID 1372
- PID 4408
- PID 4388
- PID 3264
- PID 5044
- PID 4748
- PID 3184
- PID 3392
- PID 3948

Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 4476: a6963326.exe (2 records)
- PID 1308: b5477546.exe (2 records)

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 4476, a6963326.exe
- Token: SeDebugPrivilege, PID 1308, b5477546.exe
SeDebugPrivilege allows a process to open handles to other processes regardless of their ACL; the same two stages are the ones that enumerate processes above.

Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4156: c3949629.exe

Suspicious use of WriteProcessMemory 21 IoCs
The report records each parent/child pair three times (one entry per write into the new child's memory during process creation), giving 21 records for 7 process creations. Unique pairs, with the sandbox's procid_target:
- PID 372 (d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe) wrote to memory of 4512, procid_target 66
- PID 4512 (v0836460.exe) wrote to memory of 4908, procid_target 67
- PID 4908 (v5912512.exe) wrote to memory of 68, procid_target 68
- PID 68 (v9015438.exe) wrote to memory of 2292, procid_target 69
- PID 2292 (v0104675.exe) wrote to memory of 4476, procid_target 70
- PID 2292 (v0104675.exe) wrote to memory of 1308, procid_target 71
- PID 68 (v9015438.exe) wrote to memory of 4156, procid_target 73
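Reports like this flatten every IoC table into one line, and the question an analyst actually wants answered is "which stage of the chain touched Defender, and how did it get there?". The Python below is an added example written for this page; it is not Triage code and not part of the sample. It takes the WriteProcessMemory, Executes-dropped-EXE and registry records transcribed from the report above as constructed sample input, collapses the triplicated parent/child records into a process tree, and attributes the Defender policy and TamperProtection writes to the lineage of the process that made them. The regular expressions assume the column order shown in this report's flattened rows; the Wextract RunOnce entry is included as a negative case for the Defender rule.

```python
"""Rebuild the process chain from flattened sandbox IoCs and attribute
Defender-tampering registry writes to the stage that made them.
Added example for this page, not Triage code; record strings are transcribed
from the report above and used as constructed sample input."""
import re

SAMPLE = "d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe"

# "Suspicious use of WriteProcessMemory": the report lists each pair three times;
# the first pair is kept in triplicate here to show that the dedupe works.
WRITE_PROCESS_MEMORY = f"""
PID 372 wrote to memory of 4512 372 {SAMPLE} 66
PID 372 wrote to memory of 4512 372 {SAMPLE} 66
PID 372 wrote to memory of 4512 372 {SAMPLE} 66
PID 4512 wrote to memory of 4908 4512 v0836460.exe 67
PID 4908 wrote to memory of 68 4908 v5912512.exe 68
PID 68 wrote to memory of 2292 68 v9015438.exe 69
PID 2292 wrote to memory of 4476 2292 v0104675.exe 70
PID 2292 wrote to memory of 1308 2292 v0104675.exe 71
PID 68 wrote to memory of 4156 68 v9015438.exe 73
"""
# "Executes dropped EXE": pid/image pairs, needed to name the leaf processes.
DROPPED_EXE = ("4512 v0836460.exe 4908 v5912512.exe 68 v9015438.exe 2292 v0104675.exe "
               "4476 a6963326.exe 1308 b5477546.exe 4156 c3949629.exe")
# Registry writes: six Defender values plus one Wextract cleanup entry (negative case).
REGISTRY_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a6963326.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a6963326.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a6963326.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a6963326.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a6963326.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a6963326.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe
"""

# Column layout assumed from this report's flattened rows.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
REG_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)" (\S+)$')

def build_tree(wpm_text, dropped_text):
    """Return (names, parent_of, edges): pid->image, child->parent, unique (parent, child)."""
    names, parent_of, edges = {}, {}, set()
    for parent, child, image in WPM_RE.findall(wpm_text):
        parent, child = int(parent), int(child)
        names[parent] = image
        parent_of[child] = parent
        edges.add((parent, child))          # set(): the triplicate records collapse to one edge
    for pid, image in re.findall(r"(\d+) (\S+)", dropped_text):
        names[int(pid)] = image             # leaf stages only appear as targets, so name them here
    return names, parent_of, edges

def lineage(pid, names, parent_of):
    """Image names from the root process down to pid."""
    chain = []
    while True:
        chain.append(names.get(pid, f"pid {pid}"))
        if pid not in parent_of:
            return chain[::-1]
        pid = parent_of[pid]

def parse_registry(text):
    events = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line)
        if m:
            events.append({"type": m[1], "path": m[2], "data": m[3], "process": m[4]})
    return events

# Registry paths are case-insensitive, so compare lower-cased suffixes.
RTP_POLICY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES = r"\microsoft\windows defender\features"

def is_defender_tampering(path, data):
    """Real-Time Protection policy 'Disable*' set to 1, or Features TamperProtection cleared to 0."""
    key, _, value = path.lower().rpartition("\\")
    if key.endswith(RTP_POLICY) and value.startswith("disable") and data == "1":
        return True
    return key.endswith(FEATURES) and value == "tamperprotection" and data == "0"

def defender_hits(events):
    return [e for e in events if is_defender_tampering(e["path"], e["data"])]

def attribute(hits, names, parent_of):
    """Map each hit's value name to the lineage of the process that wrote it.
    Image names are unique in this report; key on PID if a report repeats them."""
    pid_of = {image: pid for pid, image in names.items()}
    return {e["path"].rpartition("\\")[2]: lineage(pid_of[e["process"]], names, parent_of)
            for e in hits}

if __name__ == "__main__":
    names, parent_of, edges = build_tree(WRITE_PROCESS_MEMORY, DROPPED_EXE)
    print(f"{len(edges)} process creations from {len(WPM_RE.findall(WRITE_PROCESS_MEMORY))} records")
    for value, chain in attribute(defender_hits(parse_registry(REGISTRY_EVENTS)), names, parent_of).items():
        print(f"{value:28s} <- {' > '.join(chain)}")
```

Running it prints one line per Defender value, each ending in a6963326.exe at depth six of the chain, and nothing for the wextract_cleanup0 entry. The suffix match on the key path is deliberate: it fires whether the write is logged under the native view or under WOW6432Node, which matters because a 32-bit stage's write to the redirected Features key still deserves a hit even though it does not reach Defender's own key.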
Processes

Indentation shows parent and child. Each IXP00N.TMP directory is the extraction folder of the Wextract stage one level up; depth 1 is the submitted sample.

C:\Users\Admin\AppData\Local\Temp\d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe (PID 372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d828463362d069ce62f8ef4fe35dd13319103fd2c24766788d1091e15301505d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0836460.exe (PID 4512)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5912512.exe (PID 4908)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9015438.exe (PID 68)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0104675.exe (PID 2292)
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6963326.exe (PID 4476)
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5477546.exe (PID 1308)
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3949629.exe (PID 4156)
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow

          The nine WerFault.exe children below are Windows Error Reporting instances for this process (-p 4156), i.e. c3949629.exe crashed repeatedly:
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 620 (PID 1372) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 700 (PID 4408) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 840 (PID 4388) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 848 (PID 3264) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 908 (PID 5044) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 836 (PID 4748) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1120 (PID 3184) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1192 (PID 3392) - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1240 (PID 3948) - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 1.3MB
  MD5: ecfb94bcc1d1b3a27148d2b2493822ca
  SHA1: 200ae5328dc3f457af859430ea2493d41c9263d6
  SHA256: 776414d8868271f72ab52924eef3621fe22e627806fc90bf8ae127650214ffd0
  SHA512: 3a15af3c9cb5b83f29fb74d2c86fcbe42b742947801520759d0f80197ddf629d3f71902c3321b6e5efd564ca362a4ce14651d35fad5712643e3994a52e4fd353

- Filesize: 845KB
  MD5: 149418b7d4713fa444bf069ecbd79a3a
  SHA1: 45bfb36fcc994a01adfc54c0f5b5d1dc73962095
  SHA256: b3f8e074c083405bd78305998011cd4d006fd24acd18e4a4ee363a21d5098e47
  SHA512: 60ee4b7176316e760b7cc738fd58371f5e4c784609d88ea26a05d7da2273744d1ac9c706f36987e59516f6c10e7fe0cd2a0217a4aec42b120ee827caac8d9e31

- Filesize: 641KB
  MD5: a9d58d131b123515f970503b5dd67ba4
  SHA1: 377a34adeb8df9c23009b4db68e4a7b11c7bf625
  SHA256: 4c249596b47d21173de34146f989b8163514068e01c6fc85579bdd2b9fee14f2
  SHA512: 676071eff21ec9c5aa97a68eb99b222d24c96a22de478b77aa267b8767dbeae5304118c924895c292b497c635b43e9a4ec9d91801990c90461994d3f8558a3be

- Filesize: 268KB
  MD5: 1c5f6d6cecf56c665270b12957176f04
  SHA1: 8f9a134be57bc254d4a916261762a482af902632
  SHA256: 0ee59b47167c6255a62aeaba9c1c3a5b9d0a2dc6134125dc3bd91996c10eb4e9
  SHA512: b94098d935ecf9736122fb1eaa77be4b865dc462c6cf6fbd4a0d4cc2d885c83e61a36c6f1c127b06efc800e40629afd8386735514ff21ce62ca74b56000a7090

- Filesize: 383KB
  MD5: a9858da4d8d68f9148cb2fdf88c968b0
  SHA1: dd95e412a2d1ae826aa4376f3179a4c284a6e96a
  SHA256: 86bd0d4490ff6bd10ff0639f1d9d4d98a1a910d5dcb7d75db31d4d9c0f9efefb
  SHA512: 1409e1ca0e0bb3388846d4b17fece4c43ff78f0cd970d25583f7d9f4992d95f85824df3dffdbd865a6fc2ca413e33865a9ad4523429acb9d05f94beb64b5baea

- Filesize: 289KB
  MD5: 4cd759f1f1666573ef5a6756d5268424
  SHA1: a979ffdccaf067ac3f43865c9900608a1aefaeb0
  SHA256: 7f677e587f427a224054bed62ce3313e9c48cfa7a17bb630b4a685a64ae08f49
  SHA512: 30a87da5cd8a481ae724e69011bffbca7843d8f1d5b302e7338228da5cc38ed72886a766eb1239dd74d096f153d2582c3e97c2c7ad47ffb2a71eaa9bd665f97f

- Filesize: 168KB
  MD5: 7a74df915b5430800ba197dafd4212e1
  SHA1: 68836a1e973bcee635351e9a5f697b27639efcb6
  SHA256: 2a65571a76a6acb055bbcae4911cf3c5bcaad3186930c92e4b9941ccacac4618
  SHA512: 3ead8c640f51aed743423c71747f060c1033e31c349b78cdc6ecfd196837e69c932a074881ec422c4ed8e4454dc686c199c580c6c1159ed0660e43f5a5fd2b1e