redline | 869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183

Analysis

max time kernel
54s
max time network
78s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03/05/2023, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe
Size

1.2MB
MD5

96973db4552fbaea3e1a45e9169e547b
SHA1

86868f205ce2a02f7e7cc60802018f56f6f31281
SHA256

869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183
SHA512

565dcc12b18a7e2aff09554212052d6c00330d0660b81f3212207b1bf835d633ffd67cda40997130c83089d7c6e5cbd1e800d401393e64bedbbbbc288b9e837b
SSDEEP

24576:Wy0U55CHe73JZaFrhaTol04nhS3p/yzk/NpildP+j:l15C+VZS9aTh4hSByZdP+

Score

10^/10

redline luna evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luna

217.196.96.56:4138

Attributes

auth_value
16dec8addb01db1c11c59667022ef7a2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n7769911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n7769911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n7769911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n7769911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n7769911.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3192	z7761429.exe
4100	z2792649.exe
4320	z0661123.exe
1692	n7769911.exe
4260	o2862863.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n7769911.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n7769911.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2792649.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2792649.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0661123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0661123.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7761429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7761429.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	4260	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	n7769911.exe
1692	n7769911.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	n7769911.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3192	4308	869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe	66
PID 4308 wrote to memory of 3192	4308	869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe	66
PID 4308 wrote to memory of 3192	4308	869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe	66
PID 3192 wrote to memory of 4100	3192	z7761429.exe	67
PID 3192 wrote to memory of 4100	3192	z7761429.exe	67
PID 3192 wrote to memory of 4100	3192	z7761429.exe	67
PID 4100 wrote to memory of 4320	4100	z2792649.exe	68
PID 4100 wrote to memory of 4320	4100	z2792649.exe	68
PID 4100 wrote to memory of 4320	4100	z2792649.exe	68
PID 4320 wrote to memory of 1692	4320	z0661123.exe	69
PID 4320 wrote to memory of 1692	4320	z0661123.exe	69
PID 4320 wrote to memory of 1692	4320	z0661123.exe	69
PID 4320 wrote to memory of 4260	4320	z0661123.exe	70
PID 4320 wrote to memory of 4260	4320	z0661123.exe	70
PID 4320 wrote to memory of 4260	4320	z0661123.exe	70

C:\Users\Admin\AppData\Local\Temp\869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe
"C:\Users\Admin\AppData\Local\Temp\869393692b8fbba04fc5b4cac17717c75c7ac6b7aba34ec96cb851d007190183.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7761429.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7761429.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2792649.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2792649.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0661123.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0661123.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7769911.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7769911.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2862863.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2862863.exe
        5⤵
        Executes dropped EXE
        
        PID:4260
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 956
        6⤵
        Program crash
        
        PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7761429.exe

Filesize
1.0MB

MD5
0f49b31775dee411afbc0f92f5027cd1

SHA1
fea10f7aba61b4045e4c0c4135443ded58e24d9f

SHA256
d8c3d56ce1a2b8f53768e4dd05f259813d223cfbc825d2cabd0176ce7d794cbb

SHA512
8cb149febfe9b3d9ffbad6c1a097e776431b64dbae2543ebd7dffa1b77abba655aecdd88c7191f2ce025562a0dc8f17f1358ae0abd42610f6ce4726a0ebb7ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7761429.exe

Filesize
1.0MB

MD5
0f49b31775dee411afbc0f92f5027cd1

SHA1
fea10f7aba61b4045e4c0c4135443ded58e24d9f

SHA256
d8c3d56ce1a2b8f53768e4dd05f259813d223cfbc825d2cabd0176ce7d794cbb

SHA512
8cb149febfe9b3d9ffbad6c1a097e776431b64dbae2543ebd7dffa1b77abba655aecdd88c7191f2ce025562a0dc8f17f1358ae0abd42610f6ce4726a0ebb7ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2792649.exe

Filesize
587KB

MD5
7d2e7bfe0e227944fb99b647ac19df68

SHA1
3317eb3024cffda77c659c0c022a55078892d846

SHA256
b9de7c840c6cf91a22a96857c51d9b278b7f4f6ec413874f244756a25b5d7d0e

SHA512
82f99d962020ed6a102d605fa0d152b343af97171b3e12fae63516d27bfa4ec7945830d6acf2dba1e7f9b73031a55d0c28c8f2a0bd530f619eb89809cb7b7d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2792649.exe

Filesize
587KB

MD5
7d2e7bfe0e227944fb99b647ac19df68

SHA1
3317eb3024cffda77c659c0c022a55078892d846

SHA256
b9de7c840c6cf91a22a96857c51d9b278b7f4f6ec413874f244756a25b5d7d0e

SHA512
82f99d962020ed6a102d605fa0d152b343af97171b3e12fae63516d27bfa4ec7945830d6acf2dba1e7f9b73031a55d0c28c8f2a0bd530f619eb89809cb7b7d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0661123.exe

Filesize
383KB

MD5
703b9ecdbf85ee5cd4435ca3d5ea58e8

SHA1
ba82fbc2ceac512dbfd059c3abc245731fa41172

SHA256
84e6d8fee8f28fe3a131efc97be32d2388e08d6e2149f52795d32501a28b2b3f

SHA512
32f8221353d6005b990bf03fe58bdffc8b7c3d95e79ccb329d59555cc45955f10b400831015080db866df771cde06ac3b36be3342939f9c389a17b6795ef879a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0661123.exe

Filesize
383KB

MD5
703b9ecdbf85ee5cd4435ca3d5ea58e8

SHA1
ba82fbc2ceac512dbfd059c3abc245731fa41172

SHA256
84e6d8fee8f28fe3a131efc97be32d2388e08d6e2149f52795d32501a28b2b3f

SHA512
32f8221353d6005b990bf03fe58bdffc8b7c3d95e79ccb329d59555cc45955f10b400831015080db866df771cde06ac3b36be3342939f9c389a17b6795ef879a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7769911.exe

Filesize
289KB

MD5
72e79e20672ae89af6bc681f65a86e69

SHA1
913bec59e1090a01bad9306bbd904fc13497c3a8

SHA256
0fdcaefd206e642e862681a08e74029310f5e5e6d8d72c294cf09bc752a46601

SHA512
09ac99532ccbbe5c6fbe8994721fc7d80a819694a358194d72b82a26d428c624c4c72262b90150401ad0d7c9c3db44cd8538fdd3a8e2481735a93afbd1a4b3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7769911.exe

Filesize
289KB

MD5
72e79e20672ae89af6bc681f65a86e69

SHA1
913bec59e1090a01bad9306bbd904fc13497c3a8

SHA256
0fdcaefd206e642e862681a08e74029310f5e5e6d8d72c294cf09bc752a46601

SHA512
09ac99532ccbbe5c6fbe8994721fc7d80a819694a358194d72b82a26d428c624c4c72262b90150401ad0d7c9c3db44cd8538fdd3a8e2481735a93afbd1a4b3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2862863.exe

Filesize
168KB

MD5
2c3dd803eb3558c000465cb050e2d3ec

SHA1
cbaaeffa3e67580634f703736463b8ce9971f6bb

SHA256
763193f5357660869c7c7c5ea9e7209e8dfb1e6414298ef710fd5d3468d5441d

SHA512
b0e134c015f1d5ddc1086cb6431b9a1d3b44404d72ff3b1761acd50c64650b024f7944699281786e1219e16eae8cbd98f99e288207a94141b28ee2111780cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2862863.exe

Filesize
168KB

MD5
2c3dd803eb3558c000465cb050e2d3ec

SHA1
cbaaeffa3e67580634f703736463b8ce9971f6bb

SHA256
763193f5357660869c7c7c5ea9e7209e8dfb1e6414298ef710fd5d3468d5441d

SHA512
b0e134c015f1d5ddc1086cb6431b9a1d3b44404d72ff3b1761acd50c64650b024f7944699281786e1219e16eae8cbd98f99e288207a94141b28ee2111780cc26

Download Submit
memory/1692-160-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-174-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-153-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-154-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-156-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-158-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-151-0x00000000049C0000-0x0000000004EBE000-memory.dmp

Filesize
5.0MB

Download
memory/1692-162-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-164-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-166-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-168-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-170-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-172-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-152-0x0000000004EC0000-0x0000000004ED8000-memory.dmp

Filesize
96KB

Download
memory/1692-176-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-178-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-180-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1692-181-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/1692-182-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/1692-183-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/1692-184-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1692-186-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1692-150-0x0000000002160000-0x000000000217A000-memory.dmp

Filesize
104KB

Download
memory/1692-149-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/4260-190-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download