redline | ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599

Analysis

max time kernel
146s
max time network
103s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03/05/2023, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe
Size

565KB
MD5

a34b6a66f18e783517f71360599f9076
SHA1

fcca4a790ed34780ec97996529adbe214b02b743
SHA256

ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599
SHA512

6c18bd0f1a13405f10d221f911eabc7543f3572163ff69175b49121a95b533c9614e168bfb57d112c4ddb9ab400f4150080adaaa473077eb1ed50ee386cb0455
SSDEEP

12288:dMr3y903KT2GvJxdCsrYgsJbHzuwcCPhhmw8y:WytfJLCskFJrzuwcCJx

Score

10^/10

redline darm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l9997390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l9997390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l9997390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l9997390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l9997390.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2560	y9674216.exe
3076	k9971295.exe
4516	l9997390.exe
1332	m9871845.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l9997390.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l9997390.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9674216.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9674216.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3012	1332	WerFault.exe	70
3764	1332	WerFault.exe	70
3108	1332	WerFault.exe	70
4816	1332	WerFault.exe	70
4820	1332	WerFault.exe	70
2772	1332	WerFault.exe	70
4788	1332	WerFault.exe	70
440	1332	WerFault.exe	70
3920	1332	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3076	k9971295.exe
3076	k9971295.exe
4516	l9997390.exe
4516	l9997390.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	k9971295.exe
Token: SeDebugPrivilege	4516	l9997390.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1332	m9871845.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2560	2472	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe	66
PID 2472 wrote to memory of 2560	2472	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe	66
PID 2472 wrote to memory of 2560	2472	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe	66
PID 2560 wrote to memory of 3076	2560	y9674216.exe	67
PID 2560 wrote to memory of 3076	2560	y9674216.exe	67
PID 2560 wrote to memory of 3076	2560	y9674216.exe	67
PID 2560 wrote to memory of 4516	2560	y9674216.exe	69
PID 2560 wrote to memory of 4516	2560	y9674216.exe	69
PID 2560 wrote to memory of 4516	2560	y9674216.exe	69
PID 2472 wrote to memory of 1332	2472	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe	70
PID 2472 wrote to memory of 1332	2472	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe	70
PID 2472 wrote to memory of 1332	2472	ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe	70

C:\Users\Admin\AppData\Local\Temp\ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe
"C:\Users\Admin\AppData\Local\Temp\ecd6e28300049668d77c4518286ee62df560cd94068b81595987cdebd49b0599.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9674216.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9674216.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9971295.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9971295.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9997390.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9997390.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9871845.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9871845.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 616
    3⤵
    - Program crash
    PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 696
    3⤵
    - Program crash
    PID:3764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 824
    3⤵
    - Program crash
    PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 812
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 876
    3⤵
    - Program crash
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 772
    3⤵
    - Program crash
    PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1128
    3⤵
    - Program crash
    PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1152
    3⤵
    - Program crash
    PID:440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1200
    3⤵
    - Program crash
    PID:3920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9871845.exe

Filesize
268KB

MD5
1eb477ae167133202dcfa69839bf6999

SHA1
0d35099fff4c09c16b2eb81106de41f3feb0ddca

SHA256
5bb85bd7d2e0407e5bd55e77d642d64c4206bc1cf817e658d07819c70d7bdff3

SHA512
1ecae15f5cf11072ab08462d9ede3e366f3c38ff93f2228f0a8c29bdfb11caa82c9b10d84981c4897057affa132e0035102811131adfdb806d9373ef631599f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9871845.exe

Filesize
268KB

MD5
1eb477ae167133202dcfa69839bf6999

SHA1
0d35099fff4c09c16b2eb81106de41f3feb0ddca

SHA256
5bb85bd7d2e0407e5bd55e77d642d64c4206bc1cf817e658d07819c70d7bdff3

SHA512
1ecae15f5cf11072ab08462d9ede3e366f3c38ff93f2228f0a8c29bdfb11caa82c9b10d84981c4897057affa132e0035102811131adfdb806d9373ef631599f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9674216.exe

Filesize
307KB

MD5
9b7764d62e7f34c8c7fb1bb16cf9c12a

SHA1
7bef924e62e245e8f712021dc78e3fd0470fc743

SHA256
6a2e2b90e86685b88c8b65884c839f9644a6f9096243aa6618e7bd4d597fe2fa

SHA512
06ee50087b9fd9b64ddca1df1dab03c86ccb6afb5e45ee664b5b87d1155bcb5688f509875324bf19aa25a1f70ebd7f8c6d75f2cfe362769461e2a86ee65ad408

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9674216.exe

Filesize
307KB

MD5
9b7764d62e7f34c8c7fb1bb16cf9c12a

SHA1
7bef924e62e245e8f712021dc78e3fd0470fc743

SHA256
6a2e2b90e86685b88c8b65884c839f9644a6f9096243aa6618e7bd4d597fe2fa

SHA512
06ee50087b9fd9b64ddca1df1dab03c86ccb6afb5e45ee664b5b87d1155bcb5688f509875324bf19aa25a1f70ebd7f8c6d75f2cfe362769461e2a86ee65ad408

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9971295.exe

Filesize
168KB

MD5
96db08473720a6b18aaaefb3b8a77d0c

SHA1
d18b58d7752f630b06062a93a53712d32c808f0f

SHA256
0b3141ff910bc569ef77dfcfb61ac1ed0919942be16d3a0b3c2362225cb72e82

SHA512
8f3e7377e412a61e5d0ea1ec50a37ccda59965da09f6f8559cd79d5071fec337787a4966a1e262cc69e9ddf35d298459a30891880d236402b8b983df512516b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9971295.exe

Filesize
168KB

MD5
96db08473720a6b18aaaefb3b8a77d0c

SHA1
d18b58d7752f630b06062a93a53712d32c808f0f

SHA256
0b3141ff910bc569ef77dfcfb61ac1ed0919942be16d3a0b3c2362225cb72e82

SHA512
8f3e7377e412a61e5d0ea1ec50a37ccda59965da09f6f8559cd79d5071fec337787a4966a1e262cc69e9ddf35d298459a30891880d236402b8b983df512516b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9997390.exe

Filesize
178KB

MD5
d43fca1a24133de7623febcf2848ea49

SHA1
c068a1af4e2eaba04f768b3e2c86f4344a78d88a

SHA256
0b709cb498138055eecaea9a7662eb83f224636ea0b906bd5d1fe3e220d688d6

SHA512
15921bdffce41dce5e7dd9c1cbcf6cd4ad6463b8edd71098cd4b150674ebe1a4510295ba6d7e1ba44deef831e118a97d02bb193d9d835c3af3523985d01f247a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9997390.exe

Filesize
178KB

MD5
d43fca1a24133de7623febcf2848ea49

SHA1
c068a1af4e2eaba04f768b3e2c86f4344a78d88a

SHA256
0b709cb498138055eecaea9a7662eb83f224636ea0b906bd5d1fe3e220d688d6

SHA512
15921bdffce41dce5e7dd9c1cbcf6cd4ad6463b8edd71098cd4b150674ebe1a4510295ba6d7e1ba44deef831e118a97d02bb193d9d835c3af3523985d01f247a

Download Submit
memory/1332-193-0x00000000007E0000-0x0000000000815000-memory.dmp

Filesize
212KB

Download
memory/1332-194-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download
memory/3076-143-0x0000000004F00000-0x0000000004F76000-memory.dmp

Filesize
472KB

Download
memory/3076-148-0x0000000005B50000-0x0000000005BA0000-memory.dmp

Filesize
320KB

Download
memory/3076-141-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3076-144-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/3076-145-0x0000000006210000-0x000000000670E000-memory.dmp

Filesize
5.0MB

Download
memory/3076-146-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/3076-147-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3076-142-0x0000000004C30000-0x0000000004C7B000-memory.dmp

Filesize
300KB

Download
memory/3076-149-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/3076-150-0x0000000008490000-0x00000000089BC000-memory.dmp

Filesize
5.2MB

Download
memory/3076-140-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

Filesize
248KB

Download
memory/3076-139-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/3076-138-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

Filesize
1.0MB

Download
memory/3076-137-0x00000000051F0000-0x00000000057F6000-memory.dmp

Filesize
6.0MB

Download
memory/3076-136-0x00000000024D0000-0x00000000024D6000-memory.dmp

Filesize
24KB

Download
memory/3076-135-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/4516-155-0x0000000002270000-0x000000000228A000-memory.dmp

Filesize
104KB

Download
memory/4516-162-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-164-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-166-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-168-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-170-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-172-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-174-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-176-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-178-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-180-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-182-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-184-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-185-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4516-186-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4516-187-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4516-160-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-158-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-157-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4516-156-0x0000000002380000-0x0000000002398000-memory.dmp

Filesize
96KB

Download