Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 04/05/2023, 06:30
Static task: static1
Behavioral task: behavioral1
Sample: d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe
Resource: win10-20230220-en
General
Target: d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe
Size: 479KB
MD5: 68b8701d0f8234eedbf1fd1cb304dd4f
SHA1: 4558766e01d0cf0fec3e10af40ff2d6f44f9ee74
SHA256: d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351
SHA512: c1d0c7e1ecd00733048bbf4ac2beb5c72689b54fa66df2e2bc80607829a444deddc5be0b4fb8be25e90e7e6efa6207984d5e16ef799c73aab2a7975396d09ced
SSDEEP: 6144:Kny+bnr+Yp0yN90QEgkisF+dBK757VOBULIgRvbgBqIrVEZH599/crV28QE+eu9p:dMrAy909ii6ce9PqnZPERjxa
Malware Config
Extracted
Family: redline
Botnet: daris
C2: 217.196.96.56:4138
auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
All five values are written under HKLM\SOFTWARE\Policies, which is a shared key (not redirected to WOW6432Node), so the writes take effect even though the writer is a 32-bit process.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | l5303987.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | l5303987.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | l5303987.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | l5303987.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | l5303987.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
pid | Process
4436 | y9461615.exe
4252 | k9566414.exe
4716 | l5303987.exe
1016 | m4393452.exe
4300 | oneetx.exe
4640 | oneetx.exe
3856 | oneetx.exe

Loads dropped DLL 1 IoCs
pid | Process
4940 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Windows security modification 2 IoCs
The TamperProtection value is written under WOW6432Node, the registry view a 32-bit process sees; the 64-bit Defender service reads the native view, so this should be treated as an attempt rather than evidence that Tamper Protection was disabled.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | l5303987.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | l5303987.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
The wextract_cleanup RunOnce values are registered by the WExtract/IExpress self-extractor: at next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory, which is where the dropped stage executables below live.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y9461615.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y9461615.exe
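The three registry signatures above (the Real-Time Protection policy values, the TamperProtection value under WOW6432Node, and the wextract_cleanup RunOnce entries) as a classifier over registry "Set value" events. This is an example added to this page, not code from the sandbox or its report; the RegEvent records are constructed from the IoCs shown above, the trailing SetupCleanup event is an invented benign control, and the rule names and the RegEvent/Finding types are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Key prefixes in the \REGISTRY\MACHINE form the report uses, lower-cased
# and without WOW6432Node (normalize() strips it before comparing).
DEFENDER_RTP_POLICY = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_FEATURES = r"\registry\machine\software\microsoft\windows defender\features"
RUNONCE = r"\registry\machine\software\microsoft\windows\currentversion\runonce"
WOW64_RE = re.compile(r"\\wow6432node(?=\\)", re.IGNORECASE)
DELNODE_RE = re.compile(r'advpack\.dll,\s*DelNodeRunDLL32\s+"?([^"]+?)"?\s*$', re.IGNORECASE)

@dataclass
class RegEvent:
    op: str              # "Key created" / "Set value (int)" / "Set value (str)"
    path: str            # key path, plus "\<value name>" for Set value events
    data: Optional[str]  # value data as printed in the report; None for Key created
    process: str

@dataclass
class Finding:
    rule: str
    process: str
    path: str
    note: str

def normalize(path: str):
    """Return (view, path) with any WOW6432Node component removed and case folded.

    HKLM\\SOFTWARE\\Policies is a shared key, so a 32-bit writer lands where the
    64-bit reader looks; most other HKLM\\SOFTWARE keys are redirected, which is
    why the report shows WOW6432Node on the Defender Features path but not on
    the Real-Time Protection policy path.
    """
    view = "wow64" if WOW64_RE.search(path) else "native"
    return view, WOW64_RE.sub("", path).lower()

def classify(ev: RegEvent) -> List[Finding]:
    if not ev.op.startswith("Set value"):
        return []
    view, norm = normalize(ev.path)
    key, _, name = norm.rpartition("\\")
    out = []
    # Real-time protection components switched off through policy values.
    if key == DEFENDER_RTP_POLICY and name.startswith("disable") and ev.data == "1":
        out.append(Finding("defender_rtp_disabled_by_policy", ev.process, ev.path,
                           "shared Policies key: effective whatever the writer's bitness"))
    # Tamper Protection flag cleared.
    if key == DEFENDER_FEATURES and name == "tamperprotection" and ev.data == "0":
        note = ("written to the WOW6432Node view, which the 64-bit Defender service "
                "does not read: record as an attempt" if view == "wow64"
                else "written to the native view")
        out.append(Finding("tamper_protection_off_attempt", ev.process, ev.path, note))
    # Cleanup entry an IExpress/WExtract self-extractor leaves in RunOnce.
    if key == RUNONCE and name.startswith("wextract_cleanup") and ev.data:
        m = DELNODE_RE.search(ev.data)
        if m:
            out.append(Finding("wextract_sfx_cleanup", ev.process, ev.path,
                               "extraction dir deleted at next logon: " + m.group(1)))
    return out

def run(events: List[RegEvent]) -> List[Finding]:
    return [f for ev in events for f in classify(ev)]

# Constructed from the IoCs on this page; the last event is an invented benign control.
SAMPLE_EVENTS = [
    RegEvent("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
             r"\Real-Time Protection\DisableRealtimeMonitoring", "1", "l5303987.exe"),
    RegEvent("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
             r"\Real-Time Protection\DisableBehaviorMonitoring", "1", "l5303987.exe"),
    RegEvent("Key created", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features",
             None, "l5303987.exe"),
    RegEvent("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender"
             r"\Features\TamperProtection", "0", "l5303987.exe"),
    RegEvent("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
             r"\CurrentVersion\RunOnce\wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
             "d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe"),
    RegEvent("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SetupCleanup",
             r"C:\Windows\System32\cleanmgr.exe /autoclean", "setup.exe"),
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.process[:24]:24} {f.note}")
```

The view check matters for triage: a TamperProtection write that only reaches the WOW6432Node view is an intent indicator, whereas the Policies writes are effective immediately, so the two deserve different severities in a detection rule.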
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3240 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4252 | k9566414.exe
4252 | k9566414.exe
4716 | l5303987.exe
4716 | l5303987.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4252 | k9566414.exe
Token: SeDebugPrivilege | 4716 | l5303987.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1016 | m4393452.exe

Suspicious use of WriteProcessMemory 42 IoCs
Each parent/child pair below was logged three times; the 14 distinct pairs make up the 42 IoCs.
description | pid | Process | procid_target | times logged
PID 4052 wrote to memory of 4436 | 4052 | d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe | 67 | 3
PID 4436 wrote to memory of 4252 | 4436 | y9461615.exe | 68 | 3
PID 4436 wrote to memory of 4716 | 4436 | y9461615.exe | 70 | 3
PID 4052 wrote to memory of 1016 | 4052 | d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe | 71 | 3
PID 1016 wrote to memory of 4300 | 1016 | m4393452.exe | 72 | 3
PID 4300 wrote to memory of 3240 | 4300 | oneetx.exe | 73 | 3
PID 4300 wrote to memory of 4404 | 4300 | oneetx.exe | 75 | 3
PID 4404 wrote to memory of 4408 | 4404 | cmd.exe | 77 | 3
PID 4404 wrote to memory of 4364 | 4404 | cmd.exe | 78 | 3
PID 4404 wrote to memory of 4312 | 4404 | cmd.exe | 79 | 3
PID 4404 wrote to memory of 3700 | 4404 | cmd.exe | 80 | 3
PID 4404 wrote to memory of 3692 | 4404 | cmd.exe | 81 | 3
PID 4404 wrote to memory of 4756 | 4404 | cmd.exe | 82 | 3
PID 4300 wrote to memory of 4940 | 4300 | oneetx.exe | 84 | 3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d80a447c4f3445bf7ff374a513b0d013c155af40c90dde74e07124efdb760351.exe"
    PID: 4052
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9461615.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9461615.exe
      PID: 4436
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9566414.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9566414.exe
        PID: 4252
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5303987.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5303987.exe
        PID: 4716
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4393452.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4393452.exe
      PID: 1016
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        PID: 4300
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          PID: 3240
          - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          PID: 4404
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 4408
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "oneetx.exe" /P "Admin:N"
            PID: 4364
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "oneetx.exe" /P "Admin:R" /E
            PID: 4312
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 3700
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "..\c3912af058" /P "Admin:N"
            PID: 3692
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "..\c3912af058" /P "Admin:R" /E
            PID: 4756
      [4] C:\Windows\SysWOW64\rundll32.exe
          cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
          PID: 4940
          - Loads dropped DLL
[1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    PID: 4640
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    PID: 3856
    - Executes dropped EXE

Notes on the tree: the image paths under SysWOW64 while the command lines name System32 show that the parents are 32-bit processes subject to WOW64 file system redirection. The cacls sequence first denies the Admin user all access to oneetx.exe and its directory (the piped "echo Y" answers cacls' confirmation prompt), then re-grants read only, so the logged-on user can no longer delete or overwrite the persisted copy. The two parentless oneetx.exe instances (PIDs 4640 and 3856) are consistent with the one-minute scheduled task created by PID 3240 launching them during the 142-second run.
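The persistence and self-protection chain under oneetx.exe (schtasks every minute, cacls deny-all on its own image and directory, rundll32 loading clip64.dll from Roaming) as process-creation detection rules, run over records constructed from the tree above. This is an example added to this page, not part of the sandbox report or its tooling; the ProcEvent/Finding types, the rule names and the PID 9001 control event (rundll32 loading a system DLL, which must stay quiet) are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Path fragments a standard user can write to (lower-case, backslash form).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as logged (SysWOW64 for a 32-bit parent's children)
    cmdline: str

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str
    meta: dict = field(default_factory=dict)

def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def rule_schtasks_minute(ev: ProcEvent) -> Optional[Finding]:
    """schtasks /Create on a MINUTE schedule whose action lives in a user-writable path."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    t = tokens(ev.cmdline)
    low = [x.lower() for x in t]
    opt = lambda n: t[low.index(n) + 1] if n in low and low.index(n) + 1 < len(t) else None
    if "/create" in low and (opt("/sc") or "").lower() == "minute" and user_writable(opt("/tr") or ""):
        return Finding("schtasks_minute_user_writable", ev.pid,
                       f"task {opt('/tn')} runs {opt('/tr')} every {opt('/mo') or '1'} min",
                       {"target": opt("/tr")})
    return None

def rule_cacls_deny(ev: ProcEvent) -> Optional[Finding]:
    """cacls <file> /P <user>:N replaces the ACL with deny-all for <user>; the
    'echo Y|' in the parent cmd line answers the confirmation prompt cacls raises."""
    if not ev.image.lower().endswith("\\cacls.exe"):
        return None
    t = tokens(ev.cmdline)
    low = [x.lower() for x in t]
    if "/p" in low and low.index("/p") + 1 < len(t) and t[low.index("/p") + 1].upper().endswith(":N"):
        user = t[low.index("/p") + 1].rsplit(":", 1)[0]
        return Finding("cacls_deny_all", ev.pid, f"denies {user} all access to {t[1]}", {"target": t[1]})
    return None

def rule_rundll32_profile_dll(ev: ProcEvent) -> Optional[Finding]:
    """rundll32 calling an export of a DLL stored under the user profile."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    # rundll32 takes "<dll>,<export>"; the logged line has a space after the comma.
    m = re.match(r"(.+?\.dll)\s*,\s*(\w+)", " ".join(tokens(ev.cmdline)[1:]), re.IGNORECASE)
    if m and user_writable(m.group(1)):
        return Finding("rundll32_dll_from_profile", ev.pid, f"loads {m.group(1)} export {m.group(2)}")
    return None

def rule_self_install(events: List[ProcEvent], findings: List[Finding]) -> List[Finding]:
    """Composite: a child schtasks registers a minute task for the parent's own
    image, and a cacls grandchild (via cmd) denies the user access to that image."""
    by_pid = {e.pid: e for e in events}
    out = []
    for f in findings:
        if f.rule != "schtasks_minute_user_writable":
            continue
        parent = by_pid.get(by_pid[f.pid].ppid)
        if not parent or parent.image.lower() != f.meta["target"].lower():
            continue
        base = parent.image.rsplit("\\", 1)[-1].lower()
        for g in findings:
            if g.rule == "cacls_deny_all" and g.meta["target"].lower() == base:
                cmd = by_pid.get(by_pid[g.pid].ppid)
                if cmd and cmd.ppid == parent.pid:
                    out.append(Finding("loader_self_install", parent.pid,
                                       f"{parent.image} re-runs every minute and locks its own image"))
                    break
    return out

def run(events: List[ProcEvent]) -> List[Finding]:
    findings = [f for ev in events
                for f in (rule_schtasks_minute(ev), rule_cacls_deny(ev), rule_rundll32_profile_dll(ev)) if f]
    return findings + rule_self_install(events, findings)

ONEETX = r"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
SAMPLE_EVENTS = [  # constructed from the process tree above; PID 9001 is an invented control
    ProcEvent(4300, 1016, ONEETX, f'"{ONEETX}"'),
    ProcEvent(3240, 4300, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "{ONEETX}" /F'),
    ProcEvent(4404, 4300, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit'),
    ProcEvent(4364, 4404, r"C:\Windows\SysWOW64\cacls.exe", 'CACLS "oneetx.exe" /P "Admin:N"'),
    ProcEvent(4312, 4404, r"C:\Windows\SysWOW64\cacls.exe", 'CACLS "oneetx.exe" /P "Admin:R" /E'),
    ProcEvent(3692, 4404, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\c3912af058" /P "Admin:N"'),
    ProcEvent(4940, 4300, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    ProcEvent(9001, 0, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"'),
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
```

The single-event rules each fire on their own, but the composite rule is the one worth alerting on at high severity: a process that schedules itself every minute from Temp and then locks its own image with cacls is a loader installing itself, and matching the /TR path against the parent's image keeps the rule from firing on legitimate installers that schedule some other binary.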
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists each dropped file once per path it was written to; identical entries are collapsed here with the number of listings.

Filesize: 206KB
MD5: 24048eb13dd00d4991cfc3e80d4ab0c4
SHA1: 7db156d89d183abc428fbdd86dfb4f81b3b00f74
SHA256: 358242b97ae19e223e51453f0c36199d5b053399feab42f5bb6145bdfae86617
SHA512: a4a97a91a9bee4b1d8e35428cf1439a3fdd3cf645a39c5ca3971365d74fb518da603e71e8e3c9429459739307dde94384d97166d4fea5b6fa9bf9cf7d507cf30
(listed 7 times)

Filesize: 308KB
MD5: 2239388aa1d24ffd34375cb975c7922b
SHA1: 64bfc1ddfc14d6e40ec2fd7ba9ff50fe77523437
SHA256: c2ab8925b547b3e24d043f15bef7fcee2c0964f2c687fea5269508f5deadb685
SHA512: 498e1b838bfd3e49189177e9bcd26dc6a44b09b160a4c46989ec3f7bf47e9d4f35ffa190f2ab9d3775e79f1a869c8dcc7a02ab4f7c683dc1cc8b62cb4bfd73bb
(listed 2 times)

Filesize: 168KB
MD5: 9184e9a7c538a8c3b45ce0a0d53f8be6
SHA1: 5ffed6eaca6f16d17b998d40855c0133d3179ab7
SHA256: 17bb22ba448f04caf0e40e9df89af91247e89363046c2d204ce45c3e040d51c8
SHA512: 5def5f3f113c2216763164c2619073b15d8f64620747d9b1fb86af519945b33b43259c9fabc67840f32e8bd7f28deffd7f906708d4f4039f908471bdb42419b8
(listed 2 times)

Filesize: 179KB
MD5: 7b74e17d806cc2aa15887a6e2155930f
SHA1: 713263bbb8d1fd90fd6ee07434bcea8e3966338e
SHA256: dcbaa6c48ccd123008490ed78c08fa211bb76eb57cf3089bafa2845038e6a5ab
SHA512: 86fd23204ee0ec33994d7de93fbcb36ab66dc03772e53d4f228e5611083e0c3dc0d49f173541436b0caec62c21dd1d297d89a9fa4bcce93a37406922d5569e21
(listed 2 times)

Filesize: 89KB
MD5: 8451a2c5daa42b25333b1b2089c5ea39
SHA1: 700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256: b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA512: 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
(listed 3 times)

Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
(listed 1 time)