Analysis
-
max time kernel
80s -
max time network
85s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 18:35
General
-
Target
84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528.exe
-
Size
567KB
-
MD5
caa24946e46c1081c0fe16f83787f9bc
-
SHA1
9a905dd4b2c1adb5b3e8e7c772a3e372dee580ce
-
SHA256
84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528
-
SHA512
ad291415ac63969ab261d04d312d6a4801dec49ab7bddd416aedd0f8bf8f7fc10d07ea0eb105c9aa828fab5c247be5619c720f8a7a86680cf472eccbe89c2f69
-
SSDEEP
12288:ZMrqy90NBltD/Bmn/HvgY0pIUQu5HdEJYLcMy/jvl:nyG/rBUvvbvUQkEoS7vl
Malware Config
Extracted
redline
darm
217.196.96.56:4138
-
auth_value
d88ac8ccc04ab9979b04b46313db1648
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 25 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528.exe"C:\Users\Admin\AppData\Local\Temp\84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2352967.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2352967.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3408913.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3408913.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4682659.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4682659.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9355492.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9355492.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 7003⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 7443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 8603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 9523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 9883⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 9603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 12643⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 12923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 13603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 13883⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 6924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 8684⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 9324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 9804⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 10764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 9244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 9244⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 9724⤵
- Program crash
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 8764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 7684⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 13044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 12764⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1324⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 6924⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 13483⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 968 -ip 9681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1044 -ip 10441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1044 -ip 10441⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
271KB
MD581779ab246d3928416b9058a498f3ed7
SHA11accd4ee0f83c438f2f3a3617ceb987362f950ec
SHA2561b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96
SHA5123b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac
-
Filesize
271KB
MD581779ab246d3928416b9058a498f3ed7
SHA11accd4ee0f83c438f2f3a3617ceb987362f950ec
SHA2561b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96
SHA5123b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac
-
Filesize
307KB
MD59c5dfc30a5bee2d08408ce5a877b188f
SHA1addc263d11eafb773badf65439996a3e209134b5
SHA256cf6e1bd597f35d5aef86cc913c1728a5e2c29f8555c16a882e78a57037fe656d
SHA512b2c5edc7c2750a0691e73ad4ee29ac38ea3dba44f1ac95387a81807b3222123f58bb5b8a36454d45b8a36afe3eeb0356866d196e0bb1fdd53a6afc4a8de65fc7
-
Filesize
307KB
MD59c5dfc30a5bee2d08408ce5a877b188f
SHA1addc263d11eafb773badf65439996a3e209134b5
SHA256cf6e1bd597f35d5aef86cc913c1728a5e2c29f8555c16a882e78a57037fe656d
SHA512b2c5edc7c2750a0691e73ad4ee29ac38ea3dba44f1ac95387a81807b3222123f58bb5b8a36454d45b8a36afe3eeb0356866d196e0bb1fdd53a6afc4a8de65fc7
-
Filesize
168KB
MD59c4f06d6587126a5fcad06153c9549d2
SHA13ecc868d213a41cdf44d4a5e4250d9bf0a927207
SHA256c7c3e0d1362999dcd37073cfe762ba2798de5e69f95e617ffdfd50609ad1447f
SHA5126cbca46912e7bfa25d19ec236d185188619f2c76cc5f7babebb86b0948c30fc6722a736e265e02de250dbfa6404c5a5c7d0e42ed721dd694506700498f77f528
-
Filesize
168KB
MD59c4f06d6587126a5fcad06153c9549d2
SHA13ecc868d213a41cdf44d4a5e4250d9bf0a927207
SHA256c7c3e0d1362999dcd37073cfe762ba2798de5e69f95e617ffdfd50609ad1447f
SHA5126cbca46912e7bfa25d19ec236d185188619f2c76cc5f7babebb86b0948c30fc6722a736e265e02de250dbfa6404c5a5c7d0e42ed721dd694506700498f77f528
-
Filesize
177KB
MD51e979260a87ef5139028cbf5529f71c4
SHA1cc7028974c9c709c8e20b9568e3602a58eca1125
SHA256c586f1eb20eda195e27deb055c3602f04b441461cf33f1e87df0fdfa26feb1b2
SHA512eaace329002afdf1908f5f881577ae53038e4b300f474d1a205d76d0c2259b5e6ea56a0c7c66a2bf7972156708aab38d284c71b2cb89daa58735d3fb961e3a1f
-
Filesize
177KB
MD51e979260a87ef5139028cbf5529f71c4
SHA1cc7028974c9c709c8e20b9568e3602a58eca1125
SHA256c586f1eb20eda195e27deb055c3602f04b441461cf33f1e87df0fdfa26feb1b2
SHA512eaace329002afdf1908f5f881577ae53038e4b300f474d1a205d76d0c2259b5e6ea56a0c7c66a2bf7972156708aab38d284c71b2cb89daa58735d3fb961e3a1f
-
Filesize
271KB
MD581779ab246d3928416b9058a498f3ed7
SHA11accd4ee0f83c438f2f3a3617ceb987362f950ec
SHA2561b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96
SHA5123b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac
-
Filesize
271KB
MD581779ab246d3928416b9058a498f3ed7
SHA11accd4ee0f83c438f2f3a3617ceb987362f950ec
SHA2561b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96
SHA5123b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac
-
Filesize
271KB
MD581779ab246d3928416b9058a498f3ed7
SHA11accd4ee0f83c438f2f3a3617ceb987362f950ec
SHA2561b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96
SHA5123b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac
-
Filesize
212KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
6.1MB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
192KB