Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 20:23
General
-
Target
ee4e1544ecd60db08be50cb3d400ba1a79391dfe70b49b7082334b52983786b5.exe
-
Size
1.1MB
-
MD5
439e66c47ee1fc2e5fe28c8c06d46fab
-
SHA1
381152f4cdf622ba8de9142aa9a4735cc0863a21
-
SHA256
ee4e1544ecd60db08be50cb3d400ba1a79391dfe70b49b7082334b52983786b5
-
SHA512
93d62d4a3c6303669ffbaa76158bbb73d6b0d958977d929ee6581f8523b34bc3e52fe679bcaf0c89f1173a73e365e8f149bd14fca00953e7e85ca982bec73ee2
-
SSDEEP
24576:MyQMsIY1vs33YEgrUMPj5OpaYzhxrXhCslPGi3vK5Bvh:7QzZslgrbspaMxrRR3vKj
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee4e1544ecd60db08be50cb3d400ba1a79391dfe70b49b7082334b52983786b5.exe"C:\Users\Admin\AppData\Local\Temp\ee4e1544ecd60db08be50cb3d400ba1a79391dfe70b49b7082334b52983786b5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jp694541.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jp694541.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hg626204.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hg626204.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zH350800.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zH350800.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\122718550.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\122718550.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282926300.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282926300.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\380700785.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\380700785.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\444050236.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\444050236.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
939KB
MD58f4b4bda69692d285a84c8208e7865c3
SHA1b8fdc7d9b1093b561c80690269d23e44a947170e
SHA25650685a3a52295d9f5bb7ca162963fb7c09e71280fbeeeb5b2b585584ca27b34c
SHA512cef3ad4954d59ea4df448f5f97690749cc485cf29eae70f463123372ee9c2011d68c61fd93b29defcd9fb65353ce441328077d1d3c61ce41021fcc8775ca8529
-
Filesize
939KB
MD58f4b4bda69692d285a84c8208e7865c3
SHA1b8fdc7d9b1093b561c80690269d23e44a947170e
SHA25650685a3a52295d9f5bb7ca162963fb7c09e71280fbeeeb5b2b585584ca27b34c
SHA512cef3ad4954d59ea4df448f5f97690749cc485cf29eae70f463123372ee9c2011d68c61fd93b29defcd9fb65353ce441328077d1d3c61ce41021fcc8775ca8529
-
Filesize
341KB
MD547ba46dc83084b0ce15fa10cee2f3efd
SHA1d14895f5d0c4fb8546fb526be8f231759c4f9a80
SHA256411169afcf1a3c7ee94658cf7a4f0cd7394cb419316bdcd7f93c2d90004b1d48
SHA5125474cc6f9910341358de8052722a2bb5ca508a4ccc154ee780cbfec545f45b36d799b77abbfc5c7df74422c1177149ee29ce0612935ce3a890707fd4504ef1ed
-
Filesize
341KB
MD547ba46dc83084b0ce15fa10cee2f3efd
SHA1d14895f5d0c4fb8546fb526be8f231759c4f9a80
SHA256411169afcf1a3c7ee94658cf7a4f0cd7394cb419316bdcd7f93c2d90004b1d48
SHA5125474cc6f9910341358de8052722a2bb5ca508a4ccc154ee780cbfec545f45b36d799b77abbfc5c7df74422c1177149ee29ce0612935ce3a890707fd4504ef1ed
-
Filesize
586KB
MD5bbac3299abdaf8fbc75f64c1786e99cd
SHA13e1244e7cb3302cae2fc7a03fd69f19e935527d7
SHA256c577cd9aa15ec53351d7b8f79f01ce0fd80b332920394098a72769eb3807bf43
SHA51248b086e11affb9817f281ff9d20253da72f759275cba954f607a2a8ab98ca6970a30810deb4ef293f15b4e78c8c4df4a67116d20eb7324835ce0504d438e3aae
-
Filesize
586KB
MD5bbac3299abdaf8fbc75f64c1786e99cd
SHA13e1244e7cb3302cae2fc7a03fd69f19e935527d7
SHA256c577cd9aa15ec53351d7b8f79f01ce0fd80b332920394098a72769eb3807bf43
SHA51248b086e11affb9817f281ff9d20253da72f759275cba954f607a2a8ab98ca6970a30810deb4ef293f15b4e78c8c4df4a67116d20eb7324835ce0504d438e3aae
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
414KB
MD527e1923ad9b94a144fedca270dc06aa8
SHA11de17d3ed0d7aed7aa78a51492b3c697878224be
SHA256233a8752823b78cc6820b9c3777af10a396829f5e9d52d165f816a3ba8a775b7
SHA5127f9201f748709dd4fdb557c1c5b6fea5a5f3f1ed091c27c1301d43588116972e65ac79a6de2f6e30a9ec53ca5930de50fd0743546150a24e120b07342166d4bf
-
Filesize
414KB
MD527e1923ad9b94a144fedca270dc06aa8
SHA11de17d3ed0d7aed7aa78a51492b3c697878224be
SHA256233a8752823b78cc6820b9c3777af10a396829f5e9d52d165f816a3ba8a775b7
SHA5127f9201f748709dd4fdb557c1c5b6fea5a5f3f1ed091c27c1301d43588116972e65ac79a6de2f6e30a9ec53ca5930de50fd0743546150a24e120b07342166d4bf
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
259KB
MD539689e78850659e0fdca5150fbe38944
SHA1998a1e7efba9849591bedc4d3293cefa01cb1a65
SHA256df2d6f039588107ad39adc67553742d3887f1d602b413fd8e66424810c9ec91a
SHA5125786bbade8d55bf681201f588d31f6de0209b26081de316780ccab0c4e81d6d71e0fb407814856d9e29788cccf356a91f0bfd2dc274d3c40c5ff0d68bb778769
-
Filesize
259KB
MD539689e78850659e0fdca5150fbe38944
SHA1998a1e7efba9849591bedc4d3293cefa01cb1a65
SHA256df2d6f039588107ad39adc67553742d3887f1d602b413fd8e66424810c9ec91a
SHA5125786bbade8d55bf681201f588d31f6de0209b26081de316780ccab0c4e81d6d71e0fb407814856d9e29788cccf356a91f0bfd2dc274d3c40c5ff0d68bb778769
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
76KB
-
Filesize
5.6MB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
340KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
340KB
-
Filesize
180KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
212KB