Analysis
-
max time kernel
183s -
max time network
197s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05-05-2023 19:41
General
-
Target
cebbfd95d0b5662b4b748607f7c6343b1d8d816bcdb14446945cb89477f0151b.exe
-
Size
589KB
-
MD5
76a5e0b34f24d21e1137091e26826383
-
SHA1
f385617206c6cbca3e167fbf4ecd53745b248a2f
-
SHA256
cebbfd95d0b5662b4b748607f7c6343b1d8d816bcdb14446945cb89477f0151b
-
SHA512
6a84ab893e8830b52272722086fa11d47cf29c5f01b4858e7e368f2ce63e4d6e9067a7159cdf8796cf4157f19f6547a4ad77e7c5904b014cc8f2981cc205a7cc
-
SSDEEP
12288:EMryYy90d7rfuIF3bqrGg1hSNhQv7/kgxQiBdG7QF:HyouIF3bEJSNh8Dkgx3GkF
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cebbfd95d0b5662b4b748607f7c6343b1d8d816bcdb14446945cb89477f0151b.exe"C:\Users\Admin\AppData\Local\Temp\cebbfd95d0b5662b4b748607f7c6343b1d8d816bcdb14446945cb89477f0151b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7762734.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7762734.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8581137.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8581137.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3298922.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3298922.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 10284⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9675613.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9675613.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 224 -ip 2241⤵
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD576b3609bc2a84e22be145b88369afcd4
SHA1ff99f54d7bcc78fad8b869d5b4b050129d8c3dce
SHA256af85f0277d61ccde81175dc200a3eaf359b0c3779ef5fe86efb1d60b131044fe
SHA5127ae49064e15f702e8f48bd646e2c7a89a8eb53c1fc2c315a12f2b0fafbc84ccc757a94b17c12f206ca300eb1c62077cbf6b3950966577113e49cee630b20773c
-
Filesize
204KB
MD576b3609bc2a84e22be145b88369afcd4
SHA1ff99f54d7bcc78fad8b869d5b4b050129d8c3dce
SHA256af85f0277d61ccde81175dc200a3eaf359b0c3779ef5fe86efb1d60b131044fe
SHA5127ae49064e15f702e8f48bd646e2c7a89a8eb53c1fc2c315a12f2b0fafbc84ccc757a94b17c12f206ca300eb1c62077cbf6b3950966577113e49cee630b20773c
-
Filesize
417KB
MD5a646c942f31d612c12f8f960d1815eb3
SHA1c99d5f3322795f1eac918d928516b17ba661ec34
SHA25604957d50881dd6e6491f8eabcb20a91988c96bcbfbd9fe25fb4ae667a31faeea
SHA5121ecd164cf37364e548532ddaaddebbca83801c2deca3b9761041f0578a3f079254f254e3b1be29cf1f3e3f12cfd7a3a34b220bee413a08eef724720d0b77594b
-
Filesize
417KB
MD5a646c942f31d612c12f8f960d1815eb3
SHA1c99d5f3322795f1eac918d928516b17ba661ec34
SHA25604957d50881dd6e6491f8eabcb20a91988c96bcbfbd9fe25fb4ae667a31faeea
SHA5121ecd164cf37364e548532ddaaddebbca83801c2deca3b9761041f0578a3f079254f254e3b1be29cf1f3e3f12cfd7a3a34b220bee413a08eef724720d0b77594b
-
Filesize
136KB
MD53de7a76163967032000b56d0d7cfcbd9
SHA1303abc7cadac15e99dafcd368958e7fee406ebe0
SHA256f0dadbabd4bc1027738c15cf0709347b3ddf7dfe546eaf63188835e5fec72e53
SHA5129b07250fe5ef4224a93fd590a404835fb7ef3f9fb7a2a2986384f9860748aad3cee5ca38b9073f8328db7216f8eb27fc3c578f71833a652dfafcbf783f07c504
-
Filesize
136KB
MD53de7a76163967032000b56d0d7cfcbd9
SHA1303abc7cadac15e99dafcd368958e7fee406ebe0
SHA256f0dadbabd4bc1027738c15cf0709347b3ddf7dfe546eaf63188835e5fec72e53
SHA5129b07250fe5ef4224a93fd590a404835fb7ef3f9fb7a2a2986384f9860748aad3cee5ca38b9073f8328db7216f8eb27fc3c578f71833a652dfafcbf783f07c504
-
Filesize
361KB
MD54a0c719c9cccb4e113b538932d6b0660
SHA1834125f0e3739e571dbb432fc4d144161fb03357
SHA25682f2cb8702347c7697a3ccf360ce2f9cb3037ce4421003838a32f29c9361f697
SHA512b9790e01ccfc005ff2523fe0de171e4b43b9cdf6e3dcbbebb079ee3a4a9970eee77331a8bd9407098375112dde30ab40c5f9f43a6e7ae1f9afdb9001beebcf50
-
Filesize
361KB
MD54a0c719c9cccb4e113b538932d6b0660
SHA1834125f0e3739e571dbb432fc4d144161fb03357
SHA25682f2cb8702347c7697a3ccf360ce2f9cb3037ce4421003838a32f29c9361f697
SHA512b9790e01ccfc005ff2523fe0de171e4b43b9cdf6e3dcbbebb079ee3a4a9970eee77331a8bd9407098375112dde30ab40c5f9f43a6e7ae1f9afdb9001beebcf50
-
Filesize
204KB
MD576b3609bc2a84e22be145b88369afcd4
SHA1ff99f54d7bcc78fad8b869d5b4b050129d8c3dce
SHA256af85f0277d61ccde81175dc200a3eaf359b0c3779ef5fe86efb1d60b131044fe
SHA5127ae49064e15f702e8f48bd646e2c7a89a8eb53c1fc2c315a12f2b0fafbc84ccc757a94b17c12f206ca300eb1c62077cbf6b3950966577113e49cee630b20773c
-
Filesize
204KB
MD576b3609bc2a84e22be145b88369afcd4
SHA1ff99f54d7bcc78fad8b869d5b4b050129d8c3dce
SHA256af85f0277d61ccde81175dc200a3eaf359b0c3779ef5fe86efb1d60b131044fe
SHA5127ae49064e15f702e8f48bd646e2c7a89a8eb53c1fc2c315a12f2b0fafbc84ccc757a94b17c12f206ca300eb1c62077cbf6b3950966577113e49cee630b20773c
-
Filesize
204KB
MD576b3609bc2a84e22be145b88369afcd4
SHA1ff99f54d7bcc78fad8b869d5b4b050129d8c3dce
SHA256af85f0277d61ccde81175dc200a3eaf359b0c3779ef5fe86efb1d60b131044fe
SHA5127ae49064e15f702e8f48bd646e2c7a89a8eb53c1fc2c315a12f2b0fafbc84ccc757a94b17c12f206ca300eb1c62077cbf6b3950966577113e49cee630b20773c
-
Filesize
204KB
MD576b3609bc2a84e22be145b88369afcd4
SHA1ff99f54d7bcc78fad8b869d5b4b050129d8c3dce
SHA256af85f0277d61ccde81175dc200a3eaf359b0c3779ef5fe86efb1d60b131044fe
SHA5127ae49064e15f702e8f48bd646e2c7a89a8eb53c1fc2c315a12f2b0fafbc84ccc757a94b17c12f206ca300eb1c62077cbf6b3950966577113e49cee630b20773c
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
3.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
160KB