Analysis
-
max time kernel
176s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 19:46
General
-
Target
d154b465ff49e669d7c342fc96e7171ace0e8e60474396c2a95d9b7c0e2796cd.exe
-
Size
600KB
-
MD5
a131d912aa23dbca0550b79c14fc4c02
-
SHA1
13ac473d01488beb961a08dee11234f6d32789f1
-
SHA256
d154b465ff49e669d7c342fc96e7171ace0e8e60474396c2a95d9b7c0e2796cd
-
SHA512
a3559eee7b1d4872432efbd99c04f604262ed18c66bb770435d49f89acde82156dc40886839e219d72753552825d265cac5a5d176893184de76d0d7702b8518e
-
SSDEEP
12288:xMrDy90bKKbISpcfLNYWu1LzhzZ3G3i7eD:CyebISpcjMLzh8SSD
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d154b465ff49e669d7c342fc96e7171ace0e8e60474396c2a95d9b7c0e2796cd.exe"C:\Users\Admin\AppData\Local\Temp\d154b465ff49e669d7c342fc96e7171ace0e8e60474396c2a95d9b7c0e2796cd.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1629376.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1629376.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4227334.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4227334.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7376414.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7376414.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4774027.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4774027.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4774027.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4774027.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E7⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
308KB
MD52e177563ad1fab3ad302011ba579fb76
SHA12da9689b38f76cb6b74fb6c78c050791a87b91be
SHA25696e3dd619840224491bf7c325e644d461b8b31e554a557ba0c715ca37f67531b
SHA51284659b3a341946fd3320c85317cad8504a9e5f98a035354242ded7dc481ad53fb2083d633530f169ce30cb28ecf86af094ca3c2c996f51e870e6b2c3c094ff76
-
Filesize
308KB
MD52e177563ad1fab3ad302011ba579fb76
SHA12da9689b38f76cb6b74fb6c78c050791a87b91be
SHA25696e3dd619840224491bf7c325e644d461b8b31e554a557ba0c715ca37f67531b
SHA51284659b3a341946fd3320c85317cad8504a9e5f98a035354242ded7dc481ad53fb2083d633530f169ce30cb28ecf86af094ca3c2c996f51e870e6b2c3c094ff76
-
Filesize
136KB
MD50bd5a397fc4468b45a670a80b8fc86ab
SHA1ff5f25a71a9ecd612006cf9f4d110cfc3424a096
SHA2569c3577e6ba5daae34229bcefff18e53ff6f89233b335efb75c1a2f64ff0f819b
SHA512cd3f11a89d2c1c9f6a77932b747c84d8ef0cbd78777de0ce8e7557f99c3c701001a62aa546f1c88d11600e54b13146bb643831ad82f6cf5d7d5655e2bf725645
-
Filesize
136KB
MD50bd5a397fc4468b45a670a80b8fc86ab
SHA1ff5f25a71a9ecd612006cf9f4d110cfc3424a096
SHA2569c3577e6ba5daae34229bcefff18e53ff6f89233b335efb75c1a2f64ff0f819b
SHA512cd3f11a89d2c1c9f6a77932b747c84d8ef0cbd78777de0ce8e7557f99c3c701001a62aa546f1c88d11600e54b13146bb643831ad82f6cf5d7d5655e2bf725645
-
Filesize
175KB
MD5a185d5b3de57dbf8e6fe0e3b96b424c9
SHA14ccc2c30689de58084656436001c2e62e83238de
SHA256658035f7c0d43fdef7d6b7944a088015bec4e78540c534785db69b58974248f3
SHA512a608ec7d8d7720c884957feaa1214801786d616173a0e23bd379e4f6103d33acc6150d2f6dd4a756036bf76c082855e2b5438683b8a9a27b180c5bcfed562fcd
-
Filesize
175KB
MD5a185d5b3de57dbf8e6fe0e3b96b424c9
SHA14ccc2c30689de58084656436001c2e62e83238de
SHA256658035f7c0d43fdef7d6b7944a088015bec4e78540c534785db69b58974248f3
SHA512a608ec7d8d7720c884957feaa1214801786d616173a0e23bd379e4f6103d33acc6150d2f6dd4a756036bf76c082855e2b5438683b8a9a27b180c5bcfed562fcd
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
340KB
MD57f1e80efbe744ca8a1170d3f539cff8a
SHA102f4e19b77b15676d1b5861290d4af819234e1be
SHA256935cfaf2ab3850b6942cddbb9691a373b4ca5e3945ab394125d92e8f94214df4
SHA512d334d59d058c4d51f69794db21e38bede7b0b0c487ab8487d65b94af50e9396c2612f99cdbd80ec9f3f7c766b9800d3ab44ff52346283f760237922f641481db
-
Filesize
212KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
6.1MB
-
Filesize
160KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
1.8MB