Analysis
-
max time kernel
158s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 20:12
General
-
Target
e5d43050d1dac61024c13c3894fc4b701358001c6ac958d00855acfda6334514.exe
-
Size
1.1MB
-
MD5
6f6ee19e223eca6bb3cb7d7f905a28e0
-
SHA1
9e573e920fc45223c4ba16ade66a63be646dd9fe
-
SHA256
e5d43050d1dac61024c13c3894fc4b701358001c6ac958d00855acfda6334514
-
SHA512
0c3043a0644f39c79ffa1cad6c4a74762b94174d8e76cfe5483822881e865b84c9c9342110411e0fe2f1e301cda474e2518a687e26cd5e69bcf8ed64ec771379
-
SSDEEP
24576:xy7mop6Ku10XbnQ9t1ZqhUbZfJoZKJlkL+2qPjJ:kSo6j10rnQ9tehUJoEoL+Jj
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5d43050d1dac61024c13c3894fc4b701358001c6ac958d00855acfda6334514.exe"C:\Users\Admin\AppData\Local\Temp\e5d43050d1dac61024c13c3894fc4b701358001c6ac958d00855acfda6334514.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH789126.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH789126.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uF595918.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uF595918.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wx240121.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wx240121.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129375202.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129375202.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\296742778.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\296742778.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 10806⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\394267077.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\394267077.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\431346924.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\431346924.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1868 -ip 18681⤵
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
939KB
MD573194cbe49435acfa5add7a0a34efaeb
SHA14d49797f5d7aa7a206f564142e76983d22c65883
SHA256342ecafece034325e0b8b17c8ac2f50660dbd4399a283ac051597d4f5bd780ba
SHA512bbe2f7e06901f11e2ef2904fe229ea3d53d5b357f3e9d9bf7cedc97bd10138f156805aace7bae8715b2303a6799617a4b8efcbf680534f5ca89d7e3a39a601cb
-
Filesize
939KB
MD573194cbe49435acfa5add7a0a34efaeb
SHA14d49797f5d7aa7a206f564142e76983d22c65883
SHA256342ecafece034325e0b8b17c8ac2f50660dbd4399a283ac051597d4f5bd780ba
SHA512bbe2f7e06901f11e2ef2904fe229ea3d53d5b357f3e9d9bf7cedc97bd10138f156805aace7bae8715b2303a6799617a4b8efcbf680534f5ca89d7e3a39a601cb
-
Filesize
341KB
MD550d3c58ca26d3223cb14096df5565fea
SHA10d1cb2480ea48f7832c30f89683fd60ee20daac5
SHA256b5d4188be6e807828f628fe2eb1df1e6fe62789da4e98ef679cb0eb08cad89af
SHA512ff2751f79c8136a9823a37c8f10002fa83f48ffb84ff8f3bf702455989eff6099b32d378e795788bb65547bcdeaa2f03cb153deec937b02526a57d1d0aadbc0e
-
Filesize
341KB
MD550d3c58ca26d3223cb14096df5565fea
SHA10d1cb2480ea48f7832c30f89683fd60ee20daac5
SHA256b5d4188be6e807828f628fe2eb1df1e6fe62789da4e98ef679cb0eb08cad89af
SHA512ff2751f79c8136a9823a37c8f10002fa83f48ffb84ff8f3bf702455989eff6099b32d378e795788bb65547bcdeaa2f03cb153deec937b02526a57d1d0aadbc0e
-
Filesize
585KB
MD56dfc088b625a4c1731aa8ed1ff6437c9
SHA10cf55aa8e4f15e6f665106ffad003db85af8e33f
SHA2560f852a04a78b8d173c87731c8c73df1d8e149897435907213596d31f88eea1dc
SHA5126edbec354cc66414fc55a1e59bcbc6dae9679b3a228d586ba447381361c206c478695ea2063fe9c195829b8fc7b559a91d3ec33f032bab4618a14d78a6d4740b
-
Filesize
585KB
MD56dfc088b625a4c1731aa8ed1ff6437c9
SHA10cf55aa8e4f15e6f665106ffad003db85af8e33f
SHA2560f852a04a78b8d173c87731c8c73df1d8e149897435907213596d31f88eea1dc
SHA5126edbec354cc66414fc55a1e59bcbc6dae9679b3a228d586ba447381361c206c478695ea2063fe9c195829b8fc7b559a91d3ec33f032bab4618a14d78a6d4740b
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
414KB
MD5af57737cab459048a2e3c660bf6bbd58
SHA12fef2f01ab2a2ccd642f6731ed55ef228efab1de
SHA2566cff22dd186a944915a63bbf6da6fb6aa1e87fca63b08fed7a89e619c9e77493
SHA51218824ab88b1df33e17cfc217889f9deb7a91e24f177dcb5d79033a8c02994646b506b501666e2631dd8374ab6b24c34aa8d6cd53018d561eeb195b09d49acc08
-
Filesize
414KB
MD5af57737cab459048a2e3c660bf6bbd58
SHA12fef2f01ab2a2ccd642f6731ed55ef228efab1de
SHA2566cff22dd186a944915a63bbf6da6fb6aa1e87fca63b08fed7a89e619c9e77493
SHA51218824ab88b1df33e17cfc217889f9deb7a91e24f177dcb5d79033a8c02994646b506b501666e2631dd8374ab6b24c34aa8d6cd53018d561eeb195b09d49acc08
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
259KB
MD57445af9f28acf33cfcbc5b3b510bc677
SHA1dd98ad6a7c55ee2e119bc4de7daf9fcd7e536930
SHA2565ce4bd05ceba902e5b5b753a85b75989e19d97ed179906ed2dad4c2940162d5b
SHA512e72dcaa21efd58fed3d04df54d520975f8d320d4daa6ff854c1772eb5d19421a68c3e1eca9d765c5784122a9da33320404d02cbe2e370a29da6ae2c5cdca56c0
-
Filesize
259KB
MD57445af9f28acf33cfcbc5b3b510bc677
SHA1dd98ad6a7c55ee2e119bc4de7daf9fcd7e536930
SHA2565ce4bd05ceba902e5b5b753a85b75989e19d97ed179906ed2dad4c2940162d5b
SHA512e72dcaa21efd58fed3d04df54d520975f8d320d4daa6ff854c1772eb5d19421a68c3e1eca9d765c5784122a9da33320404d02cbe2e370a29da6ae2c5cdca56c0
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
340KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
340KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB