Analysis
-
max time kernel
134s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 20:32
General
-
Target
f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe
-
Size
588KB
-
MD5
b07769cdb2ed1a7ef4198c6a67e4a098
-
SHA1
afe54741458db73f2fbf8f86cc697c66b3342aba
-
SHA256
f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176
-
SHA512
94da07dc6bf851df2bb3faa7e97a358c61d2fdf668fc9fec20f2826debc29ad42d7029be0a5e747e5480661a2d672e13d680c759499acdb2e732c1b116d3ce91
-
SSDEEP
12288:GMrzy905ECPeCtcZQkBwi+FhVpqZlfhv4mAmjzjMvnS1ttJWig51:dyImGtUwiOyZlfh6azAAttciI1
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe"C:\Users\Admin\AppData\Local\Temp\f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8506395.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8506395.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0589159.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0589159.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5702663.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5702663.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 10804⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6233116.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6233116.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4724 -ip 47241⤵
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
416KB
MD504e21e2372026fac4e40361c835145da
SHA1e479a4f6ec39bfc022b0669995e114f57d873e8a
SHA256bb6178b482db8cc54defcbdcd1d92d5c8b4ca579b67a729e6a09999a07a3f678
SHA512996bf73d64bf7bebd42e7023bda4acb17047eb6561a6a945d4bc2d533c4e87fbac7103820fb73e18e102ba7f5d921829321d142f9d0969c38baed24ab00d6c08
-
Filesize
416KB
MD504e21e2372026fac4e40361c835145da
SHA1e479a4f6ec39bfc022b0669995e114f57d873e8a
SHA256bb6178b482db8cc54defcbdcd1d92d5c8b4ca579b67a729e6a09999a07a3f678
SHA512996bf73d64bf7bebd42e7023bda4acb17047eb6561a6a945d4bc2d533c4e87fbac7103820fb73e18e102ba7f5d921829321d142f9d0969c38baed24ab00d6c08
-
Filesize
136KB
MD51f9c251cec0adb0069d055d5b92838d8
SHA1275e8df0248424d4fb9c7821ec7faea1fabfd335
SHA2564229a082666be90a392bbe2225b58b2f66c6df83a338248c0f0394da3c616047
SHA51233ce32e0cd51dcf6ce7b5a38c0019da40a31303d61e2158d983a8a8b44391f77efb527b48a299c13cff960c6503d0d737ca693c1f56a48a705ce340fb808f120
-
Filesize
136KB
MD51f9c251cec0adb0069d055d5b92838d8
SHA1275e8df0248424d4fb9c7821ec7faea1fabfd335
SHA2564229a082666be90a392bbe2225b58b2f66c6df83a338248c0f0394da3c616047
SHA51233ce32e0cd51dcf6ce7b5a38c0019da40a31303d61e2158d983a8a8b44391f77efb527b48a299c13cff960c6503d0d737ca693c1f56a48a705ce340fb808f120
-
Filesize
361KB
MD52abfe19c2b2399aee75e74fde3f24b69
SHA1081f9857b6986cad726557d22910440f99bbdb20
SHA256dbc05b59855d958bcee452577bf4b541997ae0c634556c387279a5cf494cf6c9
SHA5126378ce73bafec8dc7d9e7512271e4cf4652ae89fac1ee96ae1218be6a5c7b54202a12453540ad858e9692fe22fe86fee42710a269718df8cc9e5a3176ebb44cc
-
Filesize
361KB
MD52abfe19c2b2399aee75e74fde3f24b69
SHA1081f9857b6986cad726557d22910440f99bbdb20
SHA256dbc05b59855d958bcee452577bf4b541997ae0c634556c387279a5cf494cf6c9
SHA5126378ce73bafec8dc7d9e7512271e4cf4652ae89fac1ee96ae1218be6a5c7b54202a12453540ad858e9692fe22fe86fee42710a269718df8cc9e5a3176ebb44cc
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
3.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
160KB