Analysis
max time kernel: 159s
max time network: 187s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2023 21:26
Static task: static1
Behavioral task: behavioral1
  Sample: 3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe
  Resource: win10v2004-20230220-en
General
Target: 3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe
Size: 1.2MB
MD5: 6b29a4b6df5eb60bf54bce134a090aa0
SHA1: ee8f0d9cc1cdf5971c42831ad2206f33b16d783a
SHA256: 3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8
SHA512: 8303dfc2b776e6dc4db516bb6a5eee4cac44a404209ac9bf4b388a16ef6f1aaa64ed46fd5b44594fa3179ba64412f49074e7b2dc605172bb900d3e2688696835
SSDEEP: 24576:JyYfnTO7SvWBewl1xLGnGyPEBIdux90/ZvB3djNGTgRsW:8uO7jBjPxCnNdub0/ZJNpGTg
Malware Config
Extracted
  Family: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07
Extracted
  Family: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (6 IoCs)
  pid   process
  928   z48370327.exe
  600   z42371639.exe
  580   z22747891.exe
  2032  s84668130.exe
  1736  1.exe
  2044  t35480007.exe
Loads dropped DLL (13 IoCs)
  pid   process                                                                   occurrences
  1228  3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe     1
  928   z48370327.exe                                                             2
  600   z42371639.exe                                                             2
  580   z22747891.exe                                                             4
  2032  s84668130.exe                                                             2
  1736  1.exe                                                                     1
  2044  t35480007.exe                                                             1
Adds Run key to start application (2 TTPs, 8 IoCs)
  description      ioc                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                     z48370327.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  z48370327.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                     z42371639.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  z42371639.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                     z22747891.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  z22747891.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                     3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2032  s84668130.exe
Suspicious use of WriteProcessMemory (42 IoCs; each row below was recorded 7 times)
  description                       pid   process                                                                   procid_target
  PID 1228 wrote to memory of 928   1228  3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe     27
  PID 928 wrote to memory of 600    928   z48370327.exe                                                             28
  PID 600 wrote to memory of 580    600   z42371639.exe                                                             29
  PID 580 wrote to memory of 2032   580   z22747891.exe                                                             30
  PID 2032 wrote to memory of 1736  2032  s84668130.exe                                                             31
  PID 580 wrote to memory of 2044   580   z22747891.exe                                                             32
Processes
[1] C:\Users\Admin\AppData\Local\Temp\3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3bf87e0987881066992121cd968a82450f938b5c5f9dbaed06efddc80c49f0e8.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1228
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z48370327.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z48370327.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 928
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z42371639.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z42371639.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 600
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z22747891.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z22747891.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 580
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s84668130.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s84668130.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2032
          [6] C:\Windows\Temp\1.exe
              command line: "C:\Windows\Temp\1.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1736
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t35480007.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t35480007.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2044
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.0MB
  MD5: c9442ab551c0dd66235bc4b1cf7066e3
  SHA1: bdeaec220a192d9856b87e93dfea5da9fa48a4f3
  SHA256: 493d5f92e8fe1c773423e943486f79842a9f56e05e2a74d18780e0cef0313015
  SHA512: 3c89bdbd88fcfe7868bd98f1398875ee266537344f4cd9e9ac2a7d38be7bf02c30d8aa159435aed514c8f165085395a98122efacc28d6e840f726b587491e934
Filesize: 761KB
  MD5: d12c123b931c648fb43367b6d63c8b9f
  SHA1: 981927d0d12a5945977e50f37210cbe5160cbc58
  SHA256: e4d02d44edf861f57328e7f6fd5a6d9f9d8e9b4b3735816c7ead72c70ef30a8a
  SHA512: 4a50b2a758a6a56a245655228018d610d05567aabadaa9f3a6c5f71b558d68658452b659424d6e721bb78c6053868a0de4135e1895f8d47ef1853a9369a54e56
Filesize: 578KB
  MD5: fb80e04ce7dab8f3c7cf063149632897
  SHA1: 4408229581b4db1209a41ef1877cd0368f528a07
  SHA256: c1287c5dae399b60412498fa353c8dd5888fd7b569f92c8703659988af343b63
  SHA512: cb66e6c433e7c6230f7bea00c27c6efd982f5be443f311dc534051b2d953f14f5a607f3bd9285622ea26c942144dd0f10fbb9e490fb34fb0033eb69a7db1f21b
Filesize: 575KB
  MD5: 11a2ddab1314e8d5d85bffafb5fbf41c
  SHA1: 71ca80be6e93ff31651a07b69d623853a4946e81
  SHA256: 2a5b668350127cd7ad099bae69523c95f7892e5f5e5304f9546af9b1dfea453d
  SHA512: c32d1d161738af5082cc71fdcce96e0b53466bcaffa4170ded86d17238fe35986529066b776edf03918be6de0f251daaa6e0dacf38d7cd09819aa07b868be7c0
Filesize: 169KB
  MD5: 4dfe369eaef509aa4a61b456dcbab2bf
  SHA1: 58a7127a0fab18a3273e0754a0e0477284db303b
  SHA256: ed99fe657f84b7b3594d4e70531e53c4a3c7d762ec86f820614e000132686d49
  SHA512: 70738511185875dc1821f644bb54f776d63d83810832fc4a1974b4e2c537ef62932cc602ff377117101eac3f10d457166c4e85628f08c1748fdecc4848c4f1ac
Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf