Analysis
-
max time kernel: 188s
max time network: 266s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2023 22:39
Static task: static1
Behavioral task: behavioral1
  Sample: 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe
  Resource: win10v2004-20230220-en
General
-
Target: 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe
Size: 1.2MB
MD5: 9a9b9e247d01d71a60e96ed70bc15ace
SHA1: 578d5d5e7762ec863541e31f447d4749a176e7ca
SHA256: 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057
SHA512: 31793fdb780cf97d111ac2269a906f7858b7ebdb0f9bc96198bb2a2ac216a009b16b9308b49da4712886d5338890a8c2bf551653c76e6df9b6f72df8c5985355
SSDEEP: 24576:myPIcVtD60zVfLNyZrFm9HaPrrefrjCz7Za+2L6DaBQHMeyzmJgY:1gcn6IVD0cLqf8P0aBQs1m6
Malware Config
Extracted
  Family: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07
Extracted
  Family: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (6 IoCs)
Processes (pid, process):
  468   z28908068.exe
  1196  z93657806.exe
  1512  z24266448.exe
  568   s31133568.exe
  1332  1.exe
  1680  t48705860.exe
-
Loads dropped DLL (13 IoCs)
Processes (pid, process):
  1532  0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe
  468   z28908068.exe
  468   z28908068.exe
  1196  z93657806.exe
  1196  z93657806.exe
  1512  z24266448.exe
  1512  z24266448.exe
  1512  z24266448.exe
  568   s31133568.exe
  568   s31133568.exe
  1332  1.exe
  1512  z24266448.exe
  1680  t48705860.exe
-
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z93657806.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z24266448.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z24266448.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z28908068.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z28908068.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z93657806.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 568 | s31133568.exe
-
Suspicious use of WriteProcessMemory (42 IoCs)
Processes (description | pid | process | target process); each row below is recorded 7 times in the report, 42 entries in total:
  PID 1532 wrote to memory of 468  | 1532 | 0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe | z28908068.exe
  PID 468 wrote to memory of 1196  | 468  | z28908068.exe | z93657806.exe
  PID 1196 wrote to memory of 1512 | 1196 | z93657806.exe | z24266448.exe
  PID 1512 wrote to memory of 568  | 1512 | z24266448.exe | s31133568.exe
  PID 568 wrote to memory of 1332  | 568  | s31133568.exe | 1.exe
  PID 1512 wrote to memory of 1680 | 1512 | z24266448.exe | t48705860.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0456df11117b1907ee6111beb17c00388fac0c1ce9277753ef6a39eedc634057.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1532
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z28908068.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z28908068.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 468
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z93657806.exe  (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z93657806.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1196
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24266448.exe  (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24266448.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1512
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s31133568.exe  (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s31133568.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 568
          C:\Windows\Temp\1.exe  (depth 6)
            Command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1332
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t48705860.exe  (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t48705860.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 1680
Network
MITRE ATT&CK Enterprise v6
Downloads