Analysis
-
max time kernel
124s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
06-05-2023 20:17
Static task
static1
Behavioral task
behavioral1
Sample
06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe
Resource
win10v2004-20230220-en
General
-
Target
06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe
-
Size
1.2MB
-
MD5
0e0e4ff946e1bcb3125cd65e166bc873
-
SHA1
fd349ec9ca729b723f630e23ab043964e48b7ad3
-
SHA256
06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e
-
SHA512
90a42216c84e193c6d14cd9f4d0bf5f11e5b6b6967aaabb2b5aa7d865fdbc1d0d5411713b156c5f64d719c1f9a6b3260bcccf48acdb002c595cd6b0a64781698
-
SSDEEP
24576:pylNXVX5ZOunLVcXcIbTBC+HAmpR9ZHkrbURdPeZ3cqVRAA7IeMWOhLlx9o:clOuLVIcIHJAmP4QetJDIeMPhLD
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
life
185.161.248.73:4164
-
auth_value
8685d11953530b68ad5ec703809d9f91
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes:
z15008654.exez41370786.exez94653735.exes28504418.exe1.exet56606597.exepid process 1528 z15008654.exe 1932 z41370786.exe 704 z94653735.exe 592 s28504418.exe 1392 1.exe 396 t56606597.exe -
Loads dropped DLL 13 IoCs
Processes:
06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exez15008654.exez41370786.exez94653735.exes28504418.exe1.exet56606597.exepid process 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe 1528 z15008654.exe 1528 z15008654.exe 1932 z41370786.exe 1932 z41370786.exe 704 z94653735.exe 704 z94653735.exe 704 z94653735.exe 592 s28504418.exe 592 s28504418.exe 1392 1.exe 704 z94653735.exe 396 t56606597.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
z94653735.exe06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exez15008654.exez41370786.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce z94653735.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" z94653735.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce z15008654.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z15008654.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce z41370786.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z41370786.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
s28504418.exedescription pid process Token: SeDebugPrivilege 592 s28504418.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exez15008654.exez41370786.exez94653735.exes28504418.exedescription pid process target process PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1408 wrote to memory of 1528 1408 06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe z15008654.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1528 wrote to memory of 1932 1528 z15008654.exe z41370786.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 1932 wrote to memory of 704 1932 z41370786.exe z94653735.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 704 wrote to memory of 592 704 z94653735.exe s28504418.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 592 wrote to memory of 1392 592 s28504418.exe 1.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe PID 704 wrote to memory of 396 704 z94653735.exe t56606597.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe"C:\Users\Admin\AppData\Local\Temp\06255d7759a09d841d70703cb782e0f2972d726fe1ba7fc4617513c6e108753e.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z15008654.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z15008654.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z41370786.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z41370786.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z94653735.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z94653735.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s28504418.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s28504418.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t56606597.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t56606597.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5554c9f13b060b5293459db22bf162876
SHA1dc6537fb0515d563804a48b0990c666cc91d8a9e
SHA2561936564f50b48a794379117627dac8f4db323a78fe8a9128d95463fbc7288758
SHA51244b34c8977000eb3af75ec51b2c84443b462b933c1b766b1643c8db472e1177877b6a01b167422dcb2184276a50facb5c6f1a3d17b9ec9891c3ad2d94392caaf
-
Filesize
1.0MB
MD5554c9f13b060b5293459db22bf162876
SHA1dc6537fb0515d563804a48b0990c666cc91d8a9e
SHA2561936564f50b48a794379117627dac8f4db323a78fe8a9128d95463fbc7288758
SHA51244b34c8977000eb3af75ec51b2c84443b462b933c1b766b1643c8db472e1177877b6a01b167422dcb2184276a50facb5c6f1a3d17b9ec9891c3ad2d94392caaf
-
Filesize
761KB
MD5eb55278703a5b9f7d4994b683207575a
SHA14c336696783168626753c68fafa48cc1af83598f
SHA256126d6659b3a70809b5ee90ce9046dc6f5d490cc44d03d5af153fa7f87b363677
SHA51283b06af167d444489808ab05a93f803f22829b75ea87feb8350905ddcae6153a9fd4d477c7e63492e848464c102749f9eeafaa4c859f0b021681aed7b1d90821
-
Filesize
761KB
MD5eb55278703a5b9f7d4994b683207575a
SHA14c336696783168626753c68fafa48cc1af83598f
SHA256126d6659b3a70809b5ee90ce9046dc6f5d490cc44d03d5af153fa7f87b363677
SHA51283b06af167d444489808ab05a93f803f22829b75ea87feb8350905ddcae6153a9fd4d477c7e63492e848464c102749f9eeafaa4c859f0b021681aed7b1d90821
-
Filesize
578KB
MD5e561a41462955b0e152aed25026975d5
SHA14832535dc5a7d67a1f955f511580a1737ba79769
SHA2567abe7bbe775ff3bf8d8d853cf7d20f66882604ebd2f6f3e0d294a1b6f4896122
SHA512ee65b34e8b3ad3e271cac981f0a8b72bb6bc53dca40ac29f5b45a4da0fd0e850d03a4f05e269e7257a2c076f0cfc24bf394447e660e131278bd2394d0450e5bc
-
Filesize
578KB
MD5e561a41462955b0e152aed25026975d5
SHA14832535dc5a7d67a1f955f511580a1737ba79769
SHA2567abe7bbe775ff3bf8d8d853cf7d20f66882604ebd2f6f3e0d294a1b6f4896122
SHA512ee65b34e8b3ad3e271cac981f0a8b72bb6bc53dca40ac29f5b45a4da0fd0e850d03a4f05e269e7257a2c076f0cfc24bf394447e660e131278bd2394d0450e5bc
-
Filesize
502KB
MD51da26faab3d6bcc76efb9d47c1d19388
SHA1c048d05ee6b773509ea5bf13c4ff0143548c5cec
SHA256d7f52043d39347f7b52a2d959b1fb5e4381dbf4976de37474f319a3fa974f1e1
SHA5129726bfcf089b4c9f133bdfbbf8b3b524be776cde5061a21893cfdd0f2493392620a47188d2662d6c653e167b1b902953e1ddc428b141660cfa740d397dcfbf61
-
Filesize
502KB
MD51da26faab3d6bcc76efb9d47c1d19388
SHA1c048d05ee6b773509ea5bf13c4ff0143548c5cec
SHA256d7f52043d39347f7b52a2d959b1fb5e4381dbf4976de37474f319a3fa974f1e1
SHA5129726bfcf089b4c9f133bdfbbf8b3b524be776cde5061a21893cfdd0f2493392620a47188d2662d6c653e167b1b902953e1ddc428b141660cfa740d397dcfbf61
-
Filesize
502KB
MD51da26faab3d6bcc76efb9d47c1d19388
SHA1c048d05ee6b773509ea5bf13c4ff0143548c5cec
SHA256d7f52043d39347f7b52a2d959b1fb5e4381dbf4976de37474f319a3fa974f1e1
SHA5129726bfcf089b4c9f133bdfbbf8b3b524be776cde5061a21893cfdd0f2493392620a47188d2662d6c653e167b1b902953e1ddc428b141660cfa740d397dcfbf61
-
Filesize
169KB
MD559b302252de2489aa5935c1bcb528012
SHA1e5e7ef9c5a91be46ea851179b51c9c7c870a38a6
SHA2565063613147f3bfc6f1791f3670975f495baca90d06a80701ea698b759e04ab2b
SHA512658597501a073a4be1b9381ec8a65a5df2a515981c10e864f63f9f6b48886e3c128d8356862c9fb0fa9151c2b48c994ce41e177d8735138e489ca9d18235badd
-
Filesize
169KB
MD559b302252de2489aa5935c1bcb528012
SHA1e5e7ef9c5a91be46ea851179b51c9c7c870a38a6
SHA2565063613147f3bfc6f1791f3670975f495baca90d06a80701ea698b759e04ab2b
SHA512658597501a073a4be1b9381ec8a65a5df2a515981c10e864f63f9f6b48886e3c128d8356862c9fb0fa9151c2b48c994ce41e177d8735138e489ca9d18235badd
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
1.0MB
MD5554c9f13b060b5293459db22bf162876
SHA1dc6537fb0515d563804a48b0990c666cc91d8a9e
SHA2561936564f50b48a794379117627dac8f4db323a78fe8a9128d95463fbc7288758
SHA51244b34c8977000eb3af75ec51b2c84443b462b933c1b766b1643c8db472e1177877b6a01b167422dcb2184276a50facb5c6f1a3d17b9ec9891c3ad2d94392caaf
-
Filesize
1.0MB
MD5554c9f13b060b5293459db22bf162876
SHA1dc6537fb0515d563804a48b0990c666cc91d8a9e
SHA2561936564f50b48a794379117627dac8f4db323a78fe8a9128d95463fbc7288758
SHA51244b34c8977000eb3af75ec51b2c84443b462b933c1b766b1643c8db472e1177877b6a01b167422dcb2184276a50facb5c6f1a3d17b9ec9891c3ad2d94392caaf
-
Filesize
761KB
MD5eb55278703a5b9f7d4994b683207575a
SHA14c336696783168626753c68fafa48cc1af83598f
SHA256126d6659b3a70809b5ee90ce9046dc6f5d490cc44d03d5af153fa7f87b363677
SHA51283b06af167d444489808ab05a93f803f22829b75ea87feb8350905ddcae6153a9fd4d477c7e63492e848464c102749f9eeafaa4c859f0b021681aed7b1d90821
-
Filesize
761KB
MD5eb55278703a5b9f7d4994b683207575a
SHA14c336696783168626753c68fafa48cc1af83598f
SHA256126d6659b3a70809b5ee90ce9046dc6f5d490cc44d03d5af153fa7f87b363677
SHA51283b06af167d444489808ab05a93f803f22829b75ea87feb8350905ddcae6153a9fd4d477c7e63492e848464c102749f9eeafaa4c859f0b021681aed7b1d90821
-
Filesize
578KB
MD5e561a41462955b0e152aed25026975d5
SHA14832535dc5a7d67a1f955f511580a1737ba79769
SHA2567abe7bbe775ff3bf8d8d853cf7d20f66882604ebd2f6f3e0d294a1b6f4896122
SHA512ee65b34e8b3ad3e271cac981f0a8b72bb6bc53dca40ac29f5b45a4da0fd0e850d03a4f05e269e7257a2c076f0cfc24bf394447e660e131278bd2394d0450e5bc
-
Filesize
578KB
MD5e561a41462955b0e152aed25026975d5
SHA14832535dc5a7d67a1f955f511580a1737ba79769
SHA2567abe7bbe775ff3bf8d8d853cf7d20f66882604ebd2f6f3e0d294a1b6f4896122
SHA512ee65b34e8b3ad3e271cac981f0a8b72bb6bc53dca40ac29f5b45a4da0fd0e850d03a4f05e269e7257a2c076f0cfc24bf394447e660e131278bd2394d0450e5bc
-
Filesize
502KB
MD51da26faab3d6bcc76efb9d47c1d19388
SHA1c048d05ee6b773509ea5bf13c4ff0143548c5cec
SHA256d7f52043d39347f7b52a2d959b1fb5e4381dbf4976de37474f319a3fa974f1e1
SHA5129726bfcf089b4c9f133bdfbbf8b3b524be776cde5061a21893cfdd0f2493392620a47188d2662d6c653e167b1b902953e1ddc428b141660cfa740d397dcfbf61
-
Filesize
502KB
MD51da26faab3d6bcc76efb9d47c1d19388
SHA1c048d05ee6b773509ea5bf13c4ff0143548c5cec
SHA256d7f52043d39347f7b52a2d959b1fb5e4381dbf4976de37474f319a3fa974f1e1
SHA5129726bfcf089b4c9f133bdfbbf8b3b524be776cde5061a21893cfdd0f2493392620a47188d2662d6c653e167b1b902953e1ddc428b141660cfa740d397dcfbf61
-
Filesize
502KB
MD51da26faab3d6bcc76efb9d47c1d19388
SHA1c048d05ee6b773509ea5bf13c4ff0143548c5cec
SHA256d7f52043d39347f7b52a2d959b1fb5e4381dbf4976de37474f319a3fa974f1e1
SHA5129726bfcf089b4c9f133bdfbbf8b3b524be776cde5061a21893cfdd0f2493392620a47188d2662d6c653e167b1b902953e1ddc428b141660cfa740d397dcfbf61
-
Filesize
169KB
MD559b302252de2489aa5935c1bcb528012
SHA1e5e7ef9c5a91be46ea851179b51c9c7c870a38a6
SHA2565063613147f3bfc6f1791f3670975f495baca90d06a80701ea698b759e04ab2b
SHA512658597501a073a4be1b9381ec8a65a5df2a515981c10e864f63f9f6b48886e3c128d8356862c9fb0fa9151c2b48c994ce41e177d8735138e489ca9d18235badd
-
Filesize
169KB
MD559b302252de2489aa5935c1bcb528012
SHA1e5e7ef9c5a91be46ea851179b51c9c7c870a38a6
SHA2565063613147f3bfc6f1791f3670975f495baca90d06a80701ea698b759e04ab2b
SHA512658597501a073a4be1b9381ec8a65a5df2a515981c10e864f63f9f6b48886e3c128d8356862c9fb0fa9151c2b48c994ce41e177d8735138e489ca9d18235badd
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf