Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-05-2023 20:28
General
-
Target
0df5796241c303435a27a7b5172d2efe839cde2fa7ba25e77c87ae3f4ca20922.exe
-
Size
1.2MB
-
MD5
f3126713488423ceff0bd8c50f1d2dbd
-
SHA1
dc3d474e5b3bdf82f01c04871a51f9920eea7cc6
-
SHA256
0df5796241c303435a27a7b5172d2efe839cde2fa7ba25e77c87ae3f4ca20922
-
SHA512
73421349a26eea4c08410058ef24767c3d009e22be3fe8089ccf7bdfb08b7c752aba8195a60f578b696fe55a4b31268251ff39575b5e559d1f4b2a42a3406e53
-
SSDEEP
24576:AywSrL+uBxolriQHLrACDl8csvITUJ//5sx05wrubwaKTW:HhJxPQP9svIO//5UnruUa
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0df5796241c303435a27a7b5172d2efe839cde2fa7ba25e77c87ae3f4ca20922.exe"C:\Users\Admin\AppData\Local\Temp\0df5796241c303435a27a7b5172d2efe839cde2fa7ba25e77c87ae3f4ca20922.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI085068.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI085068.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou670901.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou670901.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EC329868.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EC329868.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\192388235.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\192388235.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\242476359.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\242476359.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 10806⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331528964.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331528964.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\407257531.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\407257531.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2480 -ip 24801⤵
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD52697c4311c4a046364803ed52d79dcdd
SHA19253b5bd1e7baac775b706eb079196c5dfa17358
SHA256ff2192cda13cb492ac4a69a3b459ddba9da07a2103fd4aa1695a03181f95906e
SHA512c416e5b94fe4d5e9560e7e076dd7d0d1e53f056e89534177326b05e7687c5f53881f0ad3d6a97184301393848c880cc77cf40fa3dc74077262d0b84d2a31a1bf
-
Filesize
1.0MB
MD52697c4311c4a046364803ed52d79dcdd
SHA19253b5bd1e7baac775b706eb079196c5dfa17358
SHA256ff2192cda13cb492ac4a69a3b459ddba9da07a2103fd4aa1695a03181f95906e
SHA512c416e5b94fe4d5e9560e7e076dd7d0d1e53f056e89534177326b05e7687c5f53881f0ad3d6a97184301393848c880cc77cf40fa3dc74077262d0b84d2a31a1bf
-
Filesize
460KB
MD5ddba2b150c0a3e4322eefbb01943cbc4
SHA1c328f56c83463f898922e26d8f0c410e4dde2c2f
SHA256137ebbb0094d2ce0864ba43c5b4b60bec8f82c311378a1feab39df7e261bace9
SHA512a77352562ae21f8f6adb167a44c8d1c56c2bf26e67f479c071b105249862f728f8c985586765fa9469ba70100dfe9d09c88591e6c7d4eddaa7f7cf097cfe1503
-
Filesize
460KB
MD5ddba2b150c0a3e4322eefbb01943cbc4
SHA1c328f56c83463f898922e26d8f0c410e4dde2c2f
SHA256137ebbb0094d2ce0864ba43c5b4b60bec8f82c311378a1feab39df7e261bace9
SHA512a77352562ae21f8f6adb167a44c8d1c56c2bf26e67f479c071b105249862f728f8c985586765fa9469ba70100dfe9d09c88591e6c7d4eddaa7f7cf097cfe1503
-
Filesize
637KB
MD5908e13c8b0030395c2201a4e3cef51d5
SHA1ea767c7db590b191c5817a47580e6e8697b67edf
SHA256b975d99355e553194ec6c8956c88124a07edefb106463e8c437ea870108be6a6
SHA5120dcbbff316ee8b71c21c03fe699796093e5b4884ca32244f9419fc4d1a5a034556bc6f8fe71e22593fa88e6b7abe493580ebf117e9762a50b8d6d2145e346221
-
Filesize
637KB
MD5908e13c8b0030395c2201a4e3cef51d5
SHA1ea767c7db590b191c5817a47580e6e8697b67edf
SHA256b975d99355e553194ec6c8956c88124a07edefb106463e8c437ea870108be6a6
SHA5120dcbbff316ee8b71c21c03fe699796093e5b4884ca32244f9419fc4d1a5a034556bc6f8fe71e22593fa88e6b7abe493580ebf117e9762a50b8d6d2145e346221
-
Filesize
204KB
MD59e3f116c33cedc0733764c31348e8296
SHA1b2e73b9b122b3c15cb3e29c4c033eb6f84ddea15
SHA2569329436e9b50e748cbe42e0cc8d625d9084024a5f611836d0827b88bec66a16e
SHA51244429c07e259a78110936972606089567d4e5cf566ce9b9ccb2aae7f02cc736bd034d4e027221157ecfbccdc28eb95eff6eb77897184496002696cf66a050aa8
-
Filesize
204KB
MD59e3f116c33cedc0733764c31348e8296
SHA1b2e73b9b122b3c15cb3e29c4c033eb6f84ddea15
SHA2569329436e9b50e748cbe42e0cc8d625d9084024a5f611836d0827b88bec66a16e
SHA51244429c07e259a78110936972606089567d4e5cf566ce9b9ccb2aae7f02cc736bd034d4e027221157ecfbccdc28eb95eff6eb77897184496002696cf66a050aa8
-
Filesize
466KB
MD5a12fe1b40c4cb82cfaadbb6f42ab8abf
SHA19f106eafbbd0ae3b9911ef556169deda698df244
SHA256d004036c75d115491846f8b230216993af70d8ddde5294a73fc3c8cfef79d63a
SHA5128f44c60e76e67a4c80b15c1a4af5814e56b33fe074f8d04af6a04289555fb7eb1ea64e039cceba56396b13c8fbbc768460aec570fd94b63ec63e69e3ee3e0da4
-
Filesize
466KB
MD5a12fe1b40c4cb82cfaadbb6f42ab8abf
SHA19f106eafbbd0ae3b9911ef556169deda698df244
SHA256d004036c75d115491846f8b230216993af70d8ddde5294a73fc3c8cfef79d63a
SHA5128f44c60e76e67a4c80b15c1a4af5814e56b33fe074f8d04af6a04289555fb7eb1ea64e039cceba56396b13c8fbbc768460aec570fd94b63ec63e69e3ee3e0da4
-
Filesize
176KB
MD5d2ae2245b3350c7796d85ba435a85214
SHA1a821d4b8c5544d790b1593fe0eb17394cbc5969a
SHA25611f41a94901e4184f4912d92d7333846717e1f41d52b3a3ae458ef0c3b880ccb
SHA5125cb1b5a17aeefe1f4b67fa6d879fd0a1e5b3be60fb868a3feb9cd54fa23ff62994211f1eef77282932c8ea6626065c0b7db18d51a3f42476f5e5b8057066f7fc
-
Filesize
176KB
MD5d2ae2245b3350c7796d85ba435a85214
SHA1a821d4b8c5544d790b1593fe0eb17394cbc5969a
SHA25611f41a94901e4184f4912d92d7333846717e1f41d52b3a3ae458ef0c3b880ccb
SHA5125cb1b5a17aeefe1f4b67fa6d879fd0a1e5b3be60fb868a3feb9cd54fa23ff62994211f1eef77282932c8ea6626065c0b7db18d51a3f42476f5e5b8057066f7fc
-
Filesize
378KB
MD54adae486a01c0b993bb5a6a5111e4f82
SHA1c16a61a8dc90039a88f32cab5344648e7390bfb1
SHA2568eb8f4b2ba12dc68d6e7dfcb1ba88c468b9f7901c6cef8b9b9e19149f9492727
SHA512ac2963625a232ed20c3372779d3e5917e512d4b675a38381a7e2d952d5dfef393d8a77fd31d85431cbe8cfbba2c107bce754d76801a5219605c20bf238d15313
-
Filesize
378KB
MD54adae486a01c0b993bb5a6a5111e4f82
SHA1c16a61a8dc90039a88f32cab5344648e7390bfb1
SHA2568eb8f4b2ba12dc68d6e7dfcb1ba88c468b9f7901c6cef8b9b9e19149f9492727
SHA512ac2963625a232ed20c3372779d3e5917e512d4b675a38381a7e2d952d5dfef393d8a77fd31d85431cbe8cfbba2c107bce754d76801a5219605c20bf238d15313
-
Filesize
204KB
MD59e3f116c33cedc0733764c31348e8296
SHA1b2e73b9b122b3c15cb3e29c4c033eb6f84ddea15
SHA2569329436e9b50e748cbe42e0cc8d625d9084024a5f611836d0827b88bec66a16e
SHA51244429c07e259a78110936972606089567d4e5cf566ce9b9ccb2aae7f02cc736bd034d4e027221157ecfbccdc28eb95eff6eb77897184496002696cf66a050aa8
-
Filesize
204KB
MD59e3f116c33cedc0733764c31348e8296
SHA1b2e73b9b122b3c15cb3e29c4c033eb6f84ddea15
SHA2569329436e9b50e748cbe42e0cc8d625d9084024a5f611836d0827b88bec66a16e
SHA51244429c07e259a78110936972606089567d4e5cf566ce9b9ccb2aae7f02cc736bd034d4e027221157ecfbccdc28eb95eff6eb77897184496002696cf66a050aa8
-
Filesize
204KB
MD59e3f116c33cedc0733764c31348e8296
SHA1b2e73b9b122b3c15cb3e29c4c033eb6f84ddea15
SHA2569329436e9b50e748cbe42e0cc8d625d9084024a5f611836d0827b88bec66a16e
SHA51244429c07e259a78110936972606089567d4e5cf566ce9b9ccb2aae7f02cc736bd034d4e027221157ecfbccdc28eb95eff6eb77897184496002696cf66a050aa8
-
Filesize
204KB
MD59e3f116c33cedc0733764c31348e8296
SHA1b2e73b9b122b3c15cb3e29c4c033eb6f84ddea15
SHA2569329436e9b50e748cbe42e0cc8d625d9084024a5f611836d0827b88bec66a16e
SHA51244429c07e259a78110936972606089567d4e5cf566ce9b9ccb2aae7f02cc736bd034d4e027221157ecfbccdc28eb95eff6eb77897184496002696cf66a050aa8
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
76KB
-
Filesize
64KB