Overview

overview

10

Static

static

3

d382a5b2d5...38.exe

windows7-x64

10

d382a5b2d5...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d382a5b2d5d8204c6d533b71f9499b38.exe

  • Size

    479KB

  • MD5

    d382a5b2d5d8204c6d533b71f9499b38

  • SHA1

    b3e8e2c2dc479102e95ffa9fdb35da83c268b1a8

  • SHA256

    11581748c5ef29c021f7c7310ed13ea6b835b15daa069134f37f62899e8c1ecf

  • SHA512

    f94b4ea0004b27ef6d270afb2318be0d53aebead8c8fb111e4735b76bb8d814fa51f40e77def60d1e3a8141bf2159ba5258c26a5f6cdbd40fc36e1415ee87d0a

  • SSDEEP

    12288:rMrVy9012quKKmDOU+6EjPKPFl1tQ5G9Ye4mK58KMAbSP:ayVK96StleG9zg87WY

Score
10/10
redlinedariydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dariy

C2

217.196.96.101:4132

Attributes
  • auth_value

    2f34aa0d1cb1023a826825b68ebedcc8

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d382a5b2d5d8204c6d533b71f9499b38.exe
    "C:\Users\Admin\AppData\Local\Temp\d382a5b2d5d8204c6d533b71f9499b38.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8491233.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8491233.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5396301.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5396301.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1947578.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1947578.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4620
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9749757.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9749757.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:3052
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:1692
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:4368
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:4308
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:3252
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\c3912af058" /P "Admin:N"
                    5⤵
                      PID:3744
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\c3912af058" /P "Admin:R" /E
                      5⤵
                        PID:2624
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                      4⤵
                      • Loads dropped DLL
                      PID:2168
              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:4840
              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:856

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9749757.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9749757.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8491233.exe
                Filesize

                307KB

                MD5

                dff610772b9b334d08b54cde0868b587

                SHA1

                b01de22ceba923dab9921a161a3798fc4fb0d624

                SHA256

                8f886d72565f6dd71d859797b9d1624302a49419f09b31e10afb5cc723c23dd7

                SHA512

                8d2cfd1bdc48b6edcb3b5315541a1ff2dd531bfe29b25e0cab4890fef3031b1bdd63a697d5607b6daf0c6894296689afd4a0f2067510b13a87fc3d3cd8077697

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8491233.exe
                Filesize

                307KB

                MD5

                dff610772b9b334d08b54cde0868b587

                SHA1

                b01de22ceba923dab9921a161a3798fc4fb0d624

                SHA256

                8f886d72565f6dd71d859797b9d1624302a49419f09b31e10afb5cc723c23dd7

                SHA512

                8d2cfd1bdc48b6edcb3b5315541a1ff2dd531bfe29b25e0cab4890fef3031b1bdd63a697d5607b6daf0c6894296689afd4a0f2067510b13a87fc3d3cd8077697

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5396301.exe
                Filesize

                168KB

                MD5

                b551e1fcf16e7db19f2de36f5d2966a1

                SHA1

                15be2af45822a7774d955cf9846afc8aaa08778c

                SHA256

                78945a064bd3d1aa364c0d1ea95c55a0ba03bb800df500730ef3a2f28f97a858

                SHA512

                c939d29518176530911adac41ea15f791db479122691ab15236673c869ac44728e8d799b639db47590948af329b8c9401ec97cc8205db57e5d020093feb9c620

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5396301.exe
                Filesize

                168KB

                MD5

                b551e1fcf16e7db19f2de36f5d2966a1

                SHA1

                15be2af45822a7774d955cf9846afc8aaa08778c

                SHA256

                78945a064bd3d1aa364c0d1ea95c55a0ba03bb800df500730ef3a2f28f97a858

                SHA512

                c939d29518176530911adac41ea15f791db479122691ab15236673c869ac44728e8d799b639db47590948af329b8c9401ec97cc8205db57e5d020093feb9c620

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1947578.exe
                Filesize

                176KB

                MD5

                ecc53e291e0d53ea0b8b0e17bb0ecff5

                SHA1

                d3aba1beb9d0e78789a8b768d401463594197064

                SHA256

                36c70019846612604160a4c9d2f90f907f040a75316de3dcb27c44248994f402

                SHA512

                0d5b551acae7821758ec8a666562b7f08e8de87eb9534028c49e1fcebe19fed5b9d47d85a6024404bcc56cd4c13921d528288cc7a2b8d1a611579038cb0109b9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h1947578.exe
                Filesize

                176KB

                MD5

                ecc53e291e0d53ea0b8b0e17bb0ecff5

                SHA1

                d3aba1beb9d0e78789a8b768d401463594197064

                SHA256

                36c70019846612604160a4c9d2f90f907f040a75316de3dcb27c44248994f402

                SHA512

                0d5b551acae7821758ec8a666562b7f08e8de87eb9534028c49e1fcebe19fed5b9d47d85a6024404bcc56cd4c13921d528288cc7a2b8d1a611579038cb0109b9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                0420697fd6d3c81a29746cc28e6425aa

                SHA1

                d2b3024535e830ce09e27e173d5fc46cb95e96a3

                SHA256

                0cfd065cec2891a6cdbe978cb930c1a7be3352731baede87255fdece79888985

                SHA512

                d70ef2ce982ad25d8663e32d11f2db168f082846bec2a23ee8321c850a17e89a3ed9cd2d660a2df3a41063f6d58a38abe12e0766880df14ff354d66609434f53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                Filesize

                162B

                MD5

                1b7c22a214949975556626d7217e9a39

                SHA1

                d01c97e2944166ed23e47e4a62ff471ab8fa031f

                SHA256

                340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                SHA512

                ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

                Download Submit

              • memory/532-152-0x0000000005040000-0x0000000005050000-memory.dmp

                Filesize

                64KB

                Download

              • memory/532-156-0x000000000B320000-0x000000000B386000-memory.dmp

                Filesize

                408KB

                Download

              • memory/532-157-0x000000000B750000-0x000000000B7A0000-memory.dmp

                Filesize

                320KB

                Download

              • memory/532-158-0x000000000C050000-0x000000000C212000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/532-159-0x000000000C750000-0x000000000CC7C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/532-160-0x0000000005040000-0x0000000005050000-memory.dmp

                Filesize

                64KB

                Download

              • memory/532-155-0x000000000B7D0000-0x000000000BD74000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/532-154-0x000000000AB40000-0x000000000ABD2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/532-153-0x000000000AA20000-0x000000000AA96000-memory.dmp

                Filesize

                472KB

                Download

              • memory/532-151-0x000000000A710000-0x000000000A74C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/532-150-0x000000000A6B0000-0x000000000A6C2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/532-149-0x000000000A780000-0x000000000A88A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/532-148-0x000000000AC00000-0x000000000B218000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/532-147-0x0000000000800000-0x000000000082E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/4620-166-0x0000000004990000-0x00000000049A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-179-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-181-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-183-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-185-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-187-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-189-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-191-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-193-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-177-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-175-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-173-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-171-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-169-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-168-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-167-0x0000000004990000-0x00000000049A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-165-0x0000000004990000-0x00000000049A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-195-0x0000000004950000-0x0000000004962000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4620-196-0x0000000004990000-0x00000000049A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4620-197-0x0000000004990000-0x00000000049A0000-memory.dmp

                Filesize

                64KB

                Download