Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-05-2023 20:43

General

  • Target

    19819f4ea570e94503a68fad11a217e04d1c83859f2e1098e3db041138d6ec07.exe

  • Size

    1.5MB

  • MD5

    b9127db8990a46384d358d30145007b4

  • SHA1

    bb96cb2a065665cd71321d9d645a00786e0ffd81

  • SHA256

    19819f4ea570e94503a68fad11a217e04d1c83859f2e1098e3db041138d6ec07

  • SHA512

    8faa7af23a239a860b7bc03b1f645ebb85041407b53007fa3375cd3c6da1e8e7b1f8bde4867486b6e698c4c774a980bbb3c393ea7b026a1d896425a804ddb120

  • SSDEEP

    49152:U5ZxH0spTfPm+ovEQ8OMQ8a1NRoRQ8I0:WP0QTVzODzROQV

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (13 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\19819f4ea570e94503a68fad11a217e04d1c83859f2e1098e3db041138d6ec07.exe
    "C:\Users\Admin\AppData\Local\Temp\19819f4ea570e94503a68fad11a217e04d1c83859f2e1098e3db041138d6ec07.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8299904.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8299904.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6400475.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6400475.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4561915.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4561915.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4684807.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4684807.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3033719.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3033719.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1472
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4418012.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4418012.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:820
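
The tree above is five nested self-extracting stages. %TEMP%\IXPnnn.TMP is the directory an IExpress package extracts into, and here every stage launches the next one out of its own IXP directory until the two payloads, a3033719.exe (the Defender modification) and b4418012.exe (the C2 traffic), run at the bottom. One IExpress installer is normal on a workstation; a chain of them is not. The following is an added example, not code from the sandbox or the report, that reads process-creation events and flags leaf processes with at least three consecutive IXP-directory ancestors. The events are reconstructed from the tree above; the depth threshold and the benign control case are assumptions.

```python
import re
from collections import defaultdict

# Process-creation events (image path, PID, parent PID) reconstructed from the
# sandbox process tree above; parent links follow the tree's nesting.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\19819f4ea570e94503a68fad11a217e04d1c83859f2e1098e3db041138d6ec07.exe", 1380, None),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8299904.exe", 1176, 1380),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6400475.exe", 864, 1176),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4561915.exe", 1456, 864),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4684807.exe", 1744, 1456),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3033719.exe", 1472, 1744),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4418012.exe", 820, 1744),
]

# Constructed control case (not from the report): an ordinary IExpress
# installer extracts one stage into IXP000.TMP and runs it. Depth 1 must not fire.
BENIGN_EVENTS = [
    (r"C:\Users\Admin\Downloads\setup.exe", 2000, None),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\installer.exe", 2001, 2000),
]

# %TEMP%\IXPnnn.TMP is the extraction directory used by IExpress packages.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def ixp_depth(pid, by_pid):
    """Count consecutive ancestors (pid included) running out of an IXP dir."""
    depth = 0
    while pid in by_pid:
        path, ppid = by_pid[pid]
        if not IXP_DIR.search(path):
            break
        depth += 1
        pid = ppid
    return depth


def find_nested_sfx_chains(events, min_depth=3):
    """Return leaf processes whose IXP-directory ancestry is at least
    min_depth deep, together with the full chain from the root."""
    by_pid = {pid: (path, ppid) for path, pid, ppid in events}
    children = defaultdict(list)
    for _, pid, ppid in events:
        children[ppid].append(pid)

    hits = []
    for path, pid, _ in events:
        if children[pid]:            # only leaves: payloads sit at the bottom
            continue
        depth = ixp_depth(pid, by_pid)
        if depth < min_depth:
            continue
        chain, cur = [], pid
        while cur in by_pid:
            chain.append(by_pid[cur][0])
            cur = by_pid[cur][1]
        hits.append({"leaf_pid": pid, "depth": depth, "chain": chain[::-1]})
    return hits


if __name__ == "__main__":
    for hit in find_nested_sfx_chains(EVENTS):
        print(f"PID {hit['leaf_pid']}: {hit['depth']} nested IXP stages")
        for step in hit["chain"]:
            print("   ", step)
```

Run against the reconstructed tree this reports both payload PIDs (1472 and 820) with five IXP stages above each, and nothing for the single-installer control. Reporting only leaves keeps one alert per payload instead of one per intermediate stage.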

Network

  Flows (destination, process, bytes sent, bytes received, packets sent, packets received). The sandbox recorded ten identical flows:

  • 217.196.96.56:4138  b4418012.exe  152 B  120 B  3  3  (×10)
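
Ten flows of 152 B out and 120 B in, three packets each way, to one non-web port from the final-stage payload: 152 bytes outbound cannot carry harvested browser data, so these look like repeated short connections rather than a completed session. The following is an added example, not part of the report, that applies a flow-grouping heuristic to those records as they would appear in connection logs. The flow records are transcribed from the table above; the thresholds, the benign control flow and the RFC 5737 address in it are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Flow records transcribed from the Network section above:
# (destination, process, bytes sent, bytes received, packets sent, packets received).
# The sandbox recorded ten identical flows.
FLOWS = [("217.196.96.56:4138", "b4418012.exe", 152, 120, 3, 3)] * 10

# Constructed control record (RFC 5737 address, not from the report): one
# ordinary HTTPS session with a real payload in both directions.
BENIGN_FLOWS = [("203.0.113.10:443", "browser.exe", 5_120, 118_400, 41, 96)]


def summarise_flows(flows, min_flows=5, max_bytes=1024, web_ports=(80, 443), min_reasons=2):
    """Group flows by (process, destination) and report groups that look like
    a retry/beacon loop: many tiny flows, identical sizes, odd port.
    Thresholds are assumptions chosen for illustration."""
    groups = defaultdict(list)
    for dst, proc, tx, rx, ptx, prx in flows:
        groups[(proc, dst)].append((tx, rx, ptx, prx))

    findings = []
    for (proc, dst), recs in groups.items():
        n = len(recs)
        tx = [r[0] for r in recs]
        rx = [r[1] for r in recs]
        port = int(dst.rsplit(":", 1)[1])
        reasons = []
        if n >= min_flows and max(tx) + max(rx) <= max_bytes:
            reasons.append(f"{n} flows to one endpoint, each under {max_bytes} bytes")
        if n >= 2 and pstdev(tx) == 0 and pstdev(rx) == 0:
            reasons.append("identical byte counts in every flow (retry loop, no session data)")
        if port not in web_ports:
            reasons.append(f"non-web destination port {port}")
        if len(reasons) >= min_reasons:
            findings.append({
                "process": proc,
                "dst": dst,
                "flows": n,
                "bytes_total": sum(tx) + sum(rx),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in summarise_flows(FLOWS + BENIGN_FLOWS):
        print(f"{f['process']} -> {f['dst']}: {f['flows']} flows, {f['bytes_total']} bytes")
        for r in f["reasons"]:
            print("   -", r)
```

On the report's records this yields a single finding with all three reasons and 2720 bytes in total; the control session and a lone flow to the C2 port (one reason only) stay below the reporting threshold, which is the point of requiring two independent signals.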

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8299904.exe

    Filesize

    1.4MB

    MD5

    f752e0ae33aff1ad1734077c35e5cca0

    SHA1

    b3760d6e69bfca120e8fdb9db4ab2870c64f8182

    SHA256

    81c751c208fcad531ffc2d045ddf5ffabb70c22f7a830df4fbc78d9ee1340f42

    SHA512

    5188e1a2a3c51af29dec3dc09d077b6df9d1ecd479ee51220e69d7aa516986e3275a2c2bdc6948d2a05bc768eb11ce92f5e261d2247f1b796c84c23f3e0d6b7a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6400475.exe

    Filesize

    915KB

    MD5

    af3d14223d673e2cfb5aaee86dca12fe

    SHA1

    8953b77e39b172fb604c721e94f1345ec3d1abbe

    SHA256

    009e307022f8f033114165e1d09b15677bf37fa17dcc6fb1bc3ce6f27c136b1b

    SHA512

    c9fdb5924e92e2c34295195f2eff916370d3083c45edbb27df5d3714024ad472ef8781eecf083a8bb78a5c87de513c7e84d0518048159c6895adae6193b2fa3f

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4561915.exe

    Filesize

    711KB

    MD5

    c4501c2993c22221b76fc0e06857de6c

    SHA1

    1c842f40a491882ff0c5673feb1afaaa86fb96b2

    SHA256

    a5ac83ae92ad7796c1ed7030a50e61f1c190e49b4d074523d454d99728cc43d2

    SHA512

    141dcccd214595da48989addbb3564ee4711f5732dc3c7ef650c86e582730eec7276dcaedc603846682afd9d464cf57a54f4439ba82e12c13c0f96e43b655c12

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4684807.exe

    Filesize

    416KB

    MD5

    176626b397c26b21f7039af130c5e6ff

    SHA1

    58a32d27ef53441d7e138eb516262673b4f2ff1b

    SHA256

    2cf863ec8712b290272ca8f00cabf9ce1897e58a673a880e3d3ee12c39d2ed6a

    SHA512

    935cb5a728c5155ee9870ac7b4629e8ee6c9b28efe881b8366f0a01d416fa1439954ee829320b8f8ecd36b8d39adb7da187556ad4ab684e001e4ce4355164200

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3033719.exe

    Filesize

    360KB

    MD5

    8209160d8c9b0131fe697f1d88fe97f5

    SHA1

    03684e12df921bd3baca9d1444eb0073d3141b5e

    SHA256

    4ac6227c780510887619af70f4405b0275ca837a2118e493a78747c89e1d2306

    SHA512

    0360aaaf32aa5372b74acd5b3cddb660416156ed782e940ec6651caf15ad9ff29303bcfc07731a684e1fd002a027778cfb8095719a17ccf3af673d698dc6c974

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4418012.exe

    Filesize

    168KB

    MD5

    b8e87690722a9b17184fa634e5f796ce

    SHA1

    64381eac0d5f2c89906efd53a6276035aa6371c6

    SHA256

    2e5bfb0c6d20edf448115341ac9dab233147481aa64d98fe677e02c5f0af7618

    SHA512

    e9a710f9c3155af5670713d9b0117060cac3775fa0777729a390a969a21e881473b384c1df1947d19b691afb8b5c4603111f962c62f4fca99c92ad8485112fae


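Sandbox download lists repeat a dropped file once per load event, sometimes under path variants, so an IoC set built from them should be keyed by digest rather than by path. The following is an added example, not part of the report, that parses this list layout into one artifact per SHA256 (collecting every path it was seen under and refusing conflicting MD5/SHA1 values for the same SHA256), then sweeps a directory tree for files whose digests match, which is how these hashes get used during a host triage. The excerpt is taken from the v8299904.exe entries above with the SHA512 lines left out; the temporary directory and the three-byte stand-in file in the demo are constructed.

```python
import hashlib
import io
import os
import re
import tempfile

# Excerpt constructed from the Downloads list above: the same dropped stage
# reported twice (with and without its drive letter). SHA512 lines omitted.
REPORT_EXCERPT = r"""
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8299904.exe
    Filesize
    1.4MB
    MD5
    f752e0ae33aff1ad1734077c35e5cca0
    SHA1
    b3760d6e69bfca120e8fdb9db4ab2870c64f8182
    SHA256
    81c751c208fcad531ffc2d045ddf5ffabb70c22f7a830df4fbc78d9ee1340f42
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\v8299904.exe
    Filesize
    1.4MB
    MD5
    f752e0ae33aff1ad1734077c35e5cca0
    SHA1
    b3760d6e69bfca120e8fdb9db4ab2870c64f8182
    SHA256
    81c751c208fcad531ffc2d045ddf5ffabb70c22f7a830df4fbc78d9ee1340f42
"""

ENTRY = re.compile(
    r"•\s+(?P<path>\S+)\s+Filesize\s+(?P<size>\S+)\s+MD5\s+(?P<md5>[0-9a-f]{32})"
    r"\s+SHA1\s+(?P<sha1>[0-9a-f]{40})\s+SHA256\s+(?P<sha256>[0-9a-f]{64})"
)
DIGESTS = ("md5", "sha1", "sha256")


def parse_downloads(text):
    """One artifact per SHA256; repeated entries only add path variants.
    Conflicting MD5/SHA1 under the same SHA256 means a transcription error."""
    artifacts = {}
    for m in ENTRY.finditer(text):
        art = artifacts.setdefault(
            m["sha256"], {"md5": m["md5"], "sha1": m["sha1"], "size": m["size"], "paths": []})
        if (art["md5"], art["sha1"]) != (m["md5"], m["sha1"]):
            raise ValueError(f"conflicting digests for {m['sha256']}")
        if m["path"] not in art["paths"]:
            art["paths"].append(m["path"])
    return artifacts


def digest_stream(stream, chunk=1 << 20):
    """Compute all three digests in one pass over the data."""
    hs = {n: hashlib.new(n) for n in DIGESTS}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def sweep(root, artifacts):
    """Hash every file under root once; return (file, sha256, reported paths)
    for each match against the artifact set. Unreadable files are skipped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            fp = os.path.join(dirpath, name)
            try:
                with open(fp, "rb") as f:
                    d = digest_stream(f)
            except OSError:
                continue
            if d["sha256"] in artifacts:
                hits.append((fp, d["sha256"], artifacts[d["sha256"]]["paths"]))
    return hits


def demo():
    """Stand-alone run on constructed data: a three-byte stand-in file whose
    digests are added to the artifact set, planted beside a benign file."""
    artifacts = parse_downloads(REPORT_EXCERPT)
    sample = b"abc"                      # constructed stand-in for a dropped stage
    d = digest_bytes(sample)
    artifacts[d["sha256"]] = {"md5": d["md5"], "sha1": d["sha1"], "size": "3B", "paths": ["<constructed>"]}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "IXP000.TMP"))
        with open(os.path.join(root, "IXP000.TMP", "stage.exe"), "wb") as f:
            f.write(sample)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"nothing to see")
        hits = sweep(root, artifacts)
    return [(os.path.basename(fp), sha) for fp, sha, _ in hits]


if __name__ == "__main__":
    print(demo())
```

Matching on SHA256 alone is enough to identify the file; the MD5 and SHA1 are kept only so a hit can be cross-checked against tooling that still reports the older digests. For the real sweep, point `sweep()` at the user's %TEMP% and the Run-key targets, since that is where every stage in this report landed.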
  Memory dumps (PID-dump id, mapped region, size):

  • memory/820-153   0x00000000011E0000-0x0000000001210000   192KB
  • memory/820-154   0x0000000000220000-0x0000000000226000   24KB
  • memory/820-155   0x0000000004BE0000-0x0000000004C20000   256KB
  • memory/820-156   0x0000000004BE0000-0x0000000004C20000   256KB
  • memory/1472-108  0x0000000002180000-0x000000000219A000   104KB
  • memory/1472-109  0x00000000002D0000-0x00000000002FD000   180KB
  • memory/1472-110  0x0000000004B40000-0x0000000004B80000   256KB
  • memory/1472-111  0x0000000004B40000-0x0000000004B80000   256KB
  • memory/1472-112  0x0000000002210000-0x0000000002228000   96KB
  • memory/1472-113, -114, -116, -118, -120, -122, -124, -126, -128, -130, -132, -134, -136, -138, -140
                     0x0000000002210000-0x0000000002222000   72KB (fifteen dumps of the same region)
  • memory/1472-141  0x0000000000400000-0x00000000006F4000   3.0MB
  • memory/1472-142  0x0000000004B40000-0x0000000004B80000   256KB
  • memory/1472-146  0x0000000000400000-0x00000000006F4000   3.0MB
