redline | 1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363

Analysis

max time kernel
127s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe
Size

890KB
MD5

4a9241cea1e97f426c367b8c598f1ba1
SHA1

c22143f31692ee2fd60689a3ab796738b6c03a7f
SHA256

1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363
SHA512

bae9c4f00edd8432756fcad5a50685db3a9aced6c285d38509cd44b3e72752894575c2f0d21832ea5c6e525e214f71f18b6ed9e2e34949e3a8da617a1946dde7
SSDEEP

24576:NyHEr9XVu8UPJsaP7MifsCQbcAxPAi/evrw7w5Z:oiVLUPJ3P7MsJuPJevrwk

Score

10^/10

redline dork gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dork

185.161.248.73:4164

Attributes

auth_value
e81be7d6cfb453cc812e1b4890eeadad

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
912	y77471050.exe
668	p86152569.exe
1624	1.exe
1876	r17692701.exe

Loads dropped DLL 9 IoCs

pid	Process
2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe
912	y77471050.exe
912	y77471050.exe
912	y77471050.exe
668	p86152569.exe
668	p86152569.exe
1624	1.exe
912	y77471050.exe
1876	r17692701.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y77471050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y77471050.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	p86152569.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 2024 wrote to memory of 912	2024	1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe	28
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 912 wrote to memory of 668	912	y77471050.exe	29
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 668 wrote to memory of 1624	668	p86152569.exe	30
PID 912 wrote to memory of 1876	912	y77471050.exe	31
PID 912 wrote to memory of 1876	912	y77471050.exe	31
PID 912 wrote to memory of 1876	912	y77471050.exe	31
PID 912 wrote to memory of 1876	912	y77471050.exe	31
PID 912 wrote to memory of 1876	912	y77471050.exe	31
PID 912 wrote to memory of 1876	912	y77471050.exe	31
PID 912 wrote to memory of 1876	912	y77471050.exe	31

C:\Users\Admin\AppData\Local\Temp\1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe
"C:\Users\Admin\AppData\Local\Temp\1cd8a52a30a728f941ccb9c57a171c9fd84a537cd44de7baf97c54dc4452f363.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77471050.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77471050.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r17692701.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r17692701.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77471050.exe

Filesize
590KB

MD5
7817184dd637f8fa175ab19156a3e9b7

SHA1
ceb5656cda9cc2d3b510c6847a5e3c4994f533ab

SHA256
2fcb7122d82537af1dddcdc4716b51eb67aa11c084fa0d70599542dbcfea0810

SHA512
ff6b0b23b09947e3cb18b04dbac6b06bcf45b0b387485af3d940e81433da2d9abbd81f6cea72663902c99e386c889fb199de98413cb01b83e6f471e93b068c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77471050.exe

Filesize
590KB

MD5
7817184dd637f8fa175ab19156a3e9b7

SHA1
ceb5656cda9cc2d3b510c6847a5e3c4994f533ab

SHA256
2fcb7122d82537af1dddcdc4716b51eb67aa11c084fa0d70599542dbcfea0810

SHA512
ff6b0b23b09947e3cb18b04dbac6b06bcf45b0b387485af3d940e81433da2d9abbd81f6cea72663902c99e386c889fb199de98413cb01b83e6f471e93b068c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe

Filesize
530KB

MD5
e9dc2ba3ab6e3eb50c052c9e421f371e

SHA1
e157cdbec494017c193b3674e9c1b4c96fc8db03

SHA256
2af79ad32ed87ec89b199615c26ba218603414d2acd3ef5fb195c823717061d2

SHA512
f78e96474d5e6c49d174df9a669afcd9bd3eee1790db04ea0dff3e1a9b75fb4248ede198945fe2f9c75da0efa9225b57aa2dfa7b7d1dd1e3cd9f36c382c16a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe

Filesize
530KB

MD5
e9dc2ba3ab6e3eb50c052c9e421f371e

SHA1
e157cdbec494017c193b3674e9c1b4c96fc8db03

SHA256
2af79ad32ed87ec89b199615c26ba218603414d2acd3ef5fb195c823717061d2

SHA512
f78e96474d5e6c49d174df9a669afcd9bd3eee1790db04ea0dff3e1a9b75fb4248ede198945fe2f9c75da0efa9225b57aa2dfa7b7d1dd1e3cd9f36c382c16a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe

Filesize
530KB

MD5
e9dc2ba3ab6e3eb50c052c9e421f371e

SHA1
e157cdbec494017c193b3674e9c1b4c96fc8db03

SHA256
2af79ad32ed87ec89b199615c26ba218603414d2acd3ef5fb195c823717061d2

SHA512
f78e96474d5e6c49d174df9a669afcd9bd3eee1790db04ea0dff3e1a9b75fb4248ede198945fe2f9c75da0efa9225b57aa2dfa7b7d1dd1e3cd9f36c382c16a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r17692701.exe

Filesize
168KB

MD5
ff98657d4e0f1d3a9b6141b32d3c5600

SHA1
c8f13decf23bbf3a020db7397cf698477b00f224

SHA256
db3026b7488e9bdc40ab6b85b4c05fdc53861f2ecfacfcf3f7d4fdd726a0caf7

SHA512
e1e8078e459d95d5e210e87e8287a00dfe58c7aeb3f438afcf06f7392fb861f2c92cfc4164e12836b5be08c9280dbcf3c44154468bbf436b40974808c153081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r17692701.exe

Filesize
168KB

MD5
ff98657d4e0f1d3a9b6141b32d3c5600

SHA1
c8f13decf23bbf3a020db7397cf698477b00f224

SHA256
db3026b7488e9bdc40ab6b85b4c05fdc53861f2ecfacfcf3f7d4fdd726a0caf7

SHA512
e1e8078e459d95d5e210e87e8287a00dfe58c7aeb3f438afcf06f7392fb861f2c92cfc4164e12836b5be08c9280dbcf3c44154468bbf436b40974808c153081b

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77471050.exe

Filesize
590KB

MD5
7817184dd637f8fa175ab19156a3e9b7

SHA1
ceb5656cda9cc2d3b510c6847a5e3c4994f533ab

SHA256
2fcb7122d82537af1dddcdc4716b51eb67aa11c084fa0d70599542dbcfea0810

SHA512
ff6b0b23b09947e3cb18b04dbac6b06bcf45b0b387485af3d940e81433da2d9abbd81f6cea72663902c99e386c889fb199de98413cb01b83e6f471e93b068c73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y77471050.exe

Filesize
590KB

MD5
7817184dd637f8fa175ab19156a3e9b7

SHA1
ceb5656cda9cc2d3b510c6847a5e3c4994f533ab

SHA256
2fcb7122d82537af1dddcdc4716b51eb67aa11c084fa0d70599542dbcfea0810

SHA512
ff6b0b23b09947e3cb18b04dbac6b06bcf45b0b387485af3d940e81433da2d9abbd81f6cea72663902c99e386c889fb199de98413cb01b83e6f471e93b068c73

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe

Filesize
530KB

MD5
e9dc2ba3ab6e3eb50c052c9e421f371e

SHA1
e157cdbec494017c193b3674e9c1b4c96fc8db03

SHA256
2af79ad32ed87ec89b199615c26ba218603414d2acd3ef5fb195c823717061d2

SHA512
f78e96474d5e6c49d174df9a669afcd9bd3eee1790db04ea0dff3e1a9b75fb4248ede198945fe2f9c75da0efa9225b57aa2dfa7b7d1dd1e3cd9f36c382c16a86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe

Filesize
530KB

MD5
e9dc2ba3ab6e3eb50c052c9e421f371e

SHA1
e157cdbec494017c193b3674e9c1b4c96fc8db03

SHA256
2af79ad32ed87ec89b199615c26ba218603414d2acd3ef5fb195c823717061d2

SHA512
f78e96474d5e6c49d174df9a669afcd9bd3eee1790db04ea0dff3e1a9b75fb4248ede198945fe2f9c75da0efa9225b57aa2dfa7b7d1dd1e3cd9f36c382c16a86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p86152569.exe

Filesize
530KB

MD5
e9dc2ba3ab6e3eb50c052c9e421f371e

SHA1
e157cdbec494017c193b3674e9c1b4c96fc8db03

SHA256
2af79ad32ed87ec89b199615c26ba218603414d2acd3ef5fb195c823717061d2

SHA512
f78e96474d5e6c49d174df9a669afcd9bd3eee1790db04ea0dff3e1a9b75fb4248ede198945fe2f9c75da0efa9225b57aa2dfa7b7d1dd1e3cd9f36c382c16a86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r17692701.exe

Filesize
168KB

MD5
ff98657d4e0f1d3a9b6141b32d3c5600

SHA1
c8f13decf23bbf3a020db7397cf698477b00f224

SHA256
db3026b7488e9bdc40ab6b85b4c05fdc53861f2ecfacfcf3f7d4fdd726a0caf7

SHA512
e1e8078e459d95d5e210e87e8287a00dfe58c7aeb3f438afcf06f7392fb861f2c92cfc4164e12836b5be08c9280dbcf3c44154468bbf436b40974808c153081b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r17692701.exe

Filesize
168KB

MD5
ff98657d4e0f1d3a9b6141b32d3c5600

SHA1
c8f13decf23bbf3a020db7397cf698477b00f224

SHA256
db3026b7488e9bdc40ab6b85b4c05fdc53861f2ecfacfcf3f7d4fdd726a0caf7

SHA512
e1e8078e459d95d5e210e87e8287a00dfe58c7aeb3f438afcf06f7392fb861f2c92cfc4164e12836b5be08c9280dbcf3c44154468bbf436b40974808c153081b

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/668-116-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-134-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-92-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-94-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-96-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-98-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-100-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-102-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-104-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-106-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-108-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-110-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-112-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-114-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-88-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-118-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-120-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-122-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-124-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-126-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-128-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-130-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-132-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-90-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-136-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-140-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-138-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-144-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-146-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-142-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-2229-0x00000000054C0000-0x00000000054F2000-memory.dmp

Filesize
200KB

Download
memory/668-86-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-84-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-83-0x00000000027A0000-0x0000000002800000-memory.dmp

Filesize
384KB

Download
memory/668-81-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/668-78-0x0000000001220000-0x0000000001288000-memory.dmp

Filesize
416KB

Download
memory/668-82-0x00000000027A0000-0x0000000002806000-memory.dmp

Filesize
408KB

Download
memory/668-80-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/668-79-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/1624-2245-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1624-2239-0x0000000000B30000-0x0000000000B5E000-memory.dmp

Filesize
184KB

Download
memory/1624-2251-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/1624-2253-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/1876-2248-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

Filesize
192KB

Download
memory/1876-2249-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1876-2250-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/1876-2252-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads