Analysis

max time kernel: 133s
max time network: 168s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2023 20:48
Static task: static1

Behavioral task: behavioral1
Sample: 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Resource: win10v2004-20230220-en
General

Target: 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Size: 1.2MB
MD5: df7766644429147defcfbf52e0d66820
SHA1: 99590600560d874b868d0dc4cc058a5731eb21a6
SHA256: 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200
SHA512: 3051e4382ced519729f16121f67881f0f1c9ed8ed1d623e2aac65639c4ae14dc69b02db11826ca9999d8546df6292e12bc53491ffc214936f4996fac46972c36
SSDEEP: 24576:xy82+uEH5krSnSs2hKnH//FnK+PTJ4KFwvoanSZk9Zb7:k1SSs24H/xJooanSZk9
Malware Config

Extracted
Family: redline
Botnet: lisa
C2: 185.161.248.73:4164
auth_value: c2dc311db9820012377b054447d37949
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | s88696686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | s88696686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | s88696686.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | s88696686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | s88696686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | s88696686.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid | Process
332 | z47808691.exe
472 | z86481943.exe
592 | z70605767.exe
1720 | s88696686.exe
1468 | t25872183.exe

Loads dropped DLL (10 IoCs)
pid | Process
1524 | 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
332 | z47808691.exe
332 | z47808691.exe
472 | z86481943.exe
472 | z86481943.exe
592 | z70605767.exe
592 | z70605767.exe
1720 | s88696686.exe
592 | z70605767.exe
1468 | t25872183.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | s88696686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | s88696686.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z70605767.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z47808691.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z47808691.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z86481943.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z86481943.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z70605767.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1720 | s88696686.exe
1720 | s88696686.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1720 | s88696686.exe

Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target | count
PID 1524 wrote to memory of 332 | 1524 | 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe | 27 | 7
PID 332 wrote to memory of 472 | 332 | z47808691.exe | 28 | 7
PID 472 wrote to memory of 592 | 472 | z86481943.exe | 29 | 7
PID 592 wrote to memory of 1720 | 592 | z70605767.exe | 30 | 7
PID 592 wrote to memory of 1468 | 592 | z70605767.exe | 31 | 7
Processes

C:\Users\Admin\AppData\Local\Temp\1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe"
  PID: 1524
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z47808691.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z47808691.exe
    PID: 332
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86481943.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86481943.exe
      PID: 472
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70605767.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70605767.exe
        PID: 592
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s88696686.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s88696686.exe
          PID: 1720
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t25872183.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t25872183.exe
          PID: 1468
          - Executes dropped EXE
          - Loads dropped DLL

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 979KB
MD5: f6103e0b00a2bdd96699acbfe3ad2661
SHA1: da92ee7657a4a6c8331dd985ea9cd98a26048eab
SHA256: 33a7d7ba45a05b90b68453572f5b258ef60af216893d8ee311c065a0900d5fbb
SHA512: 5a982c8992866d449826cdcc703476a746f7da0b52ac6ffb5524981471862b9217479b2023ccbbfc378415570c388996e53b84d4b1c0b7639a32b38d776d144c

Filesize: 796KB
MD5: 62dde79d46cf2a27f4414287b2cae269
SHA1: f9d1a45cc622500129d4b870e0ce2688839c50b0
SHA256: ee1445f6872e01ec7f880b4c1a2f99136d5ee85ea0deaaaa925dfacae6789d99
SHA512: 6e5e1e19d1b053283225e8f1cd11ae09d86f0e1e9a0797f5b2f9e2143594026a33a402744169d41edbed1162aac7b47f4e06dda54cbd8d100f3611e57828ecf6

Filesize: 310KB
MD5: ac6d9e942afb345cfd34c31e3c1090c4
SHA1: c3f1537197e9df73fc0dd3c5c7a35c13be255d53
SHA256: 73ca18df1ac0851b1178b90baabf6c4bbc7d9804de10033ef1ea2ce740eb48f6
SHA512: ef502068f666466291ef2ae0b11526649873e8d8d61832ba1dac0eec50859b9a8f8d347e8c2f1c5410430137489930a3cf0003ffd86daa6522851251125ec486

Filesize: 177KB
MD5: 315004f0bf0ad63ef13d8e7b7bce9cf4
SHA1: 711bb77789ef1dcbe6fc5ad97f8aafc717715676
SHA256: 9b71e96b163fd2bb59185fcdc65189a52190aaa7ca919f23c661119e4a918ad1
SHA512: 7d999724d7d4e6c247017faea84ac1fb170ee9f02368fda144abe1bd365db75e2d20ee37059b81c4badf67d358344bfd7fc892ab5cddd4272f163cd6360dbfe7

Filesize: 168KB
MD5: 630dbb29491ee1e66ecce3f2627eae78
SHA1: 4896ed4e19096b70a247013589239e16b0c865de
SHA256: 6373f077eead9fb9e8a34fbca2fea9dc2446dab7d0f2994d9f36134f289e6270
SHA512: 63dabfac22949550ecb237802a2cc99774f8e6c61008e867683389e43f23dba7ca80bdfb4cfe8a6c4d0d621f1a4c5fbdee606ec005afdc1f41023ca5ace66444