Analysis
-
max time kernel
189s -
max time network
230s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-05-2023 20:59
General
-
Target
2378a089e86fe43035b8d0fa3705cd28.exe
-
Size
1.1MB
-
MD5
2378a089e86fe43035b8d0fa3705cd28
-
SHA1
5ce4651a5e00d94c5b51c6f44a12f8d167223b43
-
SHA256
bdf0f48d5fe2fbc3e89e5a370afea4306980daef0e4db38b3f48fb5979513f53
-
SHA512
6c88e726a772da47fb5f99ab98c7aa7816f788a1fc316f0ee54007fc01ad882e9e1d995c4753fce192e748771056511da73f6a12ed8891368a37bad1209785fb
-
SSDEEP
24576:qyRHOXfDEmTl0Z8ctUEQeWKS8iCBL9SLckRME1+uFVlUozHwFIW:xEX1dct+7TlMAL1+DuLlHkF
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2378a089e86fe43035b8d0fa3705cd28.exe"C:\Users\Admin\AppData\Local\Temp\2378a089e86fe43035b8d0fa3705cd28.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fF269465.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fF269465.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\le137535.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\le137535.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ve690686.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ve690686.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\106718830.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\106718830.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282773176.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282773176.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 10886⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389074692.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389074692.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457879449.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457879449.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2252 -ip 22521⤵
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
993KB
MD580aaf67aec35cb8d3d85a224cb04eee2
SHA11ec3ec9015cf7338fde523a70cb0c4e8dc34d4bf
SHA25621f51c99566f597b5d1808499b25dd25f75a7a202fc86d3472eda333f207c46a
SHA51283ab28f5b56a82a37a66f62e7b2a8cfb9350649a87f5ac5bb4db72d0c9668ffe3c1f20518b15e60269e6137ae1bf96af959a0ba05255bcce5053801389a26aa4
-
Filesize
993KB
MD580aaf67aec35cb8d3d85a224cb04eee2
SHA11ec3ec9015cf7338fde523a70cb0c4e8dc34d4bf
SHA25621f51c99566f597b5d1808499b25dd25f75a7a202fc86d3472eda333f207c46a
SHA51283ab28f5b56a82a37a66f62e7b2a8cfb9350649a87f5ac5bb4db72d0c9668ffe3c1f20518b15e60269e6137ae1bf96af959a0ba05255bcce5053801389a26aa4
-
Filesize
415KB
MD5bb5734e6ce0ce7c53702701160ed351f
SHA1425fd1c9f583496089d3aa3ef481d8db3a864085
SHA256b58952c85508aec56b9312bdd5ca71e085123227b754ad8797243ef6a1846c90
SHA5126ab9684c270587c568d5d70eae6e0bd1efb0f70d5420a6d0cd66a009841988b31c9db65ffa605e209018a807aae57c68750b484254733a4d4d2833cc7fca52b8
-
Filesize
415KB
MD5bb5734e6ce0ce7c53702701160ed351f
SHA1425fd1c9f583496089d3aa3ef481d8db3a864085
SHA256b58952c85508aec56b9312bdd5ca71e085123227b754ad8797243ef6a1846c90
SHA5126ab9684c270587c568d5d70eae6e0bd1efb0f70d5420a6d0cd66a009841988b31c9db65ffa605e209018a807aae57c68750b484254733a4d4d2833cc7fca52b8
-
Filesize
609KB
MD59e835d999a4690b0c2973cecb4450f31
SHA1c34402c03c106d931602e0ea8554a6de71f55a89
SHA2567ecdfb4c57e4e03fcab03eb57e7da29347cc64c5620b51fdeb764e7e5f48f249
SHA512cd9f39a1c11bdd4dce9c3ea62709e2b648deb14bd0386a4c3872d1aeb95bb3fe14c87ef54e2570091a638a7d952e151ac96e50930b64f47b0b8bbec6f2a41cf3
-
Filesize
609KB
MD59e835d999a4690b0c2973cecb4450f31
SHA1c34402c03c106d931602e0ea8554a6de71f55a89
SHA2567ecdfb4c57e4e03fcab03eb57e7da29347cc64c5620b51fdeb764e7e5f48f249
SHA512cd9f39a1c11bdd4dce9c3ea62709e2b648deb14bd0386a4c3872d1aeb95bb3fe14c87ef54e2570091a638a7d952e151ac96e50930b64f47b0b8bbec6f2a41cf3
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
437KB
MD5c2cbbdcf64bbc03e78d8b229cd07ec55
SHA1669927c6ad5e3f386196e62512d0ff3f970112d8
SHA256990be1d0d55861f39655f3f9e61d4c8cba8ed5923e7719bca34576807b39a72c
SHA512040214cc5d0a646a62a5cdecb6f2c33d99bb5ef4dd55bef223b2855a7ffe8ceb8a347e7d69d3058c03176681ae2583d605ec859ccc1e42480f83dc1aed512f66
-
Filesize
437KB
MD5c2cbbdcf64bbc03e78d8b229cd07ec55
SHA1669927c6ad5e3f386196e62512d0ff3f970112d8
SHA256990be1d0d55861f39655f3f9e61d4c8cba8ed5923e7719bca34576807b39a72c
SHA512040214cc5d0a646a62a5cdecb6f2c33d99bb5ef4dd55bef223b2855a7ffe8ceb8a347e7d69d3058c03176681ae2583d605ec859ccc1e42480f83dc1aed512f66
-
Filesize
175KB
MD52150ad95f5185c58e92e74d081b11440
SHA11fc797085a90335b61e126966a182acc4a23b643
SHA256d2a4c04d79c06939a99978d0525dacb9e5c9f4947001fce704a2104391763f83
SHA5127848bb43aea63192ae53027639291cb50f69a205ffa24fd77adbb00fee857d6a4632ba56d59939fb17f37f96e43932780164b15e321693fa1d5bbe320f567228
-
Filesize
175KB
MD52150ad95f5185c58e92e74d081b11440
SHA11fc797085a90335b61e126966a182acc4a23b643
SHA256d2a4c04d79c06939a99978d0525dacb9e5c9f4947001fce704a2104391763f83
SHA5127848bb43aea63192ae53027639291cb50f69a205ffa24fd77adbb00fee857d6a4632ba56d59939fb17f37f96e43932780164b15e321693fa1d5bbe320f567228
-
Filesize
332KB
MD592f61c1366d0e36062f9cea8c74f1970
SHA18d008c94c79add745979dcab1cc02eb670a53bd7
SHA25665b781d9af30a3a59d4c027ce750b3fc654845da7cb83947ad4db5ef441567a9
SHA51200e8116bef4a9c270f3f31e4f7b4737bd4114fabce3bcdb381894392ae5222a0d8156e1fd18c442964176c9981d166516b5255f8cc208c703b42a18666f903b9
-
Filesize
332KB
MD592f61c1366d0e36062f9cea8c74f1970
SHA18d008c94c79add745979dcab1cc02eb670a53bd7
SHA25665b781d9af30a3a59d4c027ce750b3fc654845da7cb83947ad4db5ef441567a9
SHA51200e8116bef4a9c270f3f31e4f7b4737bd4114fabce3bcdb381894392ae5222a0d8156e1fd18c442964176c9981d166516b5255f8cc208c703b42a18666f903b9
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
204KB
MD5c4852145b0b71f65b513ebbc0bdc0fbb
SHA1b63fe8c5313a89a76f82c4c6843da4b34a3991a4
SHA256171663052a944cb6f45b1b41432620a5834e8ec8a954dca658e294a28b99cff5
SHA51238f7842ffebb2a0b7d092c505bd8cdf41d925609b61dfc6c8457f27d6ddaeee46c11040b53823bba0756e4eb9a7a4bbb799eabcfdb24ee773cd2c1c821aea767
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
212KB
-
Filesize
6.1MB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
212KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
64KB
-
Filesize
5.6MB