Analysis
-
max time kernel
133s
-
max time network
209s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
07/05/2023, 18:58
Static task
static1
Behavioral task
behavioral1
Sample
ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe
Resource
win10v2004-20230220-en
General
-
Target
ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe
-
Size
480KB
-
MD5
00bc08db16053d06de3dde825bd163e2
-
SHA1
38b0038120678226e437a0ee5e7517079a4dee0a
-
SHA256
ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74
-
SHA512
4d5cb9da4e0bb065ea2171aa1f33aa2638247ff48a07234880c341b0aa3488ae9fb8ed040b163ce6fd0527cbc81c8b799267adbffaacdef1e3f982821337b7c4
-
SSDEEP
6144:Kgy+bnr+9p0yN90QEEaNE+p9YMLQ3TckMnpD2DPfwUI/AdP00NFB3wEQr2cDVAzH:AMrpy90zDDQ02DnrsQFBnQaKDPH+BMU
Malware Config
Extracted
redline
misar
217.196.96.101:4132
-
auth_value
069dd9eeee8cff502b661416888f692a
Signatures
-
Modifies Windows Defender Real-time Protection settings
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  a8048361.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  a8048361.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  a8048361.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a8048361.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  a8048361.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  a8048361.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation  d8124573.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation  oneetx.exe
-
Executes dropped EXE 6 IoCs
pid  Process
1888  v4037480.exe
4052  a8048361.exe
3172  b3319523.exe
3404  d8124573.exe
4644  oneetx.exe
640  oneetx.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Windows security modification
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  a8048361.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  a8048361.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  v4037480.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  v4037480.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
1392  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
4052  a8048361.exe
4052  a8048361.exe
3172  b3319523.exe
3172  b3319523.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  4052  a8048361.exe
Token: SeDebugPrivilege  3172  b3319523.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
3404  d8124573.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
description  pid  Process  procid_target (each event is recorded three times in the report; listed once here)
PID 1972 wrote to memory of 1888  1972  ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe  82
PID 1888 wrote to memory of 4052  1888  v4037480.exe  83
PID 1888 wrote to memory of 3172  1888  v4037480.exe  85
PID 1972 wrote to memory of 3404  1972  ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe  86
PID 3404 wrote to memory of 4644  3404  d8124573.exe  87
PID 4644 wrote to memory of 1392  4644  oneetx.exe  88
PID 4644 wrote to memory of 840  4644  oneetx.exe  90
PID 840 wrote to memory of 4808  840  cmd.exe  92
PID 840 wrote to memory of 4696  840  cmd.exe  93
PID 840 wrote to memory of 2452  840  cmd.exe  94
PID 840 wrote to memory of 4592  840  cmd.exe  95
PID 840 wrote to memory of 3412  840  cmd.exe  96
PID 840 wrote to memory of 1876  840  cmd.exe  97
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ccd3a0864a7f159f1b1253a990224f7901459e7f3a85256edd391c1c9919fe74.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4037480.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4037480.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1888
  -
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8048361.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8048361.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
    -
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3319523.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3319523.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
    -
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8124573.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8124573.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3404
  -
    [depth 3] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4644
    -
      [depth 4] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      - Creates scheduled task(s)
      PID:1392
      -
      [depth 4] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      PID:840
      -
        [depth 5] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID:4808
        -
        [depth 5] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "oneetx.exe" /P "Admin:N"
        PID:4696
        -
        [depth 5] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "oneetx.exe" /P "Admin:R" /E
        PID:2452
        -
        [depth 5] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID:4592
        -
        [depth 5] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\c3912af058" /P "Admin:N"
        PID:3412
        -
        [depth 5] C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\c3912af058" /P "Admin:R" /E
        PID:1876
        -
[depth 1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
- Executes dropped EXE
PID:640
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
209KB
MD5
993e3e6726b754566442bc28d240087e
SHA1
f9dc18a40f02b64b454d5d2243437b2848691bf9
SHA256
61731d72baec2af466f66f251580e064171728b4e31f3ceb47b7b8b80131d1f0
SHA512
db31e6b08f4abf8ee3296f7da08dc632f0eeae2629f08cfb35e490536e7874a936a168779cae6fa6af14ed72cee9f662cfefebdadf95177684884013a745d0fd
-
Filesize
309KB
MD5
b0d9c5db14ebf57b07af375813da394a
SHA1
6e3c1726068f781ff0edbd8c0a541027a997510a
SHA256
b8ae5739c680a408e911a73865bbfbb2343222e7ca4ee99b17a3859fb5c7b92e
SHA512
d1ff9dd9e3cd5fb5905575bed308db9291bcf502f4be083e907429e908be209e2ad1d20576b6ff20cb762514e12b90d1982184b0d5bee9178f3d09abbc0a6b1f
-
Filesize
178KB
MD5
bd7f518fa23a0432f37446d6b10ec49f
SHA1
87fbc1d6fd374375b9ad81f9b823cdf209f3ffc7
SHA256
d1603d1eda764200c56ce006726e0f4828cf53bbc22916175a4eb7cb31cf0347
SHA512
ef9d15faf944fd9609cc4c998773b859e26899d70dcb8bbdc1df4c66ce05fceeafe95f3456ae28ef3228520bd04aa00da53546713847df4578b626f0bbf160fa
-
Filesize
168KB
MD5
c51c784cff6af2fe897a414349779ed2
SHA1
3e15484c3d7b0927294bf0538af0e2983cc2c098
SHA256
ba854a6d676d16d249155e5d2b51b5843d67dc6b29761b9d29c73b9ef735a20d
SHA512
c6247e2ca4c3f9ead23d7168d926772f26bfbe571cc2d15a8408186723ac73bb06f415880289b10f240866de566df1924f73c937379b0794d2262f7417012851