Analysis

max time kernel: 145s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2023, 02:29
Static task: static1
Behavioral task: behavioral1
Sample: 8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe
Resource: win10v2004-20230220-en

General

Target: 8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe
Size: 481KB
MD5: 6d78c49d036c32687968824e9d00dfd7
SHA1: d77a5171c7a95b76dc19a3032d2669b8022b17a1
SHA256: 8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da
SHA512: 4e571797a133674cf70f5b717c9667e4293527caed3e446b8ae9b9d01948ef296724588c09149e082503c555e98834abda974d02f36966618d6204045603607b
SSDEEP: 12288:qMrty90d9ZU8c7BTE5geRBib2rTYzqwCG7x:nyAqdTHQez0ix
Malware Config

Extracted
Family: redline
Botnet: mihan
C2: 217.196.96.101:4132
auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Modifies Windows Defender Real-time Protection settings
Process: a4970721.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
All of these writes landed under WOW6432Node: a4970721.exe is a 32-bit process, so its HKLM\SOFTWARE writes went through WOW64 registry redirection. When triaging a 64-bit host, check both the native Policies\Microsoft\Windows Defender key and the WOW6432Node copy, and treat a logged Set value call as an attempt rather than proof that real-time protection was actually switched off.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (d6222579.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (oneetx.exe)
Executes dropped EXE 7 IoCs
- PID 2036 v0883620.exe
- PID 1636 a4970721.exe
- PID 4684 b3747420.exe
- PID 4296 d6222579.exe
- PID 2404 oneetx.exe
- PID 636 oneetx.exe
- PID 3932 oneetx.exe

Loads dropped DLL 1 IoCs
- PID 2556 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Process: a4970721.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Writing TamperProtection = 0 is an attempt to switch Defender's Tamper Protection off. Tamper Protection is designed to reject exactly this kind of change from a non-Defender process, so the logged write shows intent, not a confirmed result; confirm on the host with Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled).
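Turning the two Defender registry tables above (the Real-Time Protection policy values and the TamperProtection write) into a detection, as an added example that is not code from the sandbox report: it parses sandbox-style "Set value" / "Key created" lines, the ones listed for a4970721.exe plus one constructed benign line, flags the policy values that disable real-time protection and the TamperProtection = 0 write, and records whether each write was WOW64-redirected. The line grammar, the regexes and the rule thresholds are this example's own assumptions, not the sandbox's.

```python
"""Flag Windows Defender tampering in sandbox-style registry events.

Added example, not code from the sandbox report. The event lines are
transcribed from the report's two registry tables for a4970721.exe (plus one
constructed benign line); the line parser and the rules are this example's
own assumptions.
"""
import re

# Policy values under ...\Real-Time Protection that, when set to 1, switch a
# protection component off or keep it from being re-enabled.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection",
}
RTP_KEY = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\Microsoft\Windows Defender\Features"

# 'Set value (<type>) <path> = "<data>" <process>' or 'Key created <path> <process>'
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?\s+(?P<proc>\S+)$'
)

POL = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [  # first eight lines as listed in the report for a4970721.exe
    f'Set value (int) {POL}\\DisableRealtimeMonitoring = "1" a4970721.exe',
    f'Set value (int) {POL}\\DisableScanOnRealtimeEnable = "1" a4970721.exe',
    f'Key created {POL} a4970721.exe',
    f'Set value (int) {POL}\\DisableBehaviorMonitoring = "1" a4970721.exe',
    f'Set value (int) {POL}\\DisableIOAVProtection = "1" a4970721.exe',
    f'Set value (int) {POL}\\DisableOnAccessProtection = "1" a4970721.exe',
    f'Key created {FEAT} a4970721.exe',
    f'Set value (int) {FEAT}\\TamperProtection = "0" a4970721.exe',
    # Constructed benign control (not from the report): native key, data 0, must not fire.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
    r'\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]


def parse_event(line):
    """Split one report line into op, key path, value name, data and process."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"op": m.group("op"), "key": key, "name": name, "value": m.group("value"),
            "proc": m.group("proc"), "wow64": "\\WOW6432NODE\\" in m.group("path").upper()}


def evaluate(lines):
    """One finding per write that weakens Defender; key creation alone is not reported."""
    findings = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["op"] == "Key created":
            continue
        key, name, value = ev["key"].lower(), ev["name"], ev["value"]
        hit = None
        if key.endswith(RTP_KEY.lower()) and name in RTP_DISABLE_VALUES and value == "1":
            hit = f"real-time protection policy {name} = 1"
        elif key.endswith(FEATURES_KEY.lower()) and name == "TamperProtection" and value == "0":
            hit = "TamperProtection = 0 (attempt to switch Tamper Protection off)"
        if hit:
            findings.append({"proc": ev["proc"], "finding": hit,
                             "wow64_redirected": ev["wow64"]})
    return findings


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        flag = " (WOW64-redirected write)" if hit["wow64_redirected"] else ""
        print(f'{hit["proc"]}: {hit["finding"]}{flag}')
```

The rule keys on the value name and data, not on the key path alone, so a policy refresh that writes 0 to the same value (the constructed gpupdate.exe line) stays quiet. On a live host, confirm the outcome with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than trusting the logged write: a WOW6432Node-redirected write may not have touched the policy key Defender actually reads.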
Adds Run key to start application 2 TTPs 4 IoCs
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v0883620.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v0883620.exe)
Caveat: these RunOnce values are the standard clean-up hook written by Microsoft's WExtract self-extractor (advpack.dll DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at the next logon), not persistence for the payload. They show that the sample is a two-level self-extracting wrapper (IXP000.TMP from the outer file, IXP001.TMP from v0883620.exe). The persistence that matters is the scheduled task created for oneetx.exe, listed under Creates scheduled task(s) and in the process tree.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4100 schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 1636 a4970721.exe (listed twice)
- PID 4684 b3747420.exe (listed twice)

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 1636 a4970721.exe
- Token: SeDebugPrivilege, PID 4684 b3747420.exe

Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4296 d6222579.exe
Suspicious use of WriteProcessMemory 42 IoCs
Each pair below is listed three times in the report (14 distinct pairs, 42 IoCs); procid_target is the report's internal id for the target process. In every case the writer is the target's parent, which is consistent with the writes a parent makes into a newly created child during process start-up rather than injection into an unrelated process.
writer pid -> target pid  writer Process  procid_target
3420 -> 2036  8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe  84
2036 -> 1636  v0883620.exe  85
2036 -> 4684  v0883620.exe  90
3420 -> 4296  8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe  94
4296 -> 2404  d6222579.exe  95
2404 -> 4100  oneetx.exe  96
2404 -> 2696  oneetx.exe  98
2696 -> 3100  cmd.exe  100
2696 -> 3936  cmd.exe  101
2696 -> 336  cmd.exe  102
2696 -> 1176  cmd.exe  103
2696 -> 872  cmd.exe  104
2696 -> 1764  cmd.exe  105
2404 -> 2556  oneetx.exe  107
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe (PID 3420)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0883620.exe (PID 2036)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0883620.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4970721.exe (PID 1636)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4970721.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3747420.exe (PID 4684)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3747420.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6222579.exe (PID 4296)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6222579.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID 2404)
            Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe (PID 4100)
                Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
                - Creates scheduled task(s)

            [4] C:\Windows\SysWOW64\cmd.exe (PID 2696)
                Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe (PID 3100)
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

                [5] C:\Windows\SysWOW64\cacls.exe (PID 3936)
                    Command line: CACLS "oneetx.exe" /P "Admin:N"

                [5] C:\Windows\SysWOW64\cacls.exe (PID 336)
                    Command line: CACLS "oneetx.exe" /P "Admin:R" /E

                [5] C:\Windows\SysWOW64\cmd.exe (PID 1176)
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

                [5] C:\Windows\SysWOW64\cacls.exe (PID 872)
                    Command line: CACLS "..\c3912af058" /P "Admin:N"

                [5] C:\Windows\SysWOW64\cacls.exe (PID 1764)
                    Command line: CACLS "..\c3912af058" /P "Admin:R" /E

            [4] C:\Windows\SysWOW64\rundll32.exe (PID 2556)
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID 636)
    Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID 3932)
    Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    - Executes dropped EXE

Notes on the tree:
- The first stage (PID 3420) and v0883620.exe are self-extracting wrappers: each unpacks into an IXP00n.TMP directory under the user's Temp and registers a wextract_cleanup RunOnce value to delete it later. a4970721.exe (Defender tampering, SeDebugPrivilege) and b3747420.exe run from the inner archive; d6222579.exe drops and launches c3912af058\oneetx.exe, which does the persistence work.
- oneetx.exe persists through a scheduled task named oneetx.exe that runs the binary every minute (/SC MINUTE /MO 1, /F overwrites any existing task), then locks its own file and directory with cacls: "Admin:N" removes all access for the current user and "Admin:R /E" adds read-only back, so the user, and tools running as the user, cannot delete or modify it without first taking ownership or fixing the ACL from an elevated context. The two later oneetx.exe instances (PIDs 636 and 3932) with no parent in the tree are consistent with the task firing.
- schtasks.exe, cmd.exe, cacls.exe and rundll32.exe were requested under System32 but ran from SysWOW64: oneetx.exe is 32-bit and its calls went through WOW64 file-system redirection, the same mechanism behind the WOW6432Node registry paths in the signatures.
- rundll32 loads clip64.dll from AppData\Roaming through its Main export (the Loads dropped DLL signature).
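The process tree above, rebuilt from the report's pid/parent/command-line data and checked with a few rules, as an added example that is not code from the sandbox report: it verifies that every WriteProcessMemory pair is a parent writing into its own child, and flags processes running from WExtract IXP###.TMP directories, the minute-interval scheduled task whose target is its parent's own image, the cacls commands that deny the current user access to the dropped binary and its directory, and rundll32 loading a DLL from AppData\Roaming. PROCS and WPM_EDGES are transcribed from the report; the tree builder, the cross-check and the rule regexes are this example's own assumptions.

```python
"""Rebuild the report's process tree and run persistence/evasion rules over it.

Added example, not code from the sandbox report. PROCS and WPM_EDGES are
transcribed from the report's Processes section and WriteProcessMemory table;
the tree builder, the edge cross-check and the rules are this example's own.
"""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
# (pid, ppid, image, command line); ppid 0 = shown at top level in the report.
PROCS = [
    (3420, 0, T + r"\8c8a98a84b8953ba6f8729d84d282a679749635925a98e9057768f70bdcfb3da.exe", ""),
    (2036, 3420, T + r"\IXP000.TMP\v0883620.exe", ""),
    (1636, 2036, T + r"\IXP001.TMP\a4970721.exe", ""),
    (4684, 2036, T + r"\IXP001.TMP\b3747420.exe", ""),
    (4296, 3420, T + r"\IXP000.TMP\d6222579.exe", ""),
    (2404, 4296, T + r"\c3912af058\oneetx.exe", ""),
    (4100, 2404, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "'
     + T + r'\c3912af058\oneetx.exe" /F'),
    (2696, 2404, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS '
     r'"oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS '
     r'"..\c3912af058" /P "Admin:R" /E&&Exit'),
    (3100, 2696, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (3936, 2696, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    (336, 2696, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:R" /E'),
    (1176, 2696, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    (872, 2696, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\c3912af058" /P "Admin:N"'),
    (1764, 2696, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\c3912af058" /P "Admin:R" /E'),
    (2556, 2404, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (636, 0, T + r"\c3912af058\oneetx.exe", ""),
    (3932, 0, T + r"\c3912af058\oneetx.exe", ""),
]
# Distinct (writer pid, target pid) pairs from the WriteProcessMemory table.
WPM_EDGES = [(3420, 2036), (2036, 1636), (2036, 4684), (3420, 4296), (4296, 2404),
             (2404, 4100), (2404, 2696), (2696, 3100), (2696, 3936), (2696, 336),
             (2696, 1176), (2696, 872), (2696, 1764), (2404, 2556)]

WEXTRACT = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)        # WExtract/IExpress unpack dir
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
TASK_TR = re.compile(r'/TR\s+"([^"]+)"', re.I)
TASK_MO = re.compile(r"/MO\s+(\d+)", re.I)

def build_tree(procs):
    by_pid = {pid: {"pid": pid, "ppid": ppid, "image": img, "cmd": cmd}
              for pid, ppid, img, cmd in procs}
    children = defaultdict(list)
    for p in by_pid.values():
        children[p["ppid"]].append(p["pid"])
    return by_pid, children

def render(by_pid, children, root=0, depth=0):
    """One indented line per process, in the report's order."""
    out = []
    for pid in children.get(root, []):
        name = by_pid[pid]["image"].rsplit("\\", 1)[-1]
        out.append("  " * depth + f"{pid} {name}")
        out.extend(render(by_pid, children, pid, depth + 1))
    return out

def foreign_writes(by_pid, edges):
    """Writes whose writer is not the target's parent: candidates for real
    injection, as opposed to a parent's start-up writes into its own child."""
    return [(w, t) for w, t in edges if by_pid.get(t, {}).get("ppid") != w]

def run_rules(by_pid):
    findings = []
    for p in by_pid.values():
        pid, image, cmd = p["pid"], p["image"], p["cmd"]
        name = image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(p["ppid"])
        if WEXTRACT.search(image):
            findings.append((pid, "runs from a WExtract IXP###.TMP extraction directory"))
        if name == "schtasks.exe" and "/create" in cmd.lower():
            tr, mo = TASK_TR.search(cmd), TASK_MO.search(cmd)
            if re.search(r"/SC\s+MINUTE", cmd, re.I) and tr and USER_TEMP.search(tr.group(1)):
                every = mo.group(1) if mo else "?"
                findings.append((pid, f"task every {every} min runs a binary from user Temp"))
            if tr and parent and tr.group(1).lower() == parent["image"].lower():
                findings.append((pid, f"task target is the parent's own image (pid {parent['pid']} persists itself)"))
        if name in ("cmd.exe", "cacls.exe"):
            for target, user in CACLS_DENY.findall(cmd):
                findings.append((pid, f"cacls denies {user} all access to {target} (anti-deletion ACL lock)"))
        if name == "rundll32.exe" and ROAMING.search(cmd):
            findings.append((pid, "rundll32 loads a DLL from the user's Roaming profile"))
    return findings

if __name__ == "__main__":
    by_pid, children = build_tree(PROCS)
    print("\n".join(render(by_pid, children)))
    print("writes not matching parent->child:", foreign_writes(by_pid, WPM_EDGES))
    for pid, msg in run_rules(by_pid):
        print(f"[{pid}] {msg}")
```

The cacls rule fires on both the cmd.exe line and the individual cacls.exe children, which is what you want in telemetry where only one of the two may be logged; the scheduled-task rule compares the /TR target against the parent's image so that a loader persisting itself stands out from a legitimate installer registering some other program.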
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 211KB (listed 6 times in the sandbox's download list)
MD5: cbe374d93258149c49c81b1f45b38657
SHA1: 5166170470da5cae3a1e3bf563e92cd09f9ba7ed
SHA256: d0cafdcbc21ba1315995e97e685859e698823ac04204c85c4cddeda75072d6e0
SHA512: 06c12b8ac9732acbe41023a50cb51a065c8527d6340af08878c484e2540b12595ebf3af55c61a7755a0fb80691aed44af5c58d7e49c2c49d02728548740c93db
Filesize: 309KB (listed twice)
MD5: ced5b3d1d64811e9025f1dfd8495722c
SHA1: c0dcf10b5fd1893c680c90e87e19854cc294b2a8
SHA256: 64d10c930c78ed38ee23737b22ec03cd37b46ae5afe79858bd4810fb862b91d1
SHA512: e49a543f75af4c9dddf8bc3757b57f1e512cf7255f7e743a30c9b46c2cf98d95b797877318ae352bd3df5f85a0238e77104871458fc71c7357771bce573686cb
Filesize: 180KB (listed twice)
MD5: 58cd1cd2c0f2428a3ba2c65d8d7afd27
SHA1: 0699b2ea4f055f1c0ddad76a3b907e5e2d7846f0
SHA256: 03cb201349063b2efa68e453fe8aaa6453bb45306e3b4661d5d916c90b57c242
SHA512: b193ccbc6844b8c9fdbecaa1ded21b873158d8c57ec98741c8512bd6363c03a39fd099a7c7b4f6e6c15f52d46a63f4977df01853f98815ba82cbf93f7ea8e248
Filesize: 168KB (listed twice)
MD5: 3b07997cc09a27289be9fc3b9bae2825
SHA1: 55149ef3654ec4db3e1ccabdc436c45fff3b45c2
SHA256: fb8a70e7e4238770d225610e50055ed7e62c7ca89a056bf1ae6d63be1fef15d8
SHA512: e90b2255d9b1c5637d7dc60505c51794d5135c6be96cc54c32d9e9c695fe638fcfe12ca7fa0e54c6eb0829e6cd578700e4bc807ee2bffdbe721534974f19f364
Filesize: 89KB (listed 3 times)
MD5: 8451a2c5daa42b25333b1b2089c5ea39
SHA1: 700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256: b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA512: 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5