Analysis
- max time kernel: 137s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2023 05:31

Static task: static1
Behavioral task: behavioral1
Sample: b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0.exe
Resource: win10v2004-20230220-en
General
- Target: b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0.exe
- Size: 479KB
- MD5: bf67c3b553af9e16f492858ccb51f152
- SHA1: 876fd67d69de7efaf300cc150cdc917e4fc7982f
- SHA256: b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0
- SHA512: da115c700a70d1093715f2b5a55e69a2dd990b2c3a8dadd4e85bd0143c0002551bcd9a98bd510da4a0b11befb449b4985791a465630b16bea52dc56b3838bcb7
- SSDEEP: 12288:9MrSy90BXThEtYRQ8hx4G6FX8zrHiAtCB6Gi2rn:7ykXThEtYR3lrzGDrn
Malware Config
Extracted
- Family: redline
- Botnet: divan
- C2: 217.196.96.102:4132
- auth_value: b414986bebd7f5a3ec9aee0341b8e769
Signatures

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (h2586188.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (h2586188.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (h2586188.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (h2586188.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (h2586188.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (h2586188.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation (i9781007.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation (oneetx.exe)
Executes dropped EXE 7 IoCs
- PID 1820: x3502999.exe
- PID 2384: g1096407.exe
- PID 460: h2586188.exe
- PID 4624: i9781007.exe
- PID 4484: oneetx.exe
- PID 4452: oneetx.exe
- PID 944: oneetx.exe

Loads dropped DLL 1 IoCs
- PID 3612: rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (h2586188.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (h2586188.exe)
Adds Run key to start application 2 TTPs 4 IoCs
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (x3502999.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x3502999.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4556: schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 2384: g1096407.exe
- PID 2384: g1096407.exe
- PID 460: h2586188.exe
- PID 460: h2586188.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 2384: g1096407.exe
- Token: SeDebugPrivilege, PID 460: h2586188.exe

Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4624: i9781007.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0.exe (PID 1500)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b866397dcd34fa55c468ef01081cee2b9761f6eeea998b3fe5b609e8ca29c6c0.exe"
   Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3502999.exe (PID 1820)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3502999.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1096407.exe (PID 2384)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1096407.exe
         Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2586188.exe (PID 460)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2586188.exe
         Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9781007.exe (PID 4624)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9781007.exe
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID 4484)
         Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
         Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe (PID 4556)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
            Signatures: Creates scheduled task(s)
         4. C:\Windows\SysWOW64\cmd.exe (PID 4536)
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
            Signatures: Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe (PID 1700)
               Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5. C:\Windows\SysWOW64\cacls.exe (PID 4980)
               Command line: CACLS "oneetx.exe" /P "Admin:N"
            5. C:\Windows\SysWOW64\cacls.exe (PID 4988)
               Command line: CACLS "oneetx.exe" /P "Admin:R" /E
            5. C:\Windows\SysWOW64\cmd.exe (PID 888)
               Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5. C:\Windows\SysWOW64\cacls.exe (PID 768)
               Command line: CACLS "..\c3912af058" /P "Admin:N"
            5. C:\Windows\SysWOW64\cacls.exe (PID 1636)
               Command line: CACLS "..\c3912af058" /P "Admin:R" /E
         4. C:\Windows\SysWOW64\rundll32.exe (PID 3612)
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            Signatures: Loads dropped DLL

1. C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID 4452)
   Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
   Signatures: Executes dropped EXE

1. C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID 944)
   Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
   Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads