Analysis
max time kernel
100s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
10/05/2023, 14:43
Static task
static1
Behavioral task
behavioral1
Sample
7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe
Resource
win10v2004-20230221-en
General
Target
7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe
Size
488KB
MD5
da5c3d119ea459fde127362cdfecc6c7
SHA1
5e147a42b7db9ab9b50b62c9d01c8b006a1f8949
SHA256
7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0
SHA512
8783a4068c002218911d49df58383a8847bf4c67a146a8a6703b6ff6fe35dfb2bf09684e584bc47427efdac45cbd645335244a18ee372d62426c6c0655d084ea
SSDEEP
12288:QMrSy90E3JA18wWLKu9dHynCYNj/VPXqWF3tR:SyB5A1rWOu9ZitpPJtR
Malware Config
Extracted
redline
mauga
217.196.96.102:4132
auth_value
36f5411cf117f54076fbbb9ea0631fee
Signatures
Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (a8834149.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a8834149.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a8834149.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a8834149.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a8834149.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a8834149.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation (oneetx.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation (d4330736.exe)
Executes dropped EXE 7 IoCs
- PID 3516: v9340159.exe
- PID 4840: a8834149.exe
- PID 1036: b7169157.exe
- PID 3880: d4330736.exe
- PID 844: oneetx.exe
- PID 3228: oneetx.exe
- PID 4780: oneetx.exe
Loads dropped DLL 1 IoCs
- PID 2692: rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a8834149.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a8834149.exe)
Adds Run key to start application 2 TTPs 4 IoCs
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v9340159.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v9340159.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3144: schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 4840: a8834149.exe
- PID 4840: a8834149.exe
- PID 1036: b7169157.exe
- PID 1036: b7169157.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 4840: a8834149.exe
- Token: SeDebugPrivilege, PID 1036: b7169157.exe
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 3880: d4330736.exe
Suspicious use of WriteProcessMemory 42 IoCs
Each row is recorded three times in the report; the 14 distinct rows (source pid, source process, target pid, procid_target) are:
- PID 3724 (7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe) wrote to memory of 3516, procid_target 83
- PID 3516 (v9340159.exe) wrote to memory of 4840, procid_target 84
- PID 3516 (v9340159.exe) wrote to memory of 1036, procid_target 88
- PID 3724 (7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe) wrote to memory of 3880, procid_target 89
- PID 3880 (d4330736.exe) wrote to memory of 844, procid_target 90
- PID 844 (oneetx.exe) wrote to memory of 3144, procid_target 91
- PID 844 (oneetx.exe) wrote to memory of 2856, procid_target 93
- PID 2856 (cmd.exe) wrote to memory of 3316, procid_target 95
- PID 2856 (cmd.exe) wrote to memory of 768, procid_target 96
- PID 2856 (cmd.exe) wrote to memory of 5088, procid_target 97
- PID 2856 (cmd.exe) wrote to memory of 4916, procid_target 98
- PID 2856 (cmd.exe) wrote to memory of 3224, procid_target 99
- PID 2856 (cmd.exe) wrote to memory of 3992, procid_target 100
- PID 844 (oneetx.exe) wrote to memory of 2692, procid_target 107
Processes
Each entry gives the tree level, the image path, the command line and the PID, followed by the signatures that fired for that process.

Level 1: C:\Users\Admin\AppData\Local\Temp\7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e2d5e21ab02e6983bdcb465f0a3de0ad0db16be122633f60200d5d19da8f4f0.exe"
  PID: 3724
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9340159.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9340159.exe
    PID: 3516
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8834149.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8834149.exe
      PID: 4840
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7169157.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7169157.exe
      PID: 1036
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4330736.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4330736.exe
    PID: 3880
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
      PID: 844
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        PID: 3144
        - Creates scheduled task(s)

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        PID: 2856
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID: 3316

        Level 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "oneetx.exe" /P "Admin:N"
          PID: 768

        Level 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "oneetx.exe" /P "Admin:R" /E
          PID: 5088

        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID: 4916

        Level 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\c3912af058" /P "Admin:N"
          PID: 3224

        Level 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\c3912af058" /P "Admin:R" /E
          PID: 3992

      Level 4: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        PID: 2692
        - Loads dropped DLL

Level 1: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 3228
  - Executes dropped EXE

Level 1: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 4780
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists 17 dropped files; identical hash sets are merged below with the number of times each was listed.

Filesize
213KB (listed 7 times)
MD5
43ba32cd79d775e637d25bee7fdb3f68
SHA1
ac6d178f669f794d1c2104d10dbb8616124e923a
SHA256
c820481b6abffd618b6a1c6f653172f96602d155c916f20b53a724e2ba3a45cb
SHA512
ed80a71a54808f27399be98cde0ff54bfa5713f74509f4ff461cc907140dd228a85586245e3441b25d393228aa0a16c422ffd3b425c7add9bdcfb39267ec0db2

Filesize
316KB (listed 2 times)
MD5
858c786bc79f1a89cf886a2bb5281829
SHA1
8fb09d40e24593379f53927cf9566ec14526a585
SHA256
81fcae2d8e62b5a1d828e5562e5681cb793172f43aaa779dd60b88c934e68373
SHA512
9325bb1827c6016b96dbc3c2d4e051983f16f533f155cd0097e147b929bd65a173eb518fec663ea29109a1ac1682969e5be338647cc26137732a4c5c60950dbd

Filesize
184KB (listed 2 times)
MD5
382eea76313d3e8783cbc41e7a71441d
SHA1
ea7b778f5b4c53e61591e025e8c595baef81eefc
SHA256
366d735e1bddf797f1f9fc6890884112c3e4558c6af87afc54172f081e34b666
SHA512
fd34210c8d94af985587dc68b00a1e6f68454458d40e570c2ffa7405663d366301f45d48c48236558ee4d7f808dc76d8da4350110c3a51f704811e902ce482a2

Filesize
168KB (listed 2 times)
MD5
4a45824b78c92a59e967ac7cab6d028f
SHA1
e0a0d08d7f09f83b0d0f7ada26c5e6b02225ec1d
SHA256
73dbda21e14f4f0d5d63c51fce24afc6e70f5d254f012c93bcfeb5f72abfb166
SHA512
d904abfc39d1e3693ea653ed73508feddae264877a1cb1ff162ff761674621f17c11237d87014ec521d2ea454f50be464814ef4a48d47e483544ebc833574a91

Filesize
89KB (listed 3 times)
MD5
8451a2c5daa42b25333b1b2089c5ea39
SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Filesize
162B (listed 1 time)
MD5
1b7c22a214949975556626d7217e9a39
SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5