redline | ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf

Resubmissions

11/05/2023, 21:05

230511-zxhydaaf49 10

11/05/2023, 18:45

230511-xd1yqscb7v 10

Analysis

max time kernel
204s
max time network
256s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe
Size

884KB
MD5

2742063570ede152a3ba426deb3acf44
SHA1

56e3378da24efc470f8d5f229ac7e1a7ad3d31ba
SHA256

ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf
SHA512

e183dff67c27256c31816f71579fc9f0263352254b2b7ece473e746953c93a55e7ae9341188bb396c984845f69ca313af4d85a205fcbfc9567facaf149463be5
SSDEEP

12288:MMrCy9057F6Xd5WM6oE/iX+8+eUtBiAPpY0b+xUb8fYYt4Gqxz5o6ve2s5sqi/dF:GyH692+53iq9+qb8fY9GqlmGqQo6p

Score

10^/10

redline mixa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3572199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3572199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3572199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3572199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3572199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3572199.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2940	v8951614.exe
4696	v5866088.exe
1480	a3572199.exe
2620	b6492614.exe
2692	c3151009.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3572199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3572199.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8951614.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8951614.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5866088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5866088.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1480	a3572199.exe
1480	a3572199.exe
2620	b6492614.exe
2620	b6492614.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	a3572199.exe
Token: SeDebugPrivilege	2620	b6492614.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2940	2172	ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe	78
PID 2172 wrote to memory of 2940	2172	ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe	78
PID 2172 wrote to memory of 2940	2172	ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe	78
PID 2940 wrote to memory of 4696	2940	v8951614.exe	79
PID 2940 wrote to memory of 4696	2940	v8951614.exe	79
PID 2940 wrote to memory of 4696	2940	v8951614.exe	79
PID 4696 wrote to memory of 1480	4696	v5866088.exe	80
PID 4696 wrote to memory of 1480	4696	v5866088.exe	80
PID 4696 wrote to memory of 1480	4696	v5866088.exe	80
PID 4696 wrote to memory of 2620	4696	v5866088.exe	83
PID 4696 wrote to memory of 2620	4696	v5866088.exe	83
PID 4696 wrote to memory of 2620	4696	v5866088.exe	83
PID 2940 wrote to memory of 2692	2940	v8951614.exe	84
PID 2940 wrote to memory of 2692	2940	v8951614.exe	84
PID 2940 wrote to memory of 2692	2940	v8951614.exe	84

C:\Users\Admin\AppData\Local\Temp\ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe
"C:\Users\Admin\AppData\Local\Temp\ded0c0f527a2edb91c438b6b4644bad58a28a8a17c112cfb6567e91c3197b6bf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951614.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951614.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5866088.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5866088.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3572199.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3572199.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6492614.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6492614.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3151009.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3151009.exe
    3⤵
    - Executes dropped EXE
    PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951614.exe

Filesize
488KB

MD5
42b63bc3d5cd2a57af51b793f52c1c98

SHA1
96db37c85585c1a8d395edff387b464c51c7816c

SHA256
1bb605b26c3af91caec4196173aa726ec14193e750b5082ed61f2d9a5ed95f9a

SHA512
742342f54cdab3884c807c324904fb0e2e0cb7080625a4ba2fa6fe5fcc667aa2faf1ffab91116ca47544fd1836e3eb942fd3c280e8c9f4ef55065c5adfeaa755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8951614.exe

Filesize
488KB

MD5
42b63bc3d5cd2a57af51b793f52c1c98

SHA1
96db37c85585c1a8d395edff387b464c51c7816c

SHA256
1bb605b26c3af91caec4196173aa726ec14193e750b5082ed61f2d9a5ed95f9a

SHA512
742342f54cdab3884c807c324904fb0e2e0cb7080625a4ba2fa6fe5fcc667aa2faf1ffab91116ca47544fd1836e3eb942fd3c280e8c9f4ef55065c5adfeaa755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3151009.exe

Filesize
214KB

MD5
d604c2f2e2227ef5b90ba2fc06667b05

SHA1
cdd2621b5d6c144a4f4e56ed3f1ed84c3a6a5b10

SHA256
a5e8617efe17d3993e6d49e57650aa58657545ca5c43d7f487946f49111e4e36

SHA512
5e8be5ccba56aa38fdf4f0a694862bdc1f78e289db982bfd2c044eb9ff9f0cff9a41fb010c90bd3483127457154fbb4f490b4d4c36472dc5286837ca9f0ab341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3151009.exe

Filesize
214KB

MD5
d604c2f2e2227ef5b90ba2fc06667b05

SHA1
cdd2621b5d6c144a4f4e56ed3f1ed84c3a6a5b10

SHA256
a5e8617efe17d3993e6d49e57650aa58657545ca5c43d7f487946f49111e4e36

SHA512
5e8be5ccba56aa38fdf4f0a694862bdc1f78e289db982bfd2c044eb9ff9f0cff9a41fb010c90bd3483127457154fbb4f490b4d4c36472dc5286837ca9f0ab341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5866088.exe

Filesize
316KB

MD5
44c75582da81c0ed32b642851096976a

SHA1
a3d40310ca8e6969b646a8f1bdaa2ee9f34f7e23

SHA256
a4b3157b7caf74c765ded41bed8806d3682629dbbb83b9f9526b254f48a5e302

SHA512
2a89af370d1cbc2f4a50e6e8f3696f040111570efc6d63fd2fa5d2de5f90e7b92697c07b1f7b2a60abc931c6a9947590f4ada6c3dd6b40d1144311cb768c4677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5866088.exe

Filesize
316KB

MD5
44c75582da81c0ed32b642851096976a

SHA1
a3d40310ca8e6969b646a8f1bdaa2ee9f34f7e23

SHA256
a4b3157b7caf74c765ded41bed8806d3682629dbbb83b9f9526b254f48a5e302

SHA512
2a89af370d1cbc2f4a50e6e8f3696f040111570efc6d63fd2fa5d2de5f90e7b92697c07b1f7b2a60abc931c6a9947590f4ada6c3dd6b40d1144311cb768c4677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3572199.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3572199.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6492614.exe

Filesize
168KB

MD5
5e9c2fa10ef5142a4ef37add4d1a3394

SHA1
785def4be935d67beeff40e1d784c97032ff1f56

SHA256
ea8e3bc7aaa133559480480d2328fe59c7aa606995e39fad8d2064384cc9149b

SHA512
9811525b1c36c7cc58c7ffde851351708069bd0255b9f04b546b0f63150eb228f2f4e2d580815c5827d327da5407b7102c858516738b1304905e16d1684e43e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6492614.exe

Filesize
168KB

MD5
5e9c2fa10ef5142a4ef37add4d1a3394

SHA1
785def4be935d67beeff40e1d784c97032ff1f56

SHA256
ea8e3bc7aaa133559480480d2328fe59c7aa606995e39fad8d2064384cc9149b

SHA512
9811525b1c36c7cc58c7ffde851351708069bd0255b9f04b546b0f63150eb228f2f4e2d580815c5827d327da5407b7102c858516738b1304905e16d1684e43e2

Download Submit
memory/1480-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-188-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1480-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-166-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-168-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-170-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-174-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1480-173-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1480-172-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-176-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-177-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1480-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-162-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-186-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1480-187-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1480-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-164-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-156-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1480-154-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/1480-155-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2620-201-0x000000000B880000-0x000000000B912000-memory.dmp

Filesize
584KB

Download
memory/2620-196-0x000000000AC90000-0x000000000ACA2000-memory.dmp

Filesize
72KB

Download
memory/2620-197-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/2620-198-0x000000000ACF0000-0x000000000AD2C000-memory.dmp

Filesize
240KB

Download
memory/2620-199-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/2620-200-0x000000000B760000-0x000000000B7D6000-memory.dmp

Filesize
472KB

Download
memory/2620-195-0x000000000AD60000-0x000000000AE6A000-memory.dmp

Filesize
1.0MB

Download
memory/2620-202-0x000000000BA20000-0x000000000BA86000-memory.dmp

Filesize
408KB

Download
memory/2620-203-0x000000000C480000-0x000000000C642000-memory.dmp

Filesize
1.8MB

Download
memory/2620-204-0x000000000CB80000-0x000000000D0AC000-memory.dmp

Filesize
5.2MB

Download
memory/2620-205-0x000000000BE10000-0x000000000BE60000-memory.dmp

Filesize
320KB

Download
memory/2620-194-0x000000000B0A0000-0x000000000B6B8000-memory.dmp

Filesize
6.1MB

Download
memory/2620-193-0x0000000000DE0000-0x0000000000E0E000-memory.dmp

Filesize
184KB

Download