Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 14-05-2023 07:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe
- Resource: win10-20230220-en
General
- Target: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe
- Size: 1.1MB
- MD5: 41f6fa0bcb7ebbf71ba9f7bad407648e
- SHA1: c9947b3e67322b76afcc8a533fb481d73ae61b1c
- SHA256: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf
- SHA512: 2d414a953c012b57c5e4cc38fc862d7540e2da472957d69e9d55b7c1a760f8b105e4c49bfaf8c11641fa6fe858d989284b3fe30b612350fb6152caf5e707f906
- SSDEEP: 24576:byYK08jGLtsa5+k8WXxRYb04Qg43+F5yzmqRHtRk6g5w:OYBsatv5L1x14UiumYHIv5
Malware Config
Extracted
- Family: redline
- Botnet: luka
- C2: 185.161.248.75:4132
- auth_value: 44560bcd37d6bf076da309730fdb519a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: o5177988.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (o5177988.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (o5177988.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (o5177988.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (o5177988.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (o5177988.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 4 IoCs
Processes: z6845710.exe, z6912425.exe, o5177988.exe, p0737301.exe
- PID 2252: z6845710.exe
- PID 2516: z6912425.exe
- PID 2832: o5177988.exe
- PID 4548: p0737301.exe

Windows security modification
Processes: o5177988.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (o5177988.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (o5177988.exe)

Adds Run key to start application 2 TTPs 6 IoCs
Processes: z6912425.exe, ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe, z6845710.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (z6912425.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (z6845710.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (z6845710.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (z6912425.exe)

Program crash 1 IoCs
Processes: WerFault.exe
- PID 2712 WerFault.exe, target PID 4548 (p0737301.exe)

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: o5177988.exe
- PID 2832: o5177988.exe
- PID 2832: o5177988.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: o5177988.exe
- Token: SeDebugPrivilege, PID 2832 (o5177988.exe)

Suspicious use of WriteProcessMemory 12 IoCs
Processes: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe, z6845710.exe, z6912425.exe
- PID 1688 wrote to memory of 2252: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe -> z6845710.exe
- PID 1688 wrote to memory of 2252: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe -> z6845710.exe
- PID 1688 wrote to memory of 2252: ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe -> z6845710.exe
- PID 2252 wrote to memory of 2516: z6845710.exe -> z6912425.exe
- PID 2252 wrote to memory of 2516: z6845710.exe -> z6912425.exe
- PID 2252 wrote to memory of 2516: z6845710.exe -> z6912425.exe
- PID 2516 wrote to memory of 2832: z6912425.exe -> o5177988.exe
- PID 2516 wrote to memory of 2832: z6912425.exe -> o5177988.exe
- PID 2516 wrote to memory of 2832: z6912425.exe -> o5177988.exe
- PID 2516 wrote to memory of 4548: z6912425.exe -> p0737301.exe
- PID 2516 wrote to memory of 4548: z6912425.exe -> p0737301.exe
- PID 2516 wrote to memory of 4548: z6912425.exe -> p0737301.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff6f9e2634dbeeeaded817e008e7dbe487c316a7546093de3fee20dfbc21b4bf.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6845710.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6845710.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6912425.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6912425.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5177988.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5177988.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0737301.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0737301.exe
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe (depth 5)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 948
          - Program crash
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6845710.exe
  Filesize: 702KB
  MD5: 312b78b387d3c0dee8929eefeefdc2d4
  SHA1: 696972a9af583b1286d613ea055734ad939c0ffb
  SHA256: d4eab44041e430da3e207e213fca7e5d953f86499f6989cc37a38cb8a0f035f7
  SHA512: 69d3dfaaffc6bfb546a68e7a94dcbd05b8db24247fe218ac1be3a63320fa36847adb9586bde70113bb281e0a6ac3b9612602ec5b339e04d655d830818e4a5c63
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6912425.exe
  Filesize: 306KB
  MD5: 967f20a06cdb4f001539179c04b0823c
  SHA1: 51fccf1b6ad12a02063155e786abaa319abf6457
  SHA256: 930f4b5a0103b3c61c99e1dbfd37255aca69eba8cee2e9048fc3f0f09a9c09a2
  SHA512: c8de5eb3634163bcdc037b64cd038ddd44906628e4803a4836d4333090f3de2ffe9ff53d6a18e76737bb83866bf488381a0f7771a89e667b7d7ab883d4dff544
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5177988.exe
  Filesize: 185KB
  MD5: 1254e30a2b2dc023d0e9ff10bd94a3d2
  SHA1: 22f19e06c0c1ad73282c2a4855844a1c5b1eb9de
  SHA256: bea1ba43bd5b68441179d8b0fedf7ba052505d51b032513e71e740b49d56aca2
  SHA512: 0b4158cbcc3dc6ce9481284d49ad585f61f5260ded6d6db92022a106f7a0eba682960239bd2ee2fd8fc31e93fa1f8865c2d5a9939ddd3f2784e254142c26c6a5
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0737301.exe
  Filesize: 145KB
  MD5: 192abbd3b51e1ba1af97ec5b588ae502
  SHA1: bf5e2f3e3b004f2f289cf09e8b473f2bf2ec27da
  SHA256: 0617471dd9022974281665ba15084854936b524950ebf04b989772562c66fc17
  SHA512: af0b7f020fae01cdeb8a196bec3a71f790946399f9cad295c1491c84489aef0fc326ff94269e3dc0f28bc811acaf696946ab7711be21019afbe3fec4102a2877
- memory/2832-153-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-159-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-146-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-147-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-149-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-151-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-144-0x0000000004AA0000-0x0000000004F9E000-memory.dmp: 5.0MB
- memory/2832-155-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-157-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-145-0x00000000024F0000-0x000000000250C000-memory.dmp: 112KB
- memory/2832-161-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-163-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-165-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-167-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-169-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-171-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-173-0x00000000024F0000-0x0000000002506000-memory.dmp: 88KB
- memory/2832-143-0x0000000004A90000-0x0000000004AA0000-memory.dmp: 64KB
- memory/2832-142-0x0000000000630000-0x000000000064E000-memory.dmp: 120KB
- memory/4548-178-0x0000000000DE0000-0x0000000000E0A000-memory.dmp: 168KB