Analysis
- max time kernel: 75s
- max time network: 80s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 14-05-2023 09:00
Static task
static1
Behavioral task
behavioral1
Sample
f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe
Resource
win10-20230220-en
General
- Target: f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe
- Size: 1.1MB
- MD5: f25435a51ec3b14d0b17dd3c16ed8443
- SHA1: a6c9920d1c8662c0dab591e4c976f5d2a6469103
- SHA256: f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139
- SHA512: cf8dca6aefdd4093271f259a0ab681435d3a160b140fb254386646ae80533529cc6352061426a55d729780d0bd24c2c20f00908afafba7ba49a142d3ba08e868
- SSDEEP: 24576:kydmFcg6LjPAz4Oo8akUFOwexYn0OkkurEoMA38QVjSb+nFmRe0aG:zkFcg6LjPLrEUsrL/MApjoiie0a
Malware Config
Extracted
- Family: redline
- Botnet: luka
- C2: 185.161.248.75:4132
- auth_value: 44560bcd37d6bf076da309730fdb519a
Signatures
- Modifies Windows Defender Real-time Protection settings
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o3012766.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o3012766.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o3012766.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o3012766.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o3012766.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (4 IoCs)
  Processes:
  pid | process
  2356 | z8037975.exe
  2488 | z1804452.exe
  2816 | o3012766.exe
  1360 | p2452203.exe
- Windows security modification
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | o3012766.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | o3012766.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z8037975.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z8037975.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z1804452.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z1804452.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  2712 | 1360 | WerFault.exe | p2452203.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2816 | o3012766.exe
  2816 | o3012766.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2816 | o3012766.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1724 wrote to memory of 2356 | 1724 | f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe | z8037975.exe
  PID 1724 wrote to memory of 2356 | 1724 | f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe | z8037975.exe
  PID 1724 wrote to memory of 2356 | 1724 | f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe | z8037975.exe
  PID 2356 wrote to memory of 2488 | 2356 | z8037975.exe | z1804452.exe
  PID 2356 wrote to memory of 2488 | 2356 | z8037975.exe | z1804452.exe
  PID 2356 wrote to memory of 2488 | 2356 | z8037975.exe | z1804452.exe
  PID 2488 wrote to memory of 2816 | 2488 | z1804452.exe | o3012766.exe
  PID 2488 wrote to memory of 2816 | 2488 | z1804452.exe | o3012766.exe
  PID 2488 wrote to memory of 2816 | 2488 | z1804452.exe | o3012766.exe
  PID 2488 wrote to memory of 1360 | 2488 | z1804452.exe | p2452203.exe
  PID 2488 wrote to memory of 1360 | 2488 | z1804452.exe | p2452203.exe
  PID 2488 wrote to memory of 1360 | 2488 | z1804452.exe | p2452203.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f253afd3fe057085b30cb4cfd5c0a027a4bfebe58812279ac469a48fc57be139.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8037975.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8037975.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1804452.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1804452.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3012766.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3012766.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2452203.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2452203.exe
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 948
          - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8037975.exe
  Filesize: 702KB
  MD5: f7dfcf2a7f8f36e3177975e4b17441f8
  SHA1: e74366cfaf14a4cbafe73e065a070f718b65dde7
  SHA256: 466803e0ab52a645a7bdcc865a4e6731086cc436fd4fef5236bde40ac5eb6fc6
  SHA512: 309414567bfd3c16c397a0c224103238af7d8c25405ad674f91269d528f546180c5602a2210d055d79d47952ab5a6f11dae5ceac0d9f036fb771210034588edd
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1804452.exe
  Filesize: 306KB
  MD5: 3e3ae8072563123bce08b4eb6c6f1b67
  SHA1: 20db67fc57cdd9d8839c43ddb00242c0338dae47
  SHA256: a5c0d785ca25cd3ee2bb483f292523fc3e40a9c32d7c9f7347430f56edd65ef5
  SHA512: 0e6699957038639967e820958cbc6958dcadac1a4a9d14dc957dfe24e060b1dc574d0e6108d3c55b98aece1d94f98d5958188d89d3242820ce0622f29ef79c24
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3012766.exe
  Filesize: 185KB
  MD5: 77ee8120fde7adafb34dcc1ebc2e91e6
  SHA1: aac8e3f5caef8968b7cdbe29a186c713bbc6a2aa
  SHA256: e9dcad0f7dd6b1f5803745b6a9e3281d357412ee7bb1ea848f794d60d5fd80c7
  SHA512: 645ff36cf2e550294e6be3b2414318633fbda781ce93c7129354f8b5cfe0e3b2c378da502e2d394d53308773cd8659679518a497f07a6cd41a305e167867859a
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2452203.exe
  Filesize: 145KB
  MD5: 440a61c10632eb0bd369fabce00c17c2
  SHA1: d97a3ee713e0eddd6403a3c67c639e33eabc5f41
  SHA256: ed3b41b749668717487760cd71e1a8a772919c323ee513e66f21593a729b852d
  SHA512: feb2f4be1802bfe7702fd224e745aebd6637f4ca4185912a9d16c0bde0b3de29a65ca63f96785f03df8bc621cc8131345ddf82b1e14c7822dcffde9031e039df
- memory/1360-181-0x0000000000980000-0x00000000009AA000-memory.dmp
  Filesize: 168KB
- memory/2816-151-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-163-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-147-0x0000000004930000-0x0000000004940000-memory.dmp
  Filesize: 64KB
- memory/2816-149-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-148-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-145-0x0000000004E40000-0x0000000004E5C000-memory.dmp
  Filesize: 112KB
- memory/2816-153-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-155-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-157-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-159-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-161-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-146-0x0000000004930000-0x0000000004940000-memory.dmp
  Filesize: 64KB
- memory/2816-165-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-167-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-169-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-171-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-173-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-175-0x0000000004E40000-0x0000000004E56000-memory.dmp
  Filesize: 88KB
- memory/2816-176-0x0000000004930000-0x0000000004940000-memory.dmp
  Filesize: 64KB
- memory/2816-144-0x0000000004940000-0x0000000004E3E000-memory.dmp
  Filesize: 5.0MB
- memory/2816-143-0x0000000004930000-0x0000000004940000-memory.dmp
  Filesize: 64KB
- memory/2816-142-0x0000000002070000-0x000000000208E000-memory.dmp
  Filesize: 120KB