Analysis

max time kernel: 100s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2023, 23:01
Static task: static1
Behavioral task: behavioral1
Sample: 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe
Resource: win10v2004-20230220-en
General

Target: 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe
Size: 1.0MB
MD5: 87ead40b28cfae2fc3ba500bb492186a
SHA1: 225d1fc818233ec0e2dddc9ed907643eb0c3fbc2
SHA256: 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6
SHA512: e4e25d7e7f95ef22790b177d738a02d7f68fcc0b2960b8398858d6868c23b051b1e7a4649d7ad9fba17001c017e0334efa205c3ab624d85bc77b170fa9086d59
SSDEEP: 24576:Wy/JZEL1P+aLh6qmfGhU9cGbBtk0ghTFQLYDJHozBEsuZT8s:lBmL9zd6qmfyU9co33ghTMM2zBYT8
Malware Config

Extracted
  redline
  diza
  185.161.248.37:4138
  auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k0080621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k0080621.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | k0080621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k0080621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k0080621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k0080621.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/4256-221-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-224-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-222-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-226-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-228-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-230-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-232-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-234-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-236-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-238-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-240-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-242-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-244-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-246-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-248-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-250-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-252-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
behavioral1/memory/4256-254-0x0000000004990000-0x00000000049CC000-memory.dmp | family_redline
Executes dropped EXE 7 IoCs
pid | Process
696 | y8424491.exe
3056 | y0633339.exe
3132 | k0080621.exe
4784 | l1506566.exe
3660 | m2534222.exe
4864 | m2534222.exe
4256 | n7664606.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k0080621.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k0080621.exe
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y8424491.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y8424491.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y0633339.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y0633339.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3660 set thread context of 4864 | 3660 | m2534222.exe | 89
Program crash 1 IoCs
pid | pid_target | Process | procid_target
728 | 4864 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3132 | k0080621.exe
3132 | k0080621.exe
4784 | l1506566.exe
4784 | l1506566.exe
4256 | n7664606.exe
4256 | n7664606.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3132 | k0080621.exe
Token: SeDebugPrivilege | 4784 | l1506566.exe
Token: SeDebugPrivilege | 3660 | m2534222.exe
Token: SeDebugPrivilege | 4256 | n7664606.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
4864 | m2534222.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 1596 wrote to memory of 696 | 1596 | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe | 84
PID 1596 wrote to memory of 696 | 1596 | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe | 84
PID 1596 wrote to memory of 696 | 1596 | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe | 84
PID 696 wrote to memory of 3056 | 696 | y8424491.exe | 85
PID 696 wrote to memory of 3056 | 696 | y8424491.exe | 85
PID 696 wrote to memory of 3056 | 696 | y8424491.exe | 85
PID 3056 wrote to memory of 3132 | 3056 | y0633339.exe | 86
PID 3056 wrote to memory of 3132 | 3056 | y0633339.exe | 86
PID 3056 wrote to memory of 3132 | 3056 | y0633339.exe | 86
PID 3056 wrote to memory of 4784 | 3056 | y0633339.exe | 87
PID 3056 wrote to memory of 4784 | 3056 | y0633339.exe | 87
PID 3056 wrote to memory of 4784 | 3056 | y0633339.exe | 87
PID 696 wrote to memory of 3660 | 696 | y8424491.exe | 88
PID 696 wrote to memory of 3660 | 696 | y8424491.exe | 88
PID 696 wrote to memory of 3660 | 696 | y8424491.exe | 88
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 3660 wrote to memory of 4864 | 3660 | m2534222.exe | 89
PID 1596 wrote to memory of 4256 | 1596 | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe | 91
PID 1596 wrote to memory of 4256 | 1596 | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe | 91
PID 1596 wrote to memory of 4256 | 1596 | 12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe | 91
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12ce14cfa643f47aba44b9fe2105cbb3a6605b7d1a64fe021b482bbf1abb49c6.exe"
  PID: 1596
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8424491.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8424491.exe
    PID: 696
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0633339.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0633339.exe
      PID: 3056
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0080621.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0080621.exe
        PID: 3132
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1506566.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1506566.exe
        PID: 4784
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2534222.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2534222.exe
      PID: 3660
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2534222.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2534222.exe
        PID: 4864
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage

        Level 5: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 12
          PID: 728
          - Program crash

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7664606.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7664606.exe
    PID: 4256
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
  PID: 3168
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 285KB
MD5: 6633bbd533da8e3cfe1722d44c74e7ca
SHA1: 4fecb99eebf4db0b84c2566b277fa449aa933043
SHA256: e75fc60733432c3a361942e87779520c4b2a6f239fd2e5f85cfd9fb3db5a4c41
SHA512: 531a56af50c0c1df986968f29d210eec045d6ba854385db04fda829b9ff718f51bb53f6c618499dd2a8fd21b7f65d3381398366ee328e39eebcf723ab88143d5

Filesize: 750KB
MD5: ce27976034751f060abab13a264ed209
SHA1: b56414a5cdc07fc95d8bfc4834125c17fba4d0a0
SHA256: 252dd9823672779e4175cb82bb47d6494596b2030a30a9d8c4c1aaa68edb1729
SHA512: eab6d3bf7e2393204414f7525222b6365a713038c6f97e742b0c892c3de6750ba6bd1d510f66fba0834c733d16ce42c73483a397b196f85c4314528d8c1f91cc

Filesize: 965KB
MD5: 779526adf273365f69ff2f89cbe41efd
SHA1: e08582dd33baf8b8e55b5a02a803a73d23148308
SHA256: 5bf88782c5c7be4ba5b30df7005f5aab3a09643ff2a168c8415c8ae4052a9a19
SHA512: cf044caf276d2c1ae054fca67865f8f159ac5eb082fa56c7c9850e8f2382b555540801464e15f7422bf22ad1193dbf85ae415beb4f8686890bc9ea1f5c161677

Filesize: 305KB
MD5: 6e350202f926394d3a2e3de7ab425272
SHA1: 73c64755da7dcc6fb7f1f3b3da6c7897695262a0
SHA256: 8209ffb25912c5c268901b03bbe109d669921958044edca639ea6bdc242d0b75
SHA512: 315488ecce96c9f19d261e6f97d4281253e5379774e1ed95d13a1a1cce3f3299ce1b0618782ed7b1fc4fff891c06f650fde360e7436d7dedd8867c068de3b3f8

Filesize: 186KB
MD5: b708bf161180a5ee4e1a7faa26a962a9
SHA1: 02d68430bf41e56f0f16264e920c04d67cd2943b
SHA256: 62c7203c4004a4bda736895cf1e2a4490a0ff848c5959438c164816d6a5ea77d
SHA512: 51bd304bc2fa29638bc498944bc1e7b24aa38813c82fe2dbc738eec630020b64b0e675d4048f08bca008efcd8e35155da9f8b911d466b8b8ee214ac84f588643

Filesize: 145KB
MD5: 7380b406c903e9d3dea85f9dfb22bc65
SHA1: 3151f1a47e1196ea45809b149cf23bdd576d15d7
SHA256: 172e4e6eeb53dffc04415e4b271bca466f9c70e40004b8492ee776e5e20fa6f1
SHA512: 60f55af075b050d1261e956e8efc646343a2cdf4aa400ac4bf1b158ec1f18f98061d0225ba4dab3926a7935b9619c215ddbb7aa4c621188d5996ddd594c60d2c