Overview

overview

10

Static

static

3

f3f7c727a9...3d.exe

windows7-x64

10

f3f7c727a9...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2023, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3f7c727a9f743d2162b7e119d5969b73ba671a69138a66f9069defd99ba123d.exe

  • Size

    1.0MB

  • MD5

    0acaeccb230c0d5aec117a471c1dca84

  • SHA1

    55179af371986e97dde6e4470f755a6b0d2a9841

  • SHA256

    f3f7c727a9f743d2162b7e119d5969b73ba671a69138a66f9069defd99ba123d

  • SHA512

    f8d5e3d643baa49d3889a86099109043676e7471cef7e3a0e0788599529701a3703a0f87a91da16379c396c047210088af7f857d19383c4bf3ed9832d3806e09

  • SSDEEP

    24576:/y+5eGuwMo6q0pxZtO1ghWJKUILjdAttM1OZWl:K1GPMo6qqt0GWJKUgAgc

Score
10/10
redlinedizaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3f7c727a9f743d2162b7e119d5969b73ba671a69138a66f9069defd99ba123d.exe
    "C:\Users\Admin\AppData\Local\Temp\f3f7c727a9f743d2162b7e119d5969b73ba671a69138a66f9069defd99ba123d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9505562.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9505562.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2065260.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2065260.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7265131.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7265131.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3768
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1795422.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1795422.exe
          4⤵
          • Executes dropped EXE
          PID:228

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9505562.exe
    Filesize

    751KB

    MD5

    813d703194c34e6cda8af4b042ff7184

    SHA1

    e02a154d7e2d2975d682a7c09bfa1732eccde8cd

    SHA256

    2022eeed53cffcd1d82d0baed327e9d290475d640a9fc4f26ddff844efc268e3

    SHA512

    7b40e00cff9c9a192d30fd7111b46055fac2a7e2d486a0dc8e3da9e15c7c02b42dc3214f2d9011afc0d9436142a75177894b9b52048935211810ef5424db5b25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9505562.exe
    Filesize

    751KB

    MD5

    813d703194c34e6cda8af4b042ff7184

    SHA1

    e02a154d7e2d2975d682a7c09bfa1732eccde8cd

    SHA256

    2022eeed53cffcd1d82d0baed327e9d290475d640a9fc4f26ddff844efc268e3

    SHA512

    7b40e00cff9c9a192d30fd7111b46055fac2a7e2d486a0dc8e3da9e15c7c02b42dc3214f2d9011afc0d9436142a75177894b9b52048935211810ef5424db5b25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2065260.exe
    Filesize

    305KB

    MD5

    ea953d723f931b554299f5bb45323bd0

    SHA1

    8e09963ca7d227fef3707d555860944af887c195

    SHA256

    6202e1ef8aa85b50a6f25ef3b3c9f136f6c605b016bf35b7d990b3cd6e0f6557

    SHA512

    e50271d4b236aad780cc4f9444e3b4c507b872332125d74aa928c85f0c4929c290cb67fdd5b581321206efc1c797dc640c4a2f0cbec32f00d188a99e59d4164a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2065260.exe
    Filesize

    305KB

    MD5

    ea953d723f931b554299f5bb45323bd0

    SHA1

    8e09963ca7d227fef3707d555860944af887c195

    SHA256

    6202e1ef8aa85b50a6f25ef3b3c9f136f6c605b016bf35b7d990b3cd6e0f6557

    SHA512

    e50271d4b236aad780cc4f9444e3b4c507b872332125d74aa928c85f0c4929c290cb67fdd5b581321206efc1c797dc640c4a2f0cbec32f00d188a99e59d4164a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7265131.exe
    Filesize

    185KB

    MD5

    99ce08dd99428dc7830abb315b57e000

    SHA1

    349d67a1d8f15b2ae82a1d4fd33522c5784f4274

    SHA256

    83725721a72435a19e4bca613a6c5dd2d429fe5094e83533e3b88536ffb4f630

    SHA512

    c85a21baf692d2655f56229b1aacf9400c14284305094745a67f454e362ccfd8a86960242af0cc7239c0fc903fd7880fed6cbedc107e03308cc7ee57a014cfe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7265131.exe
    Filesize

    185KB

    MD5

    99ce08dd99428dc7830abb315b57e000

    SHA1

    349d67a1d8f15b2ae82a1d4fd33522c5784f4274

    SHA256

    83725721a72435a19e4bca613a6c5dd2d429fe5094e83533e3b88536ffb4f630

    SHA512

    c85a21baf692d2655f56229b1aacf9400c14284305094745a67f454e362ccfd8a86960242af0cc7239c0fc903fd7880fed6cbedc107e03308cc7ee57a014cfe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1795422.exe
    Filesize

    145KB

    MD5

    5850b8c1a181a329366b01d058b96717

    SHA1

    fa163aa7feb9a9abc4d5714790da72ac383f476b

    SHA256

    f2953b5ebe87272d5da256eed6f78113250aa0371267f9d8ca4de8f4ce7d0b9a

    SHA512

    e3aadc5493b8c32eab2eecc43ca4b2d047237611c681e5478a6da680b3e3bdd318406b68b347cd847513ace56bfa91c9294064bbafaddcb54d2d8502ab7b5be6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1795422.exe
    Filesize

    145KB

    MD5

    5850b8c1a181a329366b01d058b96717

    SHA1

    fa163aa7feb9a9abc4d5714790da72ac383f476b

    SHA256

    f2953b5ebe87272d5da256eed6f78113250aa0371267f9d8ca4de8f4ce7d0b9a

    SHA512

    e3aadc5493b8c32eab2eecc43ca4b2d047237611c681e5478a6da680b3e3bdd318406b68b347cd847513ace56bfa91c9294064bbafaddcb54d2d8502ab7b5be6

    Download Submit

  • memory/228-199-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/228-196-0x0000000004E20000-0x0000000004E32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/228-195-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/228-194-0x0000000005370000-0x0000000005988000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/228-193-0x0000000000450000-0x000000000047A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/228-197-0x0000000005000000-0x000000000503C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/228-198-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-173-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-187-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-171-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-167-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-175-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-177-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-179-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-181-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-183-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-185-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-186-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-169-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-188-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-165-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-163-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-161-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-159-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-158-0x0000000004960000-0x0000000004976000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3768-157-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-155-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-156-0x0000000004990000-0x00000000049A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-154-0x00000000049A0000-0x0000000004F44000-memory.dmp

    Filesize

    5.6MB

    Download