Analysis

max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2023, 08:43

Static task: static1
Behavioral task: behavioral1
Sample: f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe
Resource: win10v2004-20230221-en

General

Target: f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe
Size: 1.0MB
MD5: b432a2632c41cceb3d9f7da400bab670
SHA1: dbb0f561ba68dee18ac93c5d40cfe60a9b9996df
SHA256: f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4
SHA512: a653ec98f4a070904f3a5224b9a940d4947504f6a43dcb4fb5228b1bcfa79eea69878fe2f0643e2f5ce075238ecd51ee0fd23dee3c8c58b54f1a8a4a6e6ac380
SSDEEP: 24576:EyvDPSBOjMHvbq8vmk3lS+RAODeeNaJFKwzPA:TvDjjMucR8SA5sZg
Malware Config

Extracted: redline
  botnet: lusa
  C2: 83.97.73.127:19062
  auth_value: c9df946711e01c378b42221de692acbd

Extracted: redline
  botnet: munder
  C2: 83.97.73.127:19062
  auth_value: 159bf350f6393f0d879c80a22059fba2

Two RedLine configurations were recovered from this run. Both point at the same C2 endpoint (83.97.73.127:19062) and differ only in the botnet label and the auth_value token the client presents to the panel, which is consistent with the bundle carrying two separately built RedLine payloads rather than one payload with two servers.
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs

description     | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe

All five values live under the Real-Time Protection policy key and each switches off one component when set to 1: real-time monitoring, behavior monitoring, on-access protection, IOAV (download and attachment) scanning, and the process scan that otherwise runs when real-time protection is turned on. The WOW6432Node path shows the writer is a 32-bit process, which matches the injected host: the AppLaunch.exe under Framework\, not Framework64\. The report records only the write; Tamper Protection is designed to block exactly these registry-driven changes, so the write alone does not prove Defender was disabled on a real host.
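The Defender tampering rows above are easy to miss among the hundreds of registry events a run produces. The following is an added example (not code from the report or from the sandbox vendor) that parses rows in the report's flattened "Set value" form, normalizes away the WOW6432Node redirection so 32-bit and 64-bit writers compare equally, and flags every Real-Time Protection kill switch set to 1. The sample rows are constructed from the table above plus two rows that must not match; the process name MpCmdRun.exe in the negative row is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Value names under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch off a protection component when set to 1. All five appear in the report.
DEFENDER_RTP_KILL_SWITCHES = frozenset({
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
})

# Lower-cased tail of the policy key, after WOW6432Node has been stripped.
RTP_POLICY_SUFFIX = r"\policies\microsoft\windows defender\real-time protection"

# One "Set value" row in the report's flattened form:
#   Set value (int) \REGISTRY\MACHINE\...\DisableIOAVProtection = "1" AppLaunch.exe
_SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class DefenderTamper:
    process: str
    value_name: str
    data: str
    via_wow64: bool  # True when the write landed under WOW6432Node (32-bit writer)


def normalize_key(key: str) -> str:
    """Lower-case the key path and drop any WOW6432Node component so a
    redirected 32-bit write compares equal to a native 64-bit one."""
    return re.sub(r"\\wow6432node(?=\\)", "", key.lower())


def find_defender_tampering(lines):
    """Return every Set-value event that sets a Real-Time Protection kill switch to 1."""
    findings = []
    for line in lines:
        m = _SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows and anything else are not value writes
        key, _, value_name = m.group("path").rpartition("\\")
        if not normalize_key(key).endswith(RTP_POLICY_SUFFIX):
            continue
        if value_name not in DEFENDER_RTP_KILL_SWITCHES or m.group("data").strip() != "1":
            continue
        findings.append(DefenderTamper(
            process=m.group("proc"),
            value_name=value_name,
            data=m.group("data"),
            via_wow64="wow6432node" in key.lower(),
        ))
    return findings


def disabled_components(findings):
    """Map process name -> sorted list of protection components it switched off."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.value_name)
    return {proc: sorted(names) for proc, names in by_proc.items()}


# Constructed sample: the six Defender rows from the report plus two rows that
# must not match (a value reset to 0 by an assumed benign process, and a
# RunOnce cleanup value written by the self-extractor stage).
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" MpCmdRun.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" z1990114.exe
'''.strip().splitlines()

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_EVENTS):
        print(f"{f.process}: {f.value_name}={f.data} (WOW64 redirect: {f.via_wow64})")
    print(disabled_components(find_defender_tampering(SAMPLE_EVENTS)))
```

The same five value names also appear in Defender's own event log and in Sysmon EventID 13 when the write is made on a real host, so the `DEFENDER_RTP_KILL_SWITCHES` set transfers directly to a detection rule there.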
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 7 IoCs

pid  | Process
1400 | z1990114.exe
2176 | z6522215.exe
2756 | o4484740.exe
5088 | p0516930.exe
1044 | r0761983.exe
4084 | s7845842.exe
4316 | s7845842.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers commonly read stored browser data such as saved credentials, cookies and autofill entries.

Adds Run key to start application 2 TTPs 6 IoCs

description     | ioc | Process
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z1990114.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | z1990114.exe
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z6522215.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"" | z6522215.exe

The wextract_cleanup<n> RunOnce values and the IXP00n.TMP directories are the fingerprint of the Windows self-extracting cabinet stub (wextract): the sample and its first two stages are each such a package, every layer unpacks into a fresh IXP00n.TMP directory, and the RunOnce entry calls advpack.dll's DelNodeRunDLL32 to delete that directory at the next logon. These are cleanup entries left by the packer, not persistence for the RedLine payload, which is why no Run key points at any of the dropped executables.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 3 IoCs

description                      | pid  | Process      | procid_target
PID 2756 set thread context of 4980 | 2756 | o4484740.exe | 87
PID 1044 set thread context of 3964 | 1044 | r0761983.exe | 91
PID 4084 set thread context of 4316 | 4084 | s7845842.exe | 93

Program crash 1 IoCs

pid  | pid_target | Process      | procid_target
3284 | 4316       | WerFault.exe | 93

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid  | Process      | events
4980 | AppLaunch.exe | 2
5088 | p0516930.exe | 2
3964 | AppLaunch.exe | 2

Suspicious use of AdjustPrivilegeToken 4 IoCs

description             | pid  | Process
Token: SeDebugPrivilege | 4980 | AppLaunch.exe
Token: SeDebugPrivilege | 5088 | p0516930.exe
Token: SeDebugPrivilege | 4084 | s7845842.exe
Token: SeDebugPrivilege | 3964 | AppLaunch.exe

Suspicious use of UnmapMainImage 1 IoCs

pid  | Process
4316 | s7845842.exe

Suspicious use of WriteProcessMemory 38 IoCs

The original table repeats one row per WriteProcessMemory call; identical rows are collapsed here into an event count (9 parent/child pairs, 38 events in total).

pid  | Process | target pid | procid_target | events
4616 | f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe | 1400 | 83 | 3
1400 | z1990114.exe | 2176 | 84 | 3
2176 | z6522215.exe | 2756 | 85 | 3
2756 | o4484740.exe | 4980 | 87 | 5
2176 | z6522215.exe | 5088 | 88 | 3
1400 | z1990114.exe | 1044 | 89 | 3
1044 | r0761983.exe | 3964 | 91 | 5
4616 | f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe | 4084 | 92 | 3
4084 | s7845842.exe | 4316 | 93 | 10
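Read together, the WriteProcessMemory and SetThreadContext tables separate ordinary child creation from injection: in this run every plain spawn shows up as three writes from parent to child and nothing else, while the three pairs that also carry a "set thread context" row (o4484740.exe and r0761983.exe into the 32-bit .NET host AppLaunch.exe, and s7845842.exe into a second copy of itself) are the process-hollowing sequence, write the target's memory, then redirect its primary thread. The following is an added example (not code from the report or from the sandbox vendor) that correlates rows in the report's flattened form by (parent, child) pair and flags the pairs where a thread-context change follows the writes. The event lines and the pid-to-name map are constructed from the tables above.

```python
import re
from dataclasses import dataclass

# One row of the report's WriteProcessMemory / SetThreadContext tables:
#   PID 2756 wrote to memory of 4980 2756 o4484740.exe 87
#   PID 2756 set thread context of 4980 2756 o4484740.exe 87
# The acting pid is repeated after the target pid, so it is matched twice.
_EVENT_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<action>wrote to memory|set thread context) of "
    r"(?P<target>\d+) (?P=pid) (?P<proc>\S+) (?P<target_id>\d+)$"
)


@dataclass
class InjectionPair:
    parent_pid: int
    parent_name: str
    child_pid: int
    child_name: str
    writes: int = 0
    set_thread_context: bool = False

    @property
    def likely_hollowing(self) -> bool:
        # Writing into a child and then replacing its thread context is the
        # hollowing sequence; a plain CreateProcess hand-off in this report
        # produces writes only, so the context change is the discriminator.
        return self.set_thread_context and self.writes > 0


def correlate(lines, names):
    """Group events by (parent pid, child pid); `names` maps pid -> image name
    and is taken from the Processes tree (constructed here)."""
    pairs = {}
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m["pid"]), int(m["target"])
        pair = pairs.setdefault(
            (ppid, cpid), InjectionPair(ppid, m["proc"], cpid, names.get(cpid, "?"))
        )
        if m["action"] == "wrote to memory":
            pair.writes += 1
        else:
            pair.set_thread_context = True
    return [pairs[k] for k in sorted(pairs)]


def find_hollowing(lines, names):
    """Return only the parent/child pairs that show the hollowing sequence."""
    return [p for p in correlate(lines, names) if p.likely_hollowing]


# Constructed from the report's Processes tree (pid -> image name).
PROCESS_NAMES = {
    4616: "f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe",
    1400: "z1990114.exe",
    2756: "o4484740.exe",
    4980: "AppLaunch.exe",
    1044: "r0761983.exe",
    3964: "AppLaunch.exe",
}

# Constructed sample: one plain spawn (3 writes) and the two AppLaunch.exe
# injections (5 writes each, followed by a thread-context change).
SAMPLE_EVENTS = """
PID 4616 wrote to memory of 1400 4616 f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe 83
PID 4616 wrote to memory of 1400 4616 f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe 83
PID 4616 wrote to memory of 1400 4616 f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe 83
PID 2756 wrote to memory of 4980 2756 o4484740.exe 87
PID 2756 wrote to memory of 4980 2756 o4484740.exe 87
PID 2756 wrote to memory of 4980 2756 o4484740.exe 87
PID 2756 wrote to memory of 4980 2756 o4484740.exe 87
PID 2756 wrote to memory of 4980 2756 o4484740.exe 87
PID 2756 set thread context of 4980 2756 o4484740.exe 87
PID 1044 wrote to memory of 3964 1044 r0761983.exe 91
PID 1044 wrote to memory of 3964 1044 r0761983.exe 91
PID 1044 wrote to memory of 3964 1044 r0761983.exe 91
PID 1044 wrote to memory of 3964 1044 r0761983.exe 91
PID 1044 wrote to memory of 3964 1044 r0761983.exe 91
PID 1044 set thread context of 3964 1044 r0761983.exe 91
""".strip().splitlines()

if __name__ == "__main__":
    for p in find_hollowing(SAMPLE_EVENTS, PROCESS_NAMES):
        print(f"{p.parent_name} ({p.parent_pid}) hollowed {p.child_name} ({p.child_pid}) "
              f"after {p.writes} writes")
```

On a live host the same correlation is done over Sysmon EventID 8 (CreateRemoteThread) and EventID 10 (ProcessAccess) rather than the sandbox's rows, but the discriminator is unchanged: a freshly created child whose image is a signed Microsoft host (here AppLaunch.exe) receiving writes and a thread-context change from an unsigned binary in %TEMP%.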
Processes

The tree below is rebuilt from the report's flattened listing; the depth marker (1, 2, 3 ...) after each command line in the original is rendered as indentation.

1. C:\Users\Admin\AppData\Local\Temp\f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe  (PID 4616)
   command line: "C:\Users\Admin\AppData\Local\Temp\f6eca8c4cb2fab511340570224bdc2ad7ca25e799d06c1c02a1aee98e85967b4.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1990114.exe  (PID 1400)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6522215.exe  (PID 2176)
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4484740.exe  (PID 2756)
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4980)
               command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
               - Modifies Windows Defender Real-time Protection settings
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0516930.exe  (PID 5088)
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0761983.exe  (PID 1044)
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3964)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7845842.exe  (PID 4084)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7845842.exe  (PID 4316)
         - Executes dropped EXE
         - Suspicious use of UnmapMainImage
         4. C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 12  (PID 3284)
            - Program crash

1. C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4316 -ip 4316  (PID 4948)

The shape is three nested self-extracting layers (the sample, z1990114.exe and z6522215.exe, each unpacking into its own IXP00n.TMP directory) that fan out into four leaf executables: o4484740.exe and r0761983.exe both launch the 32-bit .NET host AppLaunch.exe and replace its thread context, and it is the hollowed AppLaunch.exe (PID 4980) that writes the Defender policy values; p0516930.exe runs directly with SeDebugPrivilege; s7845842.exe launches a second copy of itself, which unmaps its own main image and then crashes, producing the two WerFault.exe instances. The report does not state which RedLine configuration belongs to which leaf, so that mapping is not given here.
Network
MITRE ATT&CK Enterprise v6
Downloads

The original listing repeats an entry once per dropped path; entries with identical hashes are collapsed below with a count.

Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize: 963KB (listed 3 times, identical hashes)
MD5: caadd060a67d398255af6ec97d5a6d7d
SHA1: f1c9b536033ce93ed12ba094720c428214971cb3
SHA256: 54663be78438cc2fb86e5d95112de9e9d373ed7243028baf18dc325c0ba0eb15
SHA512: 0084872daf246fa80d6e8baa20e67185783f64eceef3bae50c1fbb375d38cb8435305e5b43bbfdcafb70bd2084590943a8197c930475ce7802b83997ac3a89c1

Filesize: 599KB (listed 2 times, identical hashes)
MD5: df552b6942ef3f5949d9e25f9495eccd
SHA1: ad3018e7a012029b963eb7963d00181b844be449
SHA256: 477409b08c52069aff58f685a51b4361e15874bd754fdc3b5c021374f378db25
SHA512: d519865a227642fbb8d2474a7609a07da55cb98f73853cf03967298eb492a8a95983c50bec571a38908c8c49eec85a020f79b0ede5e68f8140bba62f1f5e6561

Filesize: 315KB (listed 2 times, identical hashes)
MD5: adb7155c6e29fede4c8ae7c07bebcd5c
SHA1: f4cf3dc44e4978c732485a9189804405494cfb7b
SHA256: d3378d91560f16cbd0e39dd60199049938c4118e303e17545be49482932dfaec
SHA512: 1d53d9e60358eaf3918e1a14e0bc1d6c48c8ecb4d885db527213769ce33761f195688cc9f44ca1eeb5bd6362ba17de4f9a1d1dd5c2f2015090a6d6a6b34e9cb2

Filesize: 278KB (listed 2 times, identical hashes)
MD5: 67296e7dc03e059a3d6c53291a37a61f
SHA1: b6294e46356b1beded8e619e613cbd158ca59800
SHA256: 23eea48e459146922cf56cac4bb8e7a943e9e2ba4985ade79cf7221f39aeebde
SHA512: 0a9e2eda07933feb7af1ff4d8ede8ae4c9e3f51918665353247b7d12915d0de09f4cf3eb3d81f3b654784691b0364f244a13b89ea5b87f13aaddd5ea222bcdb8

Filesize: 180KB (listed 2 times, identical hashes)
MD5: 2ff8353f4c56c93f8cec7b7d6c512c47
SHA1: 1a2d7a4fdf73ade293a4f6f3079407045d75c8a5
SHA256: 553bfc27dd60cbbf8d1534b7461d0866a0b9bcb18e5e75aa70094cad856ac936
SHA512: 596a5923414c2e87664aa76466a2149bb8e9ffe195f25aa5406fdf8407bfe3f9044d85a2b276b580c5ce6bcf53cf890e7f542263fd4507fa4c6572f02f3baed5

Filesize: 145KB (listed 2 times, identical hashes)
MD5: 27cab634eac9b1f57719a1b84fdb7548
SHA1: ffc634cf23ca063d5edfe341e2d20e063b29cd5b
SHA256: 22bd3bd2f1775423b076ad9d1c9a750c2e40f1889d1990ef786c78ab882856a7
SHA512: 012ed60e06324afd29dc19343654696ec1a3f45398ebffaac146dbcfe9610d7a20d8ffbc3b331194f5841b7202c361c8e84ff5981bc795dca8d6b7a283b62d09