Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28-05-2023 16:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: 29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
- Resource: win10-20230220-en
General
- Target: 29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
- Size: 1.1MB
- MD5: 701c559b105166088198d4934cf50504
- SHA1: 333298acff8117f6fa45e08aaad03fd8c50614f9
- SHA256: 29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109
- SHA512: 6a46a05a15dc8e6dce183ffa1e0344492d05e3acddfaae7eefc1956553acf91d1b93b105485e32097b35490c01bd1efcd3e05d7ec77b8020469c3e37894cfe6d
- SSDEEP: 24576:hybsA+oyrENtJUBNzBmqxL7THqBBkjWmLkC/hO4X3PbsRcok6o:U4V4NtJg3mq1qLkjWmIShVXacF6
Malware Config
Extracted
- Family: redline
- Botnet: liza
- C2: 83.97.73.127:19045
- auth_value: 198e3e9b188d6cfab0a2b0fb100bb7c5
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: AppLaunch.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (AppLaunch.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (AppLaunch.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (AppLaunch.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (AppLaunch.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (AppLaunch.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes: z3630711.exe, z7725606.exe, o6178286.exe, p5072287.exe
- PID 4236: z3630711.exe
- PID 4208: z7725606.exe
- PID 2140: o6178286.exe
- PID 4156: p5072287.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: 29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe, z3630711.exe, z7725606.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (z3630711.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (z3630711.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (z7725606.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (z7725606.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes: o6178286.exe
- PID 2140 (o6178286.exe) set thread context of PID 2644 (AppLaunch.exe)
-
Program crash 1 IoCs
Processes: WerFault.exe
- PID 1976 (WerFault.exe), target PID 4156 (p5072287.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: AppLaunch.exe
- PID 2644 AppLaunch.exe
- PID 2644 AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: AppLaunch.exe
- Token: SeDebugPrivilege, PID 2644 AppLaunch.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe, z3630711.exe, z7725606.exe, o6178286.exe
- PID 4064 (29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe) wrote to memory of PID 4236 (z3630711.exe), 3 entries
- PID 4236 (z3630711.exe) wrote to memory of PID 4208 (z7725606.exe), 3 entries
- PID 4208 (z7725606.exe) wrote to memory of PID 2140 (o6178286.exe), 3 entries
- PID 2140 (o6178286.exe) wrote to memory of PID 2644 (AppLaunch.exe), 5 entries
- PID 4208 (z7725606.exe) wrote to memory of PID 4156 (p5072287.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29b0fbd82071e22ed666abdbf413880345c3acef5187e10209871bba06430109.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 948
          - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3630711.exe
- Filesize: 633KB
- MD5: b81f5a9b769e4e2e1716f5b3078f4ae2
- SHA1: 0f58a1d8dc262ff88fe078ad0e7d067af78a3170
- SHA256: 3dfca8e0913c2d0c0212f004f7dfdb575cc586309300649d0975d169a4e3732b
- SHA512: 96b58478a9c8cca6a2de2bc2644527e0a45e421578e2c045128cfa580b7ca29d468ce5a1137a93a4ac958996011ffb80a93c718269e5dedaf47f5bec09c00e81
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7725606.exe
- Filesize: 290KB
- MD5: 1c4e2e3195d7a7cb7613be69f056e41e
- SHA1: 83b6dcf1ada3094c44eb2bf07ff78c477037457d
- SHA256: e5fabe55b2a19b40d20cad9dbad233edc963bafd6bfd9d01c6005693b7f424c0
- SHA512: 9282978567b701207d3c3372c5252a13e1da88f5494d6216fd2dc9534e8da7a0137e20a5d0e14221be7cb6095701a80d1ed94c76bf96da083b50be4edbb435bf
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6178286.exe
- Filesize: 193KB
- MD5: b1189f1a2092b86e601314c326c26d1d
- SHA1: fcfd6f49ba376b43d701a830d5371daaa56a6f53
- SHA256: d2bf1ee84950b59cf9533a78a2cda72487ef85544f89826b850c25580802094c
- SHA512: d546c2949fe394bd89eb974bf52c52f0343a4d79911600b5096f2d8665619e93cd9aea3f016c46b8a28de0336bbf1aca508d275fc6403d3f5fbd4c8743bc6187
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5072287.exe
- Filesize: 168KB
- MD5: 84356a738ea53c3589d12337adbc67fd
- SHA1: 403c40466af39c00a9e81c94d0190b603b9c3a0b
- SHA256: a44bf82bb541f3c17176913b963ad6eb84842b6b7eb11f6bab381652a35dd41d
- SHA512: 9c0200675ffcb7b903cecafed5f13a00a65c5029ad9054d39a6088fcda0c9c3db004fc897b0431d061d56029d958251646883be42476c1a359728cf91dcc5aba
-
memory/2644-140-0x0000000000400000-0x000000000040A000-memory.dmp
- Filesize: 40KB
-
memory/4156-151-0x0000000000860000-0x000000000088E000-memory.dmp
- Filesize: 184KB