Analysis
-
max time kernel
140s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-06-2023 10:00
General
-
Target
5cfda34a3c160d5aa74f28ff24a7327aa4777c20200d048887ac175bffa902e9.exe
-
Size
779KB
-
MD5
11585a9cc93902a33fe449b389a10e32
-
SHA1
38ded9d1fe49abf6ae49a8fadb4d850a5c977b49
-
SHA256
5cfda34a3c160d5aa74f28ff24a7327aa4777c20200d048887ac175bffa902e9
-
SHA512
98ba1247355157ac159520dc543b28904a03dca747b5dddf3db2e8e69ec21184b831380d39414f0a4ea83e4f60cac7baab0642c3cd0f1bdfbf10aaf03a096747
-
SSDEEP
12288:eMrly90xXAhkDms+YskooWsLSR/cqHpe/hexKmji6l2VwaOLR+0VlPopWqV:ryWAhQXDSlc8peRmji6lAwJLBVljqV
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Extracted
redline
metro
83.97.73.126:19046
-
auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cfda34a3c160d5aa74f28ff24a7327aa4777c20200d048887ac175bffa902e9.exe"C:\Users\Admin\AppData\Local\Temp\5cfda34a3c160d5aa74f28ff24a7327aa4777c20200d048887ac175bffa902e9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6345013.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6345013.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4016632.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4016632.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9862367.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9862367.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1198190.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1198190.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2745705.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2745705.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metado.exe" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "metado.exe" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\a9e2a16078" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\a9e2a16078" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8761617.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8761617.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exeC:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exeC:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exeC:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
304KB
MD5ec84656889dc7fdd1d7333cf99a6b2ed
SHA12ce966283d0119043acf383b05e702c25995b89a
SHA2569796fb5032eb7706b059d3a93757d36c0bedd9827c1cf221ecfefa7b1c3e1fa8
SHA512219385fc4602f9380597df4ad08a62cd765939623b15f354a5b7d4dabe1d6374eb18fdf0a5142ddaef55fc18c918647cd72486333263d2cbf1a864690c9265f6
-
Filesize
304KB
MD5ec84656889dc7fdd1d7333cf99a6b2ed
SHA12ce966283d0119043acf383b05e702c25995b89a
SHA2569796fb5032eb7706b059d3a93757d36c0bedd9827c1cf221ecfefa7b1c3e1fa8
SHA512219385fc4602f9380597df4ad08a62cd765939623b15f354a5b7d4dabe1d6374eb18fdf0a5142ddaef55fc18c918647cd72486333263d2cbf1a864690c9265f6
-
Filesize
448KB
MD5af0823a4f9f3c8f00ab68a4ac6031548
SHA1e91334ec39874b1a759be8112061025d20cc28f3
SHA256f30bdbe7fe4914b318759f1d2c762242713355c010cc7402cb06a98c4fb4add8
SHA512bb181c0cb2587817ef8cadadbe2841edff7e736c623c2cc066b1dd3a8d0b8e64a064fdc91606dee5e039241b34c473b9d110c3ecf241bab7caab6954f27c40d0
-
Filesize
448KB
MD5af0823a4f9f3c8f00ab68a4ac6031548
SHA1e91334ec39874b1a759be8112061025d20cc28f3
SHA256f30bdbe7fe4914b318759f1d2c762242713355c010cc7402cb06a98c4fb4add8
SHA512bb181c0cb2587817ef8cadadbe2841edff7e736c623c2cc066b1dd3a8d0b8e64a064fdc91606dee5e039241b34c473b9d110c3ecf241bab7caab6954f27c40d0
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
277KB
MD52b02c0577306a5ab38510cf250cb72fd
SHA168775ab6b5749f696fa9e5e9bee1aaabaee986fb
SHA256220c2336220309afc59c0605791d3d5d2b8a0e73ca0d417749a841d793e3a63a
SHA51233e4fd736cf6d55f4708c5b306f0b8eb1c210266c8a706b7350ce244ed05af1cc408ea4d1d1f9fc316c1e14051fc9a6e9be61cff34e6aae03971c44bf1653dc6
-
Filesize
277KB
MD52b02c0577306a5ab38510cf250cb72fd
SHA168775ab6b5749f696fa9e5e9bee1aaabaee986fb
SHA256220c2336220309afc59c0605791d3d5d2b8a0e73ca0d417749a841d793e3a63a
SHA51233e4fd736cf6d55f4708c5b306f0b8eb1c210266c8a706b7350ce244ed05af1cc408ea4d1d1f9fc316c1e14051fc9a6e9be61cff34e6aae03971c44bf1653dc6
-
Filesize
147KB
MD5c05448ab6f363dd717e01a5fad7d27c1
SHA1b7ec8d8d7b431450a740ac389801f26e6fc61482
SHA2560c6ae08c2bfe5501d750ecc32ff6de21abf2153bddfb45210e0704af94ba590b
SHA5128dd151b3718767cb19d335807250a698f093b3d3cde1670f1be0c79f2b3985d2ce0d4aef3be286237cbcb0c310f663cd7d1409a25512069acc8b36861ce899f1
-
Filesize
147KB
MD5c05448ab6f363dd717e01a5fad7d27c1
SHA1b7ec8d8d7b431450a740ac389801f26e6fc61482
SHA2560c6ae08c2bfe5501d750ecc32ff6de21abf2153bddfb45210e0704af94ba590b
SHA5128dd151b3718767cb19d335807250a698f093b3d3cde1670f1be0c79f2b3985d2ce0d4aef3be286237cbcb0c310f663cd7d1409a25512069acc8b36861ce899f1
-
Filesize
168KB
MD5cf8972d3898cf079e76d4b8ccc8b0004
SHA1f54f9e9233cb482961c2f691d972b1dd414865f7
SHA25697949384043cf3e9f9806121590d92b74554df3a356cb4d5224fcb6c831d4b05
SHA51201129b1aa08af04227ca5564507ca2e8df21d03708643cb45b6137e60ba3bf415c0ee3ee13ac84aa2cb9f8610cf3dfa543416f88a4cb05a6ecdbb5640ffacc59
-
Filesize
168KB
MD5cf8972d3898cf079e76d4b8ccc8b0004
SHA1f54f9e9233cb482961c2f691d972b1dd414865f7
SHA25697949384043cf3e9f9806121590d92b74554df3a356cb4d5224fcb6c831d4b05
SHA51201129b1aa08af04227ca5564507ca2e8df21d03708643cb45b6137e60ba3bf415c0ee3ee13ac84aa2cb9f8610cf3dfa543416f88a4cb05a6ecdbb5640ffacc59
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
216KB
MD587c40ba25df7538954240a2b424aa5ed
SHA1310333d9675aa61c15622bcec78b93ce4279c1fb
SHA256ccc27c705714abd0c7bae1df8910f3e8f585f69c1b97a87548857a0c70346eaa
SHA512348c9789f8a3489d7ad17cfb3a3e5d40ab96af89d125d97d1823be2246835a981d76ec1ba37ac70e6b4aab5deee306d21d379108655e22e5db6c523b0446ce74
-
Filesize
89KB
MD5547bae937be965d63f61d89e8eafb4a1
SHA185466c95625bcbb7f68aa89a367149d35f80e1fa
SHA256015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5
SHA5121869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f
-
Filesize
89KB
MD5547bae937be965d63f61d89e8eafb4a1
SHA185466c95625bcbb7f68aa89a367149d35f80e1fa
SHA256015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5
SHA5121869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f
-
Filesize
89KB
MD5547bae937be965d63f61d89e8eafb4a1
SHA185466c95625bcbb7f68aa89a367149d35f80e1fa
SHA256015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5
SHA5121869b1cd3dcc09fbf9f965a8f45b647390e8859e6bf476293cbfd8b1122c660eca5db2943f0b1e77d451684fdef34ae503d5f357408e1a4fe5c1237871f5d02f
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
184KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
184KB