Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-06-2023 18:35
Static task: static1
Behavioral task: behavioral1
Sample: 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe
Resource: win10-20230220-en
General
Target: 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe
Size: 581KB
MD5: ff5d1e04d3ab7b200989a063c75e2461
SHA1: 6088ab645636e8e954cbfead71308a6f56052d97
SHA256: 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e
SHA512: bc04cd141c9a9489234aafc4bd35aaa13a6b43679a8d96079a9e56136506bf3f652117b5e544028c53ae61d7af939f989eab7ffa1ed13146044858ecc3df7b71
SSDEEP: 12288:8Mrky90O9+7mtSIoKH0XxaIVwomNUXpFs+5B4ZvO+uEs0CIPmsP:Qy1k7WEKMyUXpd5B4ZG+uX0COmsP
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a4012019.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a4012019.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a4012019.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a4012019.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a4012019.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a4012019.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes: v8927430.exe, v6392619.exe, a4012019.exe, b5184495.exe
pid | process
4556 | v8927430.exe
4296 | v6392619.exe
3656 | a4012019.exe
5112 | b5184495.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: a4012019.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a4012019.exe
Adds Run key to start application 2 TTPs 6 IoCs
Processes: v6392619.exe, 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe, v8927430.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6392619.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v6392619.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8927430.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8927430.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes: a4012019.exe, b5184495.exe
pid | process
3656 | a4012019.exe
5112 | b5184495.exe
(38 entries in total; every entry is one of these two pid/process pairs, with b5184495.exe accounting for nearly all of them)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a4012019.exe, b5184495.exe
description | pid | process
Token: SeDebugPrivilege | 3656 | a4012019.exe
Token: SeDebugPrivilege | 5112 | b5184495.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe, v8927430.exe, v6392619.exe
description | pid | process | target process
PID 2896 wrote to memory of 4556 | 2896 | 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe | v8927430.exe
PID 2896 wrote to memory of 4556 | 2896 | 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe | v8927430.exe
PID 2896 wrote to memory of 4556 | 2896 | 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe | v8927430.exe
PID 4556 wrote to memory of 4296 | 4556 | v8927430.exe | v6392619.exe
PID 4556 wrote to memory of 4296 | 4556 | v8927430.exe | v6392619.exe
PID 4556 wrote to memory of 4296 | 4556 | v8927430.exe | v6392619.exe
PID 4296 wrote to memory of 3656 | 4296 | v6392619.exe | a4012019.exe
PID 4296 wrote to memory of 3656 | 4296 | v6392619.exe | a4012019.exe
PID 4296 wrote to memory of 5112 | 4296 | v6392619.exe | b5184495.exe
PID 4296 wrote to memory of 5112 | 4296 | v6392619.exe | b5184495.exe
PID 4296 wrote to memory of 5112 | 4296 | v6392619.exe | b5184495.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e.exe"
  PID: 2896
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe
    PID: 4556
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe
      PID: 4296
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe
        PID: 3656
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe
        PID: 5112
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 377KB
MD5: 9e10117012d19841ff3641aa051363ee
SHA1: b5add5712375f58966fb01646d0c96e4031dd763
SHA256: 343a93249c65cbfa0a30518bd5bd3b75353bce94c57aca97a1998d189d909980
SHA512: a132f6fc7723f88820de645efb9592a75beeccf84283d1a3668d716ee9754fa320ae66af7197650e186f8dded9b8833716ce7e689c5c7a719dd651a5f3fc7181
Filesize: 206KB
MD5: 45eb4999184fbea0565929468db8b323
SHA1: a823c6bd2886a66dc534fdee80ed432b8f87555e
SHA256: 6138f5763b9fd0a0203bbda64b42e5cae185a40fbd7f28520e16d40cf623c728
SHA512: 3c77d31eaa5695bb63cd157a7f2a8d6c56b3c09e0ce50d93d9e29c98c1210444660955da0dd5606016c7ee4508ec5e32254f3db1d46b167287020227bf695b15
Filesize: 11KB
MD5: dc60801fd9e0ca4edcaf57ae68675c31
SHA1: 5ad54ba5d8d424a27da7579f3853f5d60a7fcbe3
SHA256: 7a3e60dbec28e18927d13cbee7784b016d9bdc162a7f25f6f27d19ac466ff05e
SHA512: 46d8016f01195a6c63ecca7eb92c0d3ed9c06fb57f2411686b7b56def9ae3624789cb9881b47017160439370a86d4c16841ca57744f8fd3e6202e78c258e67f9
Filesize: 172KB
MD5: f4f7f0244f7044232c558f1f0b90bb62
SHA1: ebbe23753f3c661a924c05c6dcab37e486803f93
SHA256: 73a648d8c6c2af163c8f2f6aa4286959be20b1abd94ab17ca82d78c0970b5f2a
SHA512: 2029d8a700e41d7771d675033b1ce151ab1a44f69de54b815d00306d55a1ef8513746f179915e7ddd6c780c4076d4b22dfd6bad34a3f784b56fccbe5d11ce284