Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
04-06-2023 18:52
General
-
Target
627bca92413edc5f0e26eda27d0d86ca2d2800bb3249d0d31b28cd4e22df7857.exe
-
Size
581KB
-
MD5
ebea96776bb04d1d0318f0630fda1537
-
SHA1
9761f9d24bb96ebc59ba883d7b22624d33ba1358
-
SHA256
627bca92413edc5f0e26eda27d0d86ca2d2800bb3249d0d31b28cd4e22df7857
-
SHA512
e80a90c10ed3c36ee502768f7bd4c78e2dec3ae467fc441d837f6aa2e62ea10c03423d9b3b7a3a7591cd838ae0ab3a7e19d1e556acb5ed837de668fdd28f0efb
-
SSDEEP
12288:hMrPy90Lj+xtfMyYu3ov1MNT0+DdpK9xJkPdA+:eyCQfMy73oP+Ddpb1v
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\627bca92413edc5f0e26eda27d0d86ca2d2800bb3249d0d31b28cd4e22df7857.exe"C:\Users\Admin\AppData\Local\Temp\627bca92413edc5f0e26eda27d0d86ca2d2800bb3249d0d31b28cd4e22df7857.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5634825.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5634825.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4329087.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4329087.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4370947.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4370947.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3354470.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3354470.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
377KB
MD5bfd50a0a6a0b5ef1af6b805945ab35a0
SHA11c373e6cee9c2f42c345ab11ef75853b26bd15f0
SHA25684bcc98e224ff3d20dcdec5fb5c4ea14ceb951b0bc370f0b4dcd1adc7dbfe890
SHA51212f3514f3f78d595970580fc641a1a5692bb4b2a6963c63e37be19a8a67b4c749a808516a19909d3396812467d3ae27b6c0622e6bc4084b756e378a25b498469
-
Filesize
377KB
MD5bfd50a0a6a0b5ef1af6b805945ab35a0
SHA11c373e6cee9c2f42c345ab11ef75853b26bd15f0
SHA25684bcc98e224ff3d20dcdec5fb5c4ea14ceb951b0bc370f0b4dcd1adc7dbfe890
SHA51212f3514f3f78d595970580fc641a1a5692bb4b2a6963c63e37be19a8a67b4c749a808516a19909d3396812467d3ae27b6c0622e6bc4084b756e378a25b498469
-
Filesize
206KB
MD53b576101b47c7283fb2300fa81aa3e2f
SHA17145fbbfee189f2ce4e05e9684d14f97ffb298e7
SHA2563f611f37dab16f68586b8c802471418495e3889f16c1b3a9c7c8128b87d02256
SHA512f45e87d22bedd4ec236f93ff52e5f7ac651e85912df3c99a38a8963cda854ea9b535b776ed7a1a9bb98b6bf2e8d42cef98f60e06f11ba9061847f4eecba8e0a0
-
Filesize
206KB
MD53b576101b47c7283fb2300fa81aa3e2f
SHA17145fbbfee189f2ce4e05e9684d14f97ffb298e7
SHA2563f611f37dab16f68586b8c802471418495e3889f16c1b3a9c7c8128b87d02256
SHA512f45e87d22bedd4ec236f93ff52e5f7ac651e85912df3c99a38a8963cda854ea9b535b776ed7a1a9bb98b6bf2e8d42cef98f60e06f11ba9061847f4eecba8e0a0
-
Filesize
11KB
MD5fa9bbd1cf1d0202ee547cfb8ca5a1a2f
SHA17a62cfc2dac6bc29843eb1fd0f1ed72d90134bd9
SHA25632d68f3792182c04cb7abd4aeb41dd9e00d0db8207e382df3937964590dc51af
SHA512d017dfd0a29713540ae7a3ef31ca9bac78e3ca68fb7d3cce2e9d082d1a820b68163773ef5bd0604bb58100d58764d07bea5281ef3d2f466cce32c015fb1c717c
-
Filesize
11KB
MD5fa9bbd1cf1d0202ee547cfb8ca5a1a2f
SHA17a62cfc2dac6bc29843eb1fd0f1ed72d90134bd9
SHA25632d68f3792182c04cb7abd4aeb41dd9e00d0db8207e382df3937964590dc51af
SHA512d017dfd0a29713540ae7a3ef31ca9bac78e3ca68fb7d3cce2e9d082d1a820b68163773ef5bd0604bb58100d58764d07bea5281ef3d2f466cce32c015fb1c717c
-
Filesize
172KB
MD557ea65a2fc5cd0ce65bf6fed1375d39a
SHA1012b897de3d5ff623ff7a14e22c30023868b3769
SHA256441c8d59f55e227c3630917318398a576f841451ee05a6ebe2e78c5533b1a9e4
SHA5123d42448167967094416364fab18e8d670ac22b0eb979178d194b794d3bd24d9086090e5a43823cc26c6ed1bd3d773a1ce0e91137d3b536518791fd826d1bf6de
-
Filesize
172KB
MD557ea65a2fc5cd0ce65bf6fed1375d39a
SHA1012b897de3d5ff623ff7a14e22c30023868b3769
SHA256441c8d59f55e227c3630917318398a576f841451ee05a6ebe2e78c5533b1a9e4
SHA5123d42448167967094416364fab18e8d670ac22b0eb979178d194b794d3bd24d9086090e5a43823cc26c6ed1bd3d773a1ce0e91137d3b536518791fd826d1bf6de
-
Filesize
6.1MB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
40KB