Analysis
-
max time kernel
127s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
04-06-2023 18:54
Static task
static1
Behavioral task
behavioral1
Sample
02823199.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
02823199.exe
Resource
win10v2004-20230221-en
General
-
Target
02823199.exe
-
Size
580KB
-
MD5
b8a552548110bda4128f4898a2d91880
-
SHA1
f3157dcedfc0225ee4fd27d89aceb38f5755c17e
-
SHA256
c5c0d8259b0179d3893845ee37f6cf226e7b5f5e0f86d89c25f67f25c5111f5d
-
SHA512
cb0d140a0c916364106055cb4a7b8f458d14373d08c510abd6dab889aa821cde139486ae6663c994c016b212fb8bf80cb8318615bb69a4e44e80bc374cebfed2
-
SSDEEP
12288:fMr3y90FMHuYwinCm9AWt7GJLNE789d1CvM:4yHfjCmGU7YLNTCM
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Processes:
a5670341.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a5670341.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a5670341.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a5670341.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a5670341.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a5670341.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a5670341.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes:
v7801997.exev5528468.exea5670341.exeb5107172.exepid process 1144 v7801997.exe 1728 v5528468.exe 1908 a5670341.exe 2008 b5107172.exe -
Loads dropped DLL 7 IoCs
Processes:
02823199.exev7801997.exev5528468.exeb5107172.exepid process 884 02823199.exe 1144 v7801997.exe 1144 v7801997.exe 1728 v5528468.exe 1728 v5528468.exe 1728 v5528468.exe 2008 b5107172.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
a5670341.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features a5670341.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5670341.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
v7801997.exev5528468.exe02823199.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce v7801997.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v7801997.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce v5528468.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v5528468.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 02823199.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 02823199.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
a5670341.exeb5107172.exepid process 1908 a5670341.exe 1908 a5670341.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe 2008 b5107172.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
a5670341.exeb5107172.exedescription pid process Token: SeDebugPrivilege 1908 a5670341.exe Token: SeDebugPrivilege 2008 b5107172.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
02823199.exev7801997.exev5528468.exedescription pid process target process PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 884 wrote to memory of 1144 884 02823199.exe v7801997.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1144 wrote to memory of 1728 1144 v7801997.exe v5528468.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 1908 1728 v5528468.exe a5670341.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe PID 1728 wrote to memory of 2008 1728 v5528468.exe b5107172.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\02823199.exe"C:\Users\Admin\AppData\Local\Temp\02823199.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
377KB
MD5be4d981dd2929502bb640d0de9ad2a2a
SHA10b5cbaa734dd8b20927f116dc0ae25ef475a9ba2
SHA25640af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a
SHA512b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8
-
Filesize
377KB
MD5be4d981dd2929502bb640d0de9ad2a2a
SHA10b5cbaa734dd8b20927f116dc0ae25ef475a9ba2
SHA25640af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a
SHA512b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8
-
Filesize
206KB
MD5881be49873e76e896dcd922f756fb4e6
SHA1e1e11d256ddb75932eafcf2f313085d360d20547
SHA25658fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9
SHA512c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802
-
Filesize
206KB
MD5881be49873e76e896dcd922f756fb4e6
SHA1e1e11d256ddb75932eafcf2f313085d360d20547
SHA25658fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9
SHA512c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802
-
Filesize
11KB
MD5fd9683ec29c78745ed8fd3373c804bd2
SHA101294920799cb1e7ed2595f618b2b6e16b5fd551
SHA256e6e75520e77cb413bb91253a69aed590b4e43606b1a51c28da1d120f3bd8af35
SHA5129ee71ae591b5bd2a7e2e2c767b2b361772ff8d162f0077faa1821258e6c4bf44a6934b54cd5e7de26241ec512fbfebb800b4a3df092c866a0f6bbbc5fc346b52
-
Filesize
11KB
MD5fd9683ec29c78745ed8fd3373c804bd2
SHA101294920799cb1e7ed2595f618b2b6e16b5fd551
SHA256e6e75520e77cb413bb91253a69aed590b4e43606b1a51c28da1d120f3bd8af35
SHA5129ee71ae591b5bd2a7e2e2c767b2b361772ff8d162f0077faa1821258e6c4bf44a6934b54cd5e7de26241ec512fbfebb800b4a3df092c866a0f6bbbc5fc346b52
-
Filesize
172KB
MD545da8a914cedfeab596ef8651b33599b
SHA1be96c30cc9952c337f15ba9db86810595917ce13
SHA256fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e
SHA5120ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5
-
Filesize
172KB
MD545da8a914cedfeab596ef8651b33599b
SHA1be96c30cc9952c337f15ba9db86810595917ce13
SHA256fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e
SHA5120ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5
-
Filesize
377KB
MD5be4d981dd2929502bb640d0de9ad2a2a
SHA10b5cbaa734dd8b20927f116dc0ae25ef475a9ba2
SHA25640af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a
SHA512b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8
-
Filesize
377KB
MD5be4d981dd2929502bb640d0de9ad2a2a
SHA10b5cbaa734dd8b20927f116dc0ae25ef475a9ba2
SHA25640af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a
SHA512b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8
-
Filesize
206KB
MD5881be49873e76e896dcd922f756fb4e6
SHA1e1e11d256ddb75932eafcf2f313085d360d20547
SHA25658fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9
SHA512c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802
-
Filesize
206KB
MD5881be49873e76e896dcd922f756fb4e6
SHA1e1e11d256ddb75932eafcf2f313085d360d20547
SHA25658fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9
SHA512c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802
-
Filesize
11KB
MD5fd9683ec29c78745ed8fd3373c804bd2
SHA101294920799cb1e7ed2595f618b2b6e16b5fd551
SHA256e6e75520e77cb413bb91253a69aed590b4e43606b1a51c28da1d120f3bd8af35
SHA5129ee71ae591b5bd2a7e2e2c767b2b361772ff8d162f0077faa1821258e6c4bf44a6934b54cd5e7de26241ec512fbfebb800b4a3df092c866a0f6bbbc5fc346b52
-
Filesize
172KB
MD545da8a914cedfeab596ef8651b33599b
SHA1be96c30cc9952c337f15ba9db86810595917ce13
SHA256fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e
SHA5120ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5
-
Filesize
172KB
MD545da8a914cedfeab596ef8651b33599b
SHA1be96c30cc9952c337f15ba9db86810595917ce13
SHA256fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e
SHA5120ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5