Overview

overview

10

Static

static

3

05200499.exe

windows7-x64

10

05200499.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2023 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05200499.exe

  • Size

    580KB

  • MD5

    4ec4e3c61d59d98c654bb9a2e5853000

  • SHA1

    29cebf9a339cfad22262e80c387ffcb874a5eb4e

  • SHA256

    f4b092f5f134e9cfce7e29d2f9774092e408d8b20a619a63010872c24e1f8484

  • SHA512

    07afd2ed9bbfdf803e2aade5629fb71accefcd4ba419dbda9abdb51e0d0bdfbdf4449fb429bf501834729dcd70b120c3bb8f40b038ccf86c20ecd56ae5b2bfe9

  • SSDEEP

    12288:EMrpy90rQvZPEO1ia64hTVT0hTUtn85x/OXPcVNQCUkFMHGdHQ:NyHvBvTV9h8XmXkVW3Iw

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05200499.exe
    "C:\Users\Admin\AppData\Local\Temp\05200499.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439075.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439075.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4259363.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4259363.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3287928.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3287928.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4399455.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4399455.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439075.exe
    Filesize

    377KB

    MD5

    5a3e1866e73e16e80b37ef07782973f7

    SHA1

    1786ce717abf6778a67270d89762a6543c80318b

    SHA256

    0ceb68105f8795b01ee04116550eaad2553de110a01663c53b76c91916b4c3bd

    SHA512

    1eab9b575794f9f5f7fe957284effe02961ef7dfca9ea5f97fbe8978f4b669ccdee7d71729f2c81079e1d47107d1c6ba936ff815ee73373e94898f92d0ea6aa3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439075.exe
    Filesize

    377KB

    MD5

    5a3e1866e73e16e80b37ef07782973f7

    SHA1

    1786ce717abf6778a67270d89762a6543c80318b

    SHA256

    0ceb68105f8795b01ee04116550eaad2553de110a01663c53b76c91916b4c3bd

    SHA512

    1eab9b575794f9f5f7fe957284effe02961ef7dfca9ea5f97fbe8978f4b669ccdee7d71729f2c81079e1d47107d1c6ba936ff815ee73373e94898f92d0ea6aa3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4259363.exe
    Filesize

    206KB

    MD5

    5cd308363f08d6a9e2ae305899f0236a

    SHA1

    6d34f84ee8416b2958330551a56be1353912b9dd

    SHA256

    73ef92a6f8549874518c562ba11a73118b41f5a2d0ae3bffa58e6d39d82d84a7

    SHA512

    b0f2859ae70c2b8b6f996afcb8568f9af215ed36245905d7f29a0ffe7d037c7171d1d0370208bafb13616096a85678faddcd59f41eaebc2618ec9aa54fc01409

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4259363.exe
    Filesize

    206KB

    MD5

    5cd308363f08d6a9e2ae305899f0236a

    SHA1

    6d34f84ee8416b2958330551a56be1353912b9dd

    SHA256

    73ef92a6f8549874518c562ba11a73118b41f5a2d0ae3bffa58e6d39d82d84a7

    SHA512

    b0f2859ae70c2b8b6f996afcb8568f9af215ed36245905d7f29a0ffe7d037c7171d1d0370208bafb13616096a85678faddcd59f41eaebc2618ec9aa54fc01409

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3287928.exe
    Filesize

    11KB

    MD5

    cec0215e8f370c6969f24f91194d18ec

    SHA1

    dae040da5a86cb571feaaa4d7a21e7404472872d

    SHA256

    a9aa81b192926e158307b7a99eaeacefde3b3c612fa8f049a798162c90176738

    SHA512

    16c5e4bcb91626646346091da3f2da7d006494c354d673c8377b15b672b2037946cfa6a855e45c1e84a58576c1243d00667561bae26011151e910b699c92db7e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3287928.exe
    Filesize

    11KB

    MD5

    cec0215e8f370c6969f24f91194d18ec

    SHA1

    dae040da5a86cb571feaaa4d7a21e7404472872d

    SHA256

    a9aa81b192926e158307b7a99eaeacefde3b3c612fa8f049a798162c90176738

    SHA512

    16c5e4bcb91626646346091da3f2da7d006494c354d673c8377b15b672b2037946cfa6a855e45c1e84a58576c1243d00667561bae26011151e910b699c92db7e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4399455.exe
    Filesize

    172KB

    MD5

    7b201c7a5e60033523a08b3196d80383

    SHA1

    4b768f0a8625f48da2c1376ce440d6f01fe40794

    SHA256

    8b823d5708f966498e5d312ac22c1e28fc4446012480ee53b421bf527b197893

    SHA512

    021db1dee0c34ef040c7bc4272ce53c86b18b5b42ee1c2e69702877d737897aacdb3181ecce458fadd2ce0d01778c6df88ce220568b5a2180c01a11cccc3a029

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4399455.exe
    Filesize

    172KB

    MD5

    7b201c7a5e60033523a08b3196d80383

    SHA1

    4b768f0a8625f48da2c1376ce440d6f01fe40794

    SHA256

    8b823d5708f966498e5d312ac22c1e28fc4446012480ee53b421bf527b197893

    SHA512

    021db1dee0c34ef040c7bc4272ce53c86b18b5b42ee1c2e69702877d737897aacdb3181ecce458fadd2ce0d01778c6df88ce220568b5a2180c01a11cccc3a029

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439075.exe
    Filesize

    377KB

    MD5

    5a3e1866e73e16e80b37ef07782973f7

    SHA1

    1786ce717abf6778a67270d89762a6543c80318b

    SHA256

    0ceb68105f8795b01ee04116550eaad2553de110a01663c53b76c91916b4c3bd

    SHA512

    1eab9b575794f9f5f7fe957284effe02961ef7dfca9ea5f97fbe8978f4b669ccdee7d71729f2c81079e1d47107d1c6ba936ff815ee73373e94898f92d0ea6aa3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y8439075.exe
    Filesize

    377KB

    MD5

    5a3e1866e73e16e80b37ef07782973f7

    SHA1

    1786ce717abf6778a67270d89762a6543c80318b

    SHA256

    0ceb68105f8795b01ee04116550eaad2553de110a01663c53b76c91916b4c3bd

    SHA512

    1eab9b575794f9f5f7fe957284effe02961ef7dfca9ea5f97fbe8978f4b669ccdee7d71729f2c81079e1d47107d1c6ba936ff815ee73373e94898f92d0ea6aa3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\y4259363.exe
    Filesize

    206KB

    MD5

    5cd308363f08d6a9e2ae305899f0236a

    SHA1

    6d34f84ee8416b2958330551a56be1353912b9dd

    SHA256

    73ef92a6f8549874518c562ba11a73118b41f5a2d0ae3bffa58e6d39d82d84a7

    SHA512

    b0f2859ae70c2b8b6f996afcb8568f9af215ed36245905d7f29a0ffe7d037c7171d1d0370208bafb13616096a85678faddcd59f41eaebc2618ec9aa54fc01409

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\y4259363.exe
    Filesize

    206KB

    MD5

    5cd308363f08d6a9e2ae305899f0236a

    SHA1

    6d34f84ee8416b2958330551a56be1353912b9dd

    SHA256

    73ef92a6f8549874518c562ba11a73118b41f5a2d0ae3bffa58e6d39d82d84a7

    SHA512

    b0f2859ae70c2b8b6f996afcb8568f9af215ed36245905d7f29a0ffe7d037c7171d1d0370208bafb13616096a85678faddcd59f41eaebc2618ec9aa54fc01409

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\k3287928.exe
    Filesize

    11KB

    MD5

    cec0215e8f370c6969f24f91194d18ec

    SHA1

    dae040da5a86cb571feaaa4d7a21e7404472872d

    SHA256

    a9aa81b192926e158307b7a99eaeacefde3b3c612fa8f049a798162c90176738

    SHA512

    16c5e4bcb91626646346091da3f2da7d006494c354d673c8377b15b672b2037946cfa6a855e45c1e84a58576c1243d00667561bae26011151e910b699c92db7e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\l4399455.exe
    Filesize

    172KB

    MD5

    7b201c7a5e60033523a08b3196d80383

    SHA1

    4b768f0a8625f48da2c1376ce440d6f01fe40794

    SHA256

    8b823d5708f966498e5d312ac22c1e28fc4446012480ee53b421bf527b197893

    SHA512

    021db1dee0c34ef040c7bc4272ce53c86b18b5b42ee1c2e69702877d737897aacdb3181ecce458fadd2ce0d01778c6df88ce220568b5a2180c01a11cccc3a029

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\l4399455.exe
    Filesize

    172KB

    MD5

    7b201c7a5e60033523a08b3196d80383

    SHA1

    4b768f0a8625f48da2c1376ce440d6f01fe40794

    SHA256

    8b823d5708f966498e5d312ac22c1e28fc4446012480ee53b421bf527b197893

    SHA512

    021db1dee0c34ef040c7bc4272ce53c86b18b5b42ee1c2e69702877d737897aacdb3181ecce458fadd2ce0d01778c6df88ce220568b5a2180c01a11cccc3a029

    Download Submit

  • memory/532-89-0x0000000000ED0000-0x0000000000F00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/532-90-0x0000000000370000-0x0000000000376000-memory.dmp

    Filesize

    24KB

    Download

  • memory/532-91-0x0000000000B00000-0x0000000000B40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/532-92-0x0000000000B00000-0x0000000000B40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1928-82-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

    Filesize

    40KB

    Download