redline | b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462 | Triage

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 00:48 UTC

Sharing

Report Analysis Logs

General

Target

b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Size

581KB
MD5

52848004ea4103154bb8e43e8a8114a0
SHA1

f0d7daacc37707f6c1c5af28bcb62eb9f5128341
SHA256

b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462
SHA512

d83a6c94aa4ea9fae2a875b50582e2c0633b1153349ff2ffe80f30ed1fd938aaeee8c993800b5020f0a31b8283bae3a7fd9ee41b5f84aed1bdc621d54455111d
SSDEEP

12288:6MrDy90W3w5pCyOqw1HVZSzmIfzRNvxiKl20kVrjvHwT:ByPmXw1H/SiIfzzvxiKl2vf/+

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5428548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5428548.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1132	v8544755.exe
1708	v7546864.exe
668	a5428548.exe
3764	b5824647.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5428548.exe

Adds Run key to start application 2 TTPs 6 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8544755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8544755.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7546864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7546864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
668	a5428548.exe
668	a5428548.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	a5428548.exe
Token: SeDebugPrivilege	3764	b5824647.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1132	1788	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe	84
PID 1788 wrote to memory of 1132	1788	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe	84
PID 1788 wrote to memory of 1132	1788	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe	84
PID 1132 wrote to memory of 1708	1132	v8544755.exe	85
PID 1132 wrote to memory of 1708	1132	v8544755.exe	85
PID 1132 wrote to memory of 1708	1132	v8544755.exe	85
PID 1708 wrote to memory of 668	1708	v7546864.exe	86
PID 1708 wrote to memory of 668	1708	v7546864.exe	86
PID 1708 wrote to memory of 3764	1708	v7546864.exe	87
PID 1708 wrote to memory of 3764	1708	v7546864.exe	87
PID 1708 wrote to memory of 3764	1708	v7546864.exe	87

C:\Users\Admin\AppData\Local\Temp\b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
"C:\Users\Admin\AppData\Local\Temp\b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3764

Network

DNS

123.108.74.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.108.74.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

14.103.197.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.103.197.20.in-addr.arpa

IN PTR

Response
DNS

126.73.97.83.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.73.97.83.in-addr.arpa

IN PTR

Response
DNS

64.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.13.109.52.in-addr.arpa

IN PTR

Response

93.184.220.29:80

322 B
7
83.97.73.126:19046

b5824647.exe

12.0kB
8.1kB
37
37
83.97.73.126:19046

b5824647.exe

260 B
5
13.69.109.130:443

322 B
7
209.197.3.8:80

322 B
7
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
34
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
34
29
209.197.3.8:80

322 B
7
173.223.113.164:443

322 B
7
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
33
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.7kB
34
28
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
33
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
33
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
33
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
33
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
34
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.8kB
33
29
83.97.73.126:19046

b5824647.exe

9.6kB
7.7kB
33
27
83.97.73.126:19046

b5824647.exe

467 B
275 B
5
3

8.8.8.8:53

123.108.74.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

123.108.74.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

14.103.197.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.103.197.20.in-addr.arpa
8.8.8.8:53

126.73.97.83.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

126.73.97.83.in-addr.arpa
8.8.8.8:53

64.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

64.13.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe

Filesize
378KB

MD5
6929d888535a6927661c6f9e6c90b915

SHA1
3f153a9bb9ba372639aa974d14c12caeba30b78d

SHA256
c27b92f32e9788a91116f6d7adb2b0b8be60f7d285849c620486f149a5212fc6

SHA512
5f75dde0ef2f83cb1a736bee9d8f1f3d17efeb55e9b697f360ec5269da1188827bcaa7e07c5dcfd781386b4357b12df8ccf87d356414a85090a0318d60c3691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe

Filesize
378KB

MD5
6929d888535a6927661c6f9e6c90b915

SHA1
3f153a9bb9ba372639aa974d14c12caeba30b78d

SHA256
c27b92f32e9788a91116f6d7adb2b0b8be60f7d285849c620486f149a5212fc6

SHA512
5f75dde0ef2f83cb1a736bee9d8f1f3d17efeb55e9b697f360ec5269da1188827bcaa7e07c5dcfd781386b4357b12df8ccf87d356414a85090a0318d60c3691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe

Filesize
206KB

MD5
95d0c37ead5df733dcc7889a61fc80b2

SHA1
44c3a7d92c81ccbcd35529557b3eaf706c19c562

SHA256
4689e12479f7c0cb41be73b6a148894361d737005a391ed02434ee6b3495fa53

SHA512
b8ed165175d29cbcb36526c1288ab27d8239bc386ec35f84c9ebdddaa6499b4bd3c324f58ecd73ea1dde8a0d2d847ef051fd64f0bf102ff645afa56f52dc4fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe

Filesize
206KB

MD5
95d0c37ead5df733dcc7889a61fc80b2

SHA1
44c3a7d92c81ccbcd35529557b3eaf706c19c562

SHA256
4689e12479f7c0cb41be73b6a148894361d737005a391ed02434ee6b3495fa53

SHA512
b8ed165175d29cbcb36526c1288ab27d8239bc386ec35f84c9ebdddaa6499b4bd3c324f58ecd73ea1dde8a0d2d847ef051fd64f0bf102ff645afa56f52dc4fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe

Filesize
11KB

MD5
d40d25877fc2e532a92dec2f42cc746b

SHA1
a7bc67d783582d65825a6a3f9974f54e4a087ac0

SHA256
7ba065644bec11de641557876b2fa2f7cf2b905b5d5982b5af03b3dd5b070728

SHA512
0766974f5b7c2cf86d8b68daceb6bf5e0978d17d403caf682029eab87ace30d963e870fc9121022a2ebdbd2495a3dc3b2e5b96730b3d6adfe5a387198add5860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe

Filesize
11KB

MD5
d40d25877fc2e532a92dec2f42cc746b

SHA1
a7bc67d783582d65825a6a3f9974f54e4a087ac0

SHA256
7ba065644bec11de641557876b2fa2f7cf2b905b5d5982b5af03b3dd5b070728

SHA512
0766974f5b7c2cf86d8b68daceb6bf5e0978d17d403caf682029eab87ace30d963e870fc9121022a2ebdbd2495a3dc3b2e5b96730b3d6adfe5a387198add5860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe

Filesize
172KB

MD5
67fa8ab50752b1087103560b2cd19f7f

SHA1
7949d594400cc3e61ec5a6dcc915ac1e5678fa0b

SHA256
cc43bcb4a58797e65ba198c1d01cd4a23fb1e106f9b3916d75b3c2bf9f83916b

SHA512
984d129f1ec41da7f5225085c1ce9a75333d6de0e1625bb0c9c634af80395d936d1a2d621c9fae2d9d5db8c38957e569d81b7e54ef7e3c7a5e7557d435dfe2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe

Filesize
172KB

MD5
67fa8ab50752b1087103560b2cd19f7f

SHA1
7949d594400cc3e61ec5a6dcc915ac1e5678fa0b

SHA256
cc43bcb4a58797e65ba198c1d01cd4a23fb1e106f9b3916d75b3c2bf9f83916b

SHA512
984d129f1ec41da7f5225085c1ce9a75333d6de0e1625bb0c9c634af80395d936d1a2d621c9fae2d9d5db8c38957e569d81b7e54ef7e3c7a5e7557d435dfe2f0

Download Submit
memory/668-154-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/3764-160-0x000000000AD20000-0x000000000B338000-memory.dmp

Filesize
6.1MB

Download
memory/3764-166-0x000000000AC70000-0x000000000AD02000-memory.dmp

Filesize
584KB

Download
memory/3764-161-0x000000000A8A0000-0x000000000A9AA000-memory.dmp

Filesize
1.0MB

Download
memory/3764-162-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/3764-163-0x000000000A840000-0x000000000A87C000-memory.dmp

Filesize
240KB

Download
memory/3764-164-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/3764-165-0x000000000AB50000-0x000000000ABC6000-memory.dmp

Filesize
472KB

Download
memory/3764-159-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/3764-167-0x000000000B8F0000-0x000000000BE94000-memory.dmp

Filesize
5.6MB

Download
memory/3764-168-0x000000000B340000-0x000000000B3A6000-memory.dmp

Filesize
408KB

Download
memory/3764-169-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/3764-170-0x000000000B8A0000-0x000000000B8F0000-memory.dmp

Filesize
320KB

Download
memory/3764-171-0x000000000C170000-0x000000000C332000-memory.dmp

Filesize
1.8MB

Download
memory/3764-172-0x000000000C870000-0x000000000CD9C000-memory.dmp

Filesize
5.2MB

Download