Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 00:48

Static task: static1
Behavioral task: behavioral1
Sample: b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Resource: win10v2004-20230220-en
General
- Target: b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
- Size: 581KB
- MD5: 52848004ea4103154bb8e43e8a8114a0
- SHA1: f0d7daacc37707f6c1c5af28bcb62eb9f5128341
- SHA256: b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462
- SHA512: d83a6c94aa4ea9fae2a875b50582e2c0633b1153349ff2ffe80f30ed1fd938aaeee8c993800b5020f0a31b8283bae3a7fd9ee41b5f84aed1bdc621d54455111d
- SSDEEP: 12288:6MrDy90W3w5pCyOqw1HVZSzmIfzRNvxiKl20kVrjvHwT:ByPmXw1H/SiIfzzvxiKl2vf/+
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
All six registry operations come from a5428548.exe and target the Real-Time Protection policy key.
Processes: a5428548.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5428548.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5428548.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5428548.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5428548.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5428548.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5428548.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes: v8544755.exe, v7546864.exe, a5428548.exe, b5824647.exe
pid | process
1132 | v8544755.exe
1708 | v7546864.exe
668 | a5428548.exe
3764 | b5824647.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
a5428548.exe also clears Defender's TamperProtection flag. On a host where Tamper Protection is enabled, neither this value nor the Real-Time Protection policy values above can be changed by a registry write from an ordinary process, so whether these writes take effect depends on that setting; the sandbox records the attempt.
Processes: a5428548.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5428548.exe
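The Defender-disabling writes in the two signatures above can be picked out of a report (or a registry-write log in the same shape) mechanically. The following is an added example written for this page, not the sandbox's own detection code. It parses the "Set value" IoC rows as printed here and flags two patterns: any Disable* value under Policies\Microsoft\Windows Defender set to 1, which generalises the five values seen in this report, and TamperProtection set to 0 under the live Features key. The sample rows are copied from this report except the final RunOnce row, which is a constructed benign control.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Registry IoC rows in the layout the report uses:
#   Set value (<type>) <key>\<name> = "<data>" <process>
# First seven rows copied from this report; the last is a constructed benign
# control (a WExtract RunOnce cleanup entry) that must not be flagged.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a5428548.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a5428548.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a5428548.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a5428548.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a5428548.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a5428548.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5428548.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe advpack.dll,DelNodeRunDLL32" v8544755.exe',
]


class RegWrite(NamedTuple):
    kind: str      # value type as logged, e.g. "int" or "str"
    key: str       # full key path
    name: str      # value name (last path component before " = ")
    data: str      # data as logged; the report prints every value as a string
    process: str   # image name of the writing process


# Key may contain spaces; the value name is the last backslash-separated component.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+)\\([^\\]+) = "(.*)" (\S+)$')


def parse_set_value(line: str) -> Optional[RegWrite]:
    """Parse one 'Set value' row; rows of other kinds (e.g. 'Key created') give None."""
    m = SET_VALUE_RE.match(line)
    return RegWrite(*m.groups()) if m else None


def is_defender_tamper(w: RegWrite) -> bool:
    key, name = w.key.lower(), w.name.lower()
    # Any Disable* policy value under Policies\Microsoft\Windows Defender set to 1
    # switches a protection component off (covers the five values in the report
    # and the other Disable* policy values Defender honours).
    if ("\\policies\\microsoft\\windows defender" in key
            and name.startswith("disable") and w.data == "1"):
        return True
    # TamperProtection sits under the live (non-policy) Features key; 0 means off.
    if (key.endswith("\\microsoft\\windows defender\\features")
            and "\\policies\\" not in key
            and name == "tamperprotection" and w.data == "0"):
        return True
    return False


def defender_tamper_findings(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (process, value name, data) for every Defender-disabling write."""
    findings = []
    for line in lines:
        w = parse_set_value(line)
        if w is not None and is_defender_tamper(w):
            findings.append((w.process, w.name, w.data))
    return findings


if __name__ == "__main__":
    for proc, name, data in defender_tamper_findings(SAMPLE_IOCS):
        print(f"{proc}: Defender tampering via {name} = {data}")
```

Run against the rows above it reports six findings, all from a5428548.exe, and ignores both the "Key created" row and the RunOnce control row.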
Adds Run key to start application 2 TTPs 6 IoCs
The three RunOnce values are wextract_cleanup0, wextract_cleanup1 and wextract_cleanup2, each invoking advpack.dll,DelNodeRunDLL32 on one of the IXP000.TMP, IXP001.TMP and IXP002.TMP directories. That is the temp-directory cleanup written by the Microsoft WExtract self-extractor stub that wraps each layer of this dropper: the entries delete the extraction directory at next logon and do not re-launch anything, so they document the packing chain rather than persistence.
Processes: v8544755.exe, v7546864.exe, b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8544755.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8544755.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7546864.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v7546864.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: a5428548.exe, b5824647.exe
pid | process | IoCs
668 | a5428548.exe | 2
3764 | b5824647.exe | 24
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a5428548.exe, b5824647.exe
description | pid | process
Token: SeDebugPrivilege | 668 | a5428548.exe
Token: SeDebugPrivilege | 3764 | b5824647.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe, v8544755.exe, v7546864.exe
description | pid | process | target process
PID 1788 wrote to memory of 1132 (3 IoCs) | 1788 | b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe | v8544755.exe
PID 1132 wrote to memory of 1708 (3 IoCs) | 1132 | v8544755.exe | v7546864.exe
PID 1708 wrote to memory of 668 (2 IoCs) | 1708 | v7546864.exe | a5428548.exe
PID 1708 wrote to memory of 3764 (3 IoCs) | 1708 | v7546864.exe | b5824647.exe
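The WriteProcessMemory rows are enough to rebuild the dropper chain without the process tree further down: each row names a writer PID and a target PID, and following writer-to-target edges from the PID nobody wrote to gives the nesting. The script below is an added example written for this page, not tooling from the sandbox. It takes the eleven rows exactly as printed in this report, keeps the repeats as per-edge counts, deduplicates the edges, and renders the tree; the three levels it finds match the IXP000.TMP, IXP001.TMP and IXP002.TMP extraction directories.

```python
import re
from typing import Dict, List, Tuple

# "Suspicious use of WriteProcessMemory" rows in the layout the report uses:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
# Copied from this report; the repeated rows are kept on purpose.
SAMPLE_WPM = [
    "PID 1788 wrote to memory of 1132 1788 b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe v8544755.exe",
    "PID 1788 wrote to memory of 1132 1788 b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe v8544755.exe",
    "PID 1788 wrote to memory of 1132 1788 b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe v8544755.exe",
    "PID 1132 wrote to memory of 1708 1132 v8544755.exe v7546864.exe",
    "PID 1132 wrote to memory of 1708 1132 v8544755.exe v7546864.exe",
    "PID 1132 wrote to memory of 1708 1132 v8544755.exe v7546864.exe",
    "PID 1708 wrote to memory of 668 1708 v7546864.exe a5428548.exe",
    "PID 1708 wrote to memory of 668 1708 v7546864.exe a5428548.exe",
    "PID 1708 wrote to memory of 3764 1708 v7546864.exe b5824647.exe",
    "PID 1708 wrote to memory of 3764 1708 v7546864.exe b5824647.exe",
    "PID 1708 wrote to memory of 3764 1708 v7546864.exe b5824647.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")

Names = Dict[str, str]                 # pid -> image name
Children = Dict[str, List[str]]        # writer pid -> target pids, first-seen order
Counts = Dict[Tuple[str, str], int]    # (writer, target) -> number of rows


def parse_write_events(lines: List[str]) -> Tuple[Names, Children, Counts]:
    """Build the writer->target graph; duplicate rows become edge counts."""
    names: Names = {}
    children: Children = {}
    counts: Counts = {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        names[src] = src_img
        names[dst] = dst_img
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return names, children, counts


def roots(children: Children) -> List[str]:
    """Writers that were never themselves written to: the top of each chain."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]


def render_tree(names: Names, children: Children, pid: str, depth: int = 0) -> List[str]:
    """Indent two spaces per level, one line per process."""
    lines = ["  " * depth + f"{names[pid]} ({pid})"]
    for child in children.get(pid, []):
        lines.extend(render_tree(names, children, child, depth + 1))
    return lines


def process_chain(lines: List[str]) -> List[str]:
    names, children, _ = parse_write_events(lines)
    out: List[str] = []
    for root in roots(children):
        out.extend(render_tree(names, children, root))
    return out


if __name__ == "__main__":
    print("\n".join(process_chain(SAMPLE_WPM)))
```

For these rows the single root is PID 1788 and the rendered tree has five lines, with a5428548.exe and b5824647.exe as siblings under v7546864.exe, the same shape the Processes section shows.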
Processes
- C:\Users\Admin\AppData\Local\Temp\b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe"
  PID: 1788
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe
    PID: 1132
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe
      PID: 1708
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe
        PID: 668
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe
        PID: 3764
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 378KB
  MD5: 6929d888535a6927661c6f9e6c90b915
  SHA1: 3f153a9bb9ba372639aa974d14c12caeba30b78d
  SHA256: c27b92f32e9788a91116f6d7adb2b0b8be60f7d285849c620486f149a5212fc6
  SHA512: 5f75dde0ef2f83cb1a736bee9d8f1f3d17efeb55e9b697f360ec5269da1188827bcaa7e07c5dcfd781386b4357b12df8ccf87d356414a85090a0318d60c3691c
- Filesize: 206KB
  MD5: 95d0c37ead5df733dcc7889a61fc80b2
  SHA1: 44c3a7d92c81ccbcd35529557b3eaf706c19c562
  SHA256: 4689e12479f7c0cb41be73b6a148894361d737005a391ed02434ee6b3495fa53
  SHA512: b8ed165175d29cbcb36526c1288ab27d8239bc386ec35f84c9ebdddaa6499b4bd3c324f58ecd73ea1dde8a0d2d847ef051fd64f0bf102ff645afa56f52dc4fc0
- Filesize: 11KB
  MD5: d40d25877fc2e532a92dec2f42cc746b
  SHA1: a7bc67d783582d65825a6a3f9974f54e4a087ac0
  SHA256: 7ba065644bec11de641557876b2fa2f7cf2b905b5d5982b5af03b3dd5b070728
  SHA512: 0766974f5b7c2cf86d8b68daceb6bf5e0978d17d403caf682029eab87ace30d963e870fc9121022a2ebdbd2495a3dc3b2e5b96730b3d6adfe5a387198add5860
- Filesize: 172KB
  MD5: 67fa8ab50752b1087103560b2cd19f7f
  SHA1: 7949d594400cc3e61ec5a6dcc915ac1e5678fa0b
  SHA256: cc43bcb4a58797e65ba198c1d01cd4a23fb1e106f9b3916d75b3c2bf9f83916b
  SHA512: 984d129f1ec41da7f5225085c1ce9a75333d6de0e1625bb0c9c634af80395d936d1a2d621c9fae2d9d5db8c38957e569d81b7e54ef7e3c7a5e7557d435dfe2f0