Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05-06-2023 00:53
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
581KB
-
MD5
e70e8dd2f2a949f1a73438c0f498de1c
-
SHA1
40ce5995dd5cffd9d698a448d426552e97222f0a
-
SHA256
28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545
-
SHA512
c25c2d67e6170e9ede05ba67d81a6c6bcc6b58f3015a577a09e35786373276adeaecc1958ea600614b2fc260bf052e022e723f1e1430b7695b5e9cecf492e6f5
-
SSDEEP
12288:RMrFy90LNRlNsFmw633onPfQGpMvr6Rt6f2VwerUzGd3JmMh3t:8ymDNF33onpMvr5uL448Mh3t
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4503013.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4503013.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4503013.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4503013.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a4503013.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4503013.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
pid Process 1992 v0163337.exe 788 v5262794.exe 556 a4503013.exe 1320 b1864269.exe -
Loads dropped DLL 7 IoCs
pid Process 2044 file.exe 1992 v0163337.exe 1992 v0163337.exe 788 v5262794.exe 788 v5262794.exe 788 v5262794.exe 1320 b1864269.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features a4503013.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4503013.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce v5262794.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v5262794.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce v0163337.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v0163337.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 556 a4503013.exe 556 a4503013.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe 1320 b1864269.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 556 a4503013.exe Token: SeDebugPrivilege 1320 b1864269.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 2044 wrote to memory of 1992 2044 file.exe 28 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 1992 wrote to memory of 788 1992 v0163337.exe 29 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 556 788 v5262794.exe 30 PID 788 wrote to memory of 1320 788 v5262794.exe 31 PID 788 wrote to memory of 1320 788 v5262794.exe 31 PID 788 wrote to memory of 1320 788 v5262794.exe 31 PID 788 wrote to memory of 1320 788 v5262794.exe 31 PID 788 wrote to memory of 1320 788 v5262794.exe 31 PID 788 wrote to memory of 1320 788 v5262794.exe 31 PID 788 wrote to memory of 1320 788 v5262794.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0163337.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0163337.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5262794.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5262794.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4503013.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4503013.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1864269.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1864269.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
377KB
MD5d54f5d86752783d875f97f490ee9c4ee
SHA12d2f410d3385c6ef998e7472f37d3d02d1645a6d
SHA25672c376e5219ba56b7f2e1fd2e4bb7aca990ad559756b2d3a637bcb387f3704f7
SHA512895f2d5be2aa6956aba029e4b5cb0eb5cdfec41157864746b01d125a6803955df708dc9180f8ea17a586f2e0f3bc138e19a2c42132aa6a2daf56ee78464b208b
-
Filesize
377KB
MD5d54f5d86752783d875f97f490ee9c4ee
SHA12d2f410d3385c6ef998e7472f37d3d02d1645a6d
SHA25672c376e5219ba56b7f2e1fd2e4bb7aca990ad559756b2d3a637bcb387f3704f7
SHA512895f2d5be2aa6956aba029e4b5cb0eb5cdfec41157864746b01d125a6803955df708dc9180f8ea17a586f2e0f3bc138e19a2c42132aa6a2daf56ee78464b208b
-
Filesize
206KB
MD56bf27e6ba7e468255f00253cda2e6555
SHA154d1b0f418b6213f07bdb1ff9db0227f100661c5
SHA25639e48736209532427294c3d9d981a95bbdebd0cb733f913d8e9ab913cde3ad50
SHA512fe5853001f1b4f163a4c10d51be33b28e9306e9f4f2ee23b8e144842a774e3362faccddd1b6a02b8d98b594248e3c512f269947976b4f0bf7a81d670bff6dce3
-
Filesize
206KB
MD56bf27e6ba7e468255f00253cda2e6555
SHA154d1b0f418b6213f07bdb1ff9db0227f100661c5
SHA25639e48736209532427294c3d9d981a95bbdebd0cb733f913d8e9ab913cde3ad50
SHA512fe5853001f1b4f163a4c10d51be33b28e9306e9f4f2ee23b8e144842a774e3362faccddd1b6a02b8d98b594248e3c512f269947976b4f0bf7a81d670bff6dce3
-
Filesize
11KB
MD5544e4d6d23e9db6da1b8753cfc5b9775
SHA10191aa084984865635388d451d5369efaa28ad2b
SHA25671dcd99212242a8d684df4ad27a98f03c256dc9e0294d6a848091249fc22b517
SHA512ba827a17c670991d64dbc75b12e42a5961f6238b21aa80f788c89ef4c52e2c4de14377977340f9e583fac6f3aec9d38d589b74315072f1e2f0602c638566c15b
-
Filesize
11KB
MD5544e4d6d23e9db6da1b8753cfc5b9775
SHA10191aa084984865635388d451d5369efaa28ad2b
SHA25671dcd99212242a8d684df4ad27a98f03c256dc9e0294d6a848091249fc22b517
SHA512ba827a17c670991d64dbc75b12e42a5961f6238b21aa80f788c89ef4c52e2c4de14377977340f9e583fac6f3aec9d38d589b74315072f1e2f0602c638566c15b
-
Filesize
172KB
MD5b32047d717888012646378aa1cb85150
SHA129a00294ffee7acda851aec1f688d5f1bbd0735b
SHA256f0e11578c56fa3ed2a95790a329b9fc215966581b756013d10225b0f0e85a5c6
SHA512c9d7479c99ebcb863a2161251e801172a98d8311b24faaab82ee22d5aa55ca7344c2e028429bda0f5473d4d302213ee53789624ff6a268ae0fc5e98fb7d95bfc
-
Filesize
172KB
MD5b32047d717888012646378aa1cb85150
SHA129a00294ffee7acda851aec1f688d5f1bbd0735b
SHA256f0e11578c56fa3ed2a95790a329b9fc215966581b756013d10225b0f0e85a5c6
SHA512c9d7479c99ebcb863a2161251e801172a98d8311b24faaab82ee22d5aa55ca7344c2e028429bda0f5473d4d302213ee53789624ff6a268ae0fc5e98fb7d95bfc
-
Filesize
377KB
MD5d54f5d86752783d875f97f490ee9c4ee
SHA12d2f410d3385c6ef998e7472f37d3d02d1645a6d
SHA25672c376e5219ba56b7f2e1fd2e4bb7aca990ad559756b2d3a637bcb387f3704f7
SHA512895f2d5be2aa6956aba029e4b5cb0eb5cdfec41157864746b01d125a6803955df708dc9180f8ea17a586f2e0f3bc138e19a2c42132aa6a2daf56ee78464b208b
-
Filesize
377KB
MD5d54f5d86752783d875f97f490ee9c4ee
SHA12d2f410d3385c6ef998e7472f37d3d02d1645a6d
SHA25672c376e5219ba56b7f2e1fd2e4bb7aca990ad559756b2d3a637bcb387f3704f7
SHA512895f2d5be2aa6956aba029e4b5cb0eb5cdfec41157864746b01d125a6803955df708dc9180f8ea17a586f2e0f3bc138e19a2c42132aa6a2daf56ee78464b208b
-
Filesize
206KB
MD56bf27e6ba7e468255f00253cda2e6555
SHA154d1b0f418b6213f07bdb1ff9db0227f100661c5
SHA25639e48736209532427294c3d9d981a95bbdebd0cb733f913d8e9ab913cde3ad50
SHA512fe5853001f1b4f163a4c10d51be33b28e9306e9f4f2ee23b8e144842a774e3362faccddd1b6a02b8d98b594248e3c512f269947976b4f0bf7a81d670bff6dce3
-
Filesize
206KB
MD56bf27e6ba7e468255f00253cda2e6555
SHA154d1b0f418b6213f07bdb1ff9db0227f100661c5
SHA25639e48736209532427294c3d9d981a95bbdebd0cb733f913d8e9ab913cde3ad50
SHA512fe5853001f1b4f163a4c10d51be33b28e9306e9f4f2ee23b8e144842a774e3362faccddd1b6a02b8d98b594248e3c512f269947976b4f0bf7a81d670bff6dce3
-
Filesize
11KB
MD5544e4d6d23e9db6da1b8753cfc5b9775
SHA10191aa084984865635388d451d5369efaa28ad2b
SHA25671dcd99212242a8d684df4ad27a98f03c256dc9e0294d6a848091249fc22b517
SHA512ba827a17c670991d64dbc75b12e42a5961f6238b21aa80f788c89ef4c52e2c4de14377977340f9e583fac6f3aec9d38d589b74315072f1e2f0602c638566c15b
-
Filesize
172KB
MD5b32047d717888012646378aa1cb85150
SHA129a00294ffee7acda851aec1f688d5f1bbd0735b
SHA256f0e11578c56fa3ed2a95790a329b9fc215966581b756013d10225b0f0e85a5c6
SHA512c9d7479c99ebcb863a2161251e801172a98d8311b24faaab82ee22d5aa55ca7344c2e028429bda0f5473d4d302213ee53789624ff6a268ae0fc5e98fb7d95bfc
-
Filesize
172KB
MD5b32047d717888012646378aa1cb85150
SHA129a00294ffee7acda851aec1f688d5f1bbd0735b
SHA256f0e11578c56fa3ed2a95790a329b9fc215966581b756013d10225b0f0e85a5c6
SHA512c9d7479c99ebcb863a2161251e801172a98d8311b24faaab82ee22d5aa55ca7344c2e028429bda0f5473d4d302213ee53789624ff6a268ae0fc5e98fb7d95bfc