Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    580KB

  • MD5

    3d33cc4a4007bf7d7e26dae656fab795

  • SHA1

    e908a0268e62aa3cbc70fb40276eccde98455106

  • SHA256

    f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317

  • SHA512

    67e5f38d74a6bdbfcec27519ac441cd576d8537fdc31d52876aedd5c8f415ce042e10b4d45e7bc24c31963f0afcc7c508ac2de5a3991a6aa4a400b44faf9b7b9

  • SSDEEP

    12288:aMrWy90/gB9v1iFA7j8cZMdxSTjRGBsD7FKWvUkxxJI3ZB:MylNSi8cydANGBiAWFxx4

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4840
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
    Filesize

    378KB

    MD5

    08310e1252404cb9eb0c95405916b4e6

    SHA1

    a2e753db164b1064f92753ebe43f00cdda5faddb

    SHA256

    e9a223064eb629045c3df2be145cb4e4b87aa4612bb9f516bfab57000b5ed73b

    SHA512

    5d8f9f6ed2aed8d18be191aa1cb69c91fdfc43f8b9f98a0da6f76287276f82ac5682f8fd0ace0ea51631efdb0321c4aa205cc9adb4e012e21bc3a0b29d4dc6a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
    Filesize

    378KB

    MD5

    08310e1252404cb9eb0c95405916b4e6

    SHA1

    a2e753db164b1064f92753ebe43f00cdda5faddb

    SHA256

    e9a223064eb629045c3df2be145cb4e4b87aa4612bb9f516bfab57000b5ed73b

    SHA512

    5d8f9f6ed2aed8d18be191aa1cb69c91fdfc43f8b9f98a0da6f76287276f82ac5682f8fd0ace0ea51631efdb0321c4aa205cc9adb4e012e21bc3a0b29d4dc6a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
    Filesize

    206KB

    MD5

    1a59af8cfe51430ba3232b6440be2258

    SHA1

    45981b180827d80e9461c6127e0c4732819c4379

    SHA256

    b3116bcb09056ee96110b042701d78450dac078a8e0383a70b0a5aff4f8309e4

    SHA512

    827219098cc9c702f719b28fb95bdd0a21d12f4ae50e53434dfb2dd32ac6f7432da58cb03c30942111672e84fdb0ae3bda2d1596de5fdc0c932f474b0ca0b724

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
    Filesize

    206KB

    MD5

    1a59af8cfe51430ba3232b6440be2258

    SHA1

    45981b180827d80e9461c6127e0c4732819c4379

    SHA256

    b3116bcb09056ee96110b042701d78450dac078a8e0383a70b0a5aff4f8309e4

    SHA512

    827219098cc9c702f719b28fb95bdd0a21d12f4ae50e53434dfb2dd32ac6f7432da58cb03c30942111672e84fdb0ae3bda2d1596de5fdc0c932f474b0ca0b724

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
    Filesize

    11KB

    MD5

    7718786682a8337d7648a66452f38451

    SHA1

    8c920f18fcba96bf298b6b4fedc106d41bffc15d

    SHA256

    bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062

    SHA512

    3b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
    Filesize

    11KB

    MD5

    7718786682a8337d7648a66452f38451

    SHA1

    8c920f18fcba96bf298b6b4fedc106d41bffc15d

    SHA256

    bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062

    SHA512

    3b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
    Filesize

    172KB

    MD5

    30aa28ce8fe7e0306c6c23f43a8188be

    SHA1

    c5e75ac0d08b223833df143725f403b2f5ad518b

    SHA256

    b6756eac7497c8eaf1f8d0d8860e84ed6c4204a3c061367ea4304c641e2f68f0

    SHA512

    d3b2f2bda8634daf0e1f98ece78e4aefc40ac2d644cdef9ee2d7e71f998f2f70da9e78b14366c25a21cc45714bca832acb0888c21bbc33aabf8c52c0721d0578

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
    Filesize

    172KB

    MD5

    30aa28ce8fe7e0306c6c23f43a8188be

    SHA1

    c5e75ac0d08b223833df143725f403b2f5ad518b

    SHA256

    b6756eac7497c8eaf1f8d0d8860e84ed6c4204a3c061367ea4304c641e2f68f0

    SHA512

    d3b2f2bda8634daf0e1f98ece78e4aefc40ac2d644cdef9ee2d7e71f998f2f70da9e78b14366c25a21cc45714bca832acb0888c21bbc33aabf8c52c0721d0578

    Download Submit
  • memory/4764-160-0x000000000AF40000-0x000000000B558000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4764-165-0x000000000ADD0000-0x000000000AE46000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4764-172-0x0000000005490000-0x00000000054A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4764-161-0x000000000AA30000-0x000000000AB3A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4764-162-0x000000000A960000-0x000000000A972000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4764-163-0x000000000A9C0000-0x000000000A9FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4764-164-0x0000000005490000-0x00000000054A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4764-159-0x0000000000AA0000-0x0000000000AD0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4764-166-0x000000000B560000-0x000000000B5F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4764-167-0x000000000AE50000-0x000000000AEB6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4764-168-0x000000000BEB0000-0x000000000C454000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4764-169-0x000000000BAF0000-0x000000000BB40000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4764-170-0x000000000C460000-0x000000000C622000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4764-171-0x000000000CB60000-0x000000000D08C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4840-154-0x00000000000D0000-0x00000000000DA000-memory.dmp
    Filesize

    40KB

    Download