Analysis

max time kernel: 135s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2023 00:23

Static task: static1
Behavioral task: behavioral1
Sample: 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe
Resource: win10v2004-20230220-en
General

Target: 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe
Size: 853KB
MD5: 45ce9ab5e1c02fc9dfed753454dba905
SHA1: cf7eb56d9193ea8e36d9c48e76bb9a01286a82eb
SHA256: 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa
SHA512: ceadf967436a0962ee8e7a7e0d73d0ae9d40cc01f54a9de8b23397c01f1de1dc3f136fdb8a4f7aabde545a4bd2dcc99aab42a8c9ec1237c23ea33d06d3ebf215
SSDEEP: 12288:ZMrQy90HkyriyFmOJEOzQa7TPgUSXA+bmw1TbHvCBRmyRMWt7O631PHeW5k:xyYkyKkEtq9GV2Rmyt7J1m
Malware Config

Extracted
Family: redline
Botnet: lupa
C2: 83.97.73.126:19046
auth_value: 6a764aa41830c77712442516d143bc9c
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | o2874539.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o2874539.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o2874539.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o2874539.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o2874539.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o2874539.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
pid | Process
3356 | z4742761.exe
4432 | z0626599.exe
3704 | o2874539.exe
1684 | p1863095.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | o2874539.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z0626599.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z4742761.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z4742761.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z0626599.exe
-
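The Defender and RunOnce registry writes in this report are its most reusable host-side IOCs, and they deserve different severities. The Real-Time Protection Disable* values and TamperProtection = 0 are security downgrades. The wextract_cleanupN RunOnce entries are not persistence, despite the signature name: rundll32.exe advpack.dll,DelNodeRunDLL32 pointed at an IXP00N.TMP directory is how an IExpress/wextract self-extracting executable schedules deletion of its own extraction directory at next logon, so the three entries (cleanup0, cleanup1, cleanup2) mark three nested SFX layers, which matches the IXP000 -> IXP001 -> IXP002 chain in the process tree. The Python below is an added example, not sandbox output or code from the RedLine family; it runs three rules over events constructed from the rows above, plus one constructed benign RunOnce write to show the rules are selective. RegEvent, classify and detect are names chosen for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    """One registry observation: writing process, full key/value path, data written."""
    process: str
    path: str
    value: object  # int for REG_DWORD, str for REG_SZ, None for 'Key created'


# Constructed from the registry rows in this report's Signatures section.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
EVENTS = [
    RegEvent("o2874539.exe", RTP, None),  # 'Key created' row: no value written
    RegEvent("o2874539.exe", RTP + r"\DisableBehaviorMonitoring", 1),
    RegEvent("o2874539.exe", RTP + r"\DisableIOAVProtection", 1),
    RegEvent("o2874539.exe", RTP + r"\DisableOnAccessProtection", 1),
    RegEvent("o2874539.exe", RTP + r"\DisableRealtimeMonitoring", 1),
    RegEvent("o2874539.exe", RTP + r"\DisableScanOnRealtimeEnable", 1),
    RegEvent("o2874539.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", 0),
    RegEvent("z0626599.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    # Constructed benign installer RunOnce entry (not from the report).
    RegEvent("setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InstallerFinish",
             r"C:\Program Files\Example\finish.exe"),
]

# Rule 1: any Disable* value under the Real-Time Protection policy key set to 1.
DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
# Rule 2: Defender tamper protection feature flag cleared.
TAMPER = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.I)
# Rule 3: wextract's self-cleanup RunOnce entry, a marker of IExpress SFX packaging.
WEXTRACT_RUNONCE = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
SFX_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]*IXP\d{3}\.TMP\\?)"', re.I)


def classify(ev: RegEvent):
    """Map one event to a (rule, detail) pair, or None if no rule matches."""
    m = DEFENDER_RTP.search(ev.path)
    if m and ev.value == 1:
        return ("defender_rtp_disabled", m.group(1))
    if TAMPER.search(ev.path) and ev.value == 0:
        return ("defender_tamper_protection_off", "TamperProtection=0")
    if WEXTRACT_RUNONCE.search(ev.path) and isinstance(ev.value, str):
        m = SFX_CLEANUP.search(ev.value)
        if m:
            return ("wextract_sfx_cleanup", m.group(1))  # extraction dir scheduled for deletion
    return None


def detect(events):
    """Group matching events by rule: {rule: [(writing process, detail), ...]}."""
    findings = {}
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings.setdefault(hit[0], []).append((ev.process, hit[1]))
    return findings


if __name__ == "__main__":
    for rule, hits in detect(EVENTS).items():
        print(rule)
        for proc, detail in hits:
            print(f"  {proc}: {detail}")
```

On a real endpoint the Policies values are also written legitimately by Group Policy, so a production rule should additionally key on the writing process: here it is an unsigned binary running from a %TEMP%\IXP002.TMP directory, not the Group Policy client.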
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
3704 | o2874539.exe (2 entries)
1684 | p1863095.exe (16 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3704 | o2874539.exe
Token: SeDebugPrivilege | 1684 | p1863095.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4812 wrote to memory of 3356 | 4812 | 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe | 81
PID 4812 wrote to memory of 3356 | 4812 | 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe | 81
PID 4812 wrote to memory of 3356 | 4812 | 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe | 81
PID 3356 wrote to memory of 4432 | 3356 | z4742761.exe | 82
PID 3356 wrote to memory of 4432 | 3356 | z4742761.exe | 82
PID 3356 wrote to memory of 4432 | 3356 | z4742761.exe | 82
PID 4432 wrote to memory of 3704 | 4432 | z0626599.exe | 83
PID 4432 wrote to memory of 3704 | 4432 | z0626599.exe | 83
PID 4432 wrote to memory of 1684 | 4432 | z0626599.exe | 84
PID 4432 wrote to memory of 1684 | 4432 | z0626599.exe | 84
PID 4432 wrote to memory of 1684 | 4432 | z0626599.exe | 84
Processes

Each entry gives the image path, the command line as recorded by the sandbox, the PID and its depth in the tree; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe"
PID: 4812 (depth 1)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4742761.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4742761.exe
  PID: 3356 (depth 2, child of 4812)
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0626599.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0626599.exe
    PID: 4432 (depth 3, child of 3356)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2874539.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2874539.exe
      PID: 3704 (depth 4, child of 4432)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1863095.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1863095.exe
      PID: 1684 (depth 4, child of 4432)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
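The WriteProcessMemory table and the process tree describe the same chain from two angles: the table lists every cross-process write the sandbox saw (several rows per parent/child pair), and the tree is the result of collapsing those rows. The Python below is an added example, not sandbox tooling, that parses the report's rows verbatim, collapses them into parent/child edges with a write count, rebuilds the tree and measures its depth. The names parse_rows, build_tree, render and chain_depth are chosen for this example; the PID-to-image map is taken from the 'Executes dropped EXE' table plus the submitted sample.

```python
import re

# Rows copied verbatim from this report's 'Suspicious use of WriteProcessMemory'
# table (description, pid, Process, procid_target). One parent/child pair
# appears several times because the sandbox logs each write separately.
ROWS = """
PID 4812 wrote to memory of 3356 4812 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe 81
PID 4812 wrote to memory of 3356 4812 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe 81
PID 4812 wrote to memory of 3356 4812 6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe 81
PID 3356 wrote to memory of 4432 3356 z4742761.exe 82
PID 3356 wrote to memory of 4432 3356 z4742761.exe 82
PID 3356 wrote to memory of 4432 3356 z4742761.exe 82
PID 4432 wrote to memory of 3704 4432 z0626599.exe 83
PID 4432 wrote to memory of 3704 4432 z0626599.exe 83
PID 4432 wrote to memory of 1684 4432 z0626599.exe 84
PID 4432 wrote to memory of 1684 4432 z0626599.exe 84
PID 4432 wrote to memory of 1684 4432 z0626599.exe 84
"""

# PID -> image name: the submitted sample plus the 'Executes dropped EXE' table.
NAMES = {
    4812: "6621366ab968c96b05b12850e5bd603f060c887d8e66ddd6085b2398941279aa.exe",
    3356: "z4742761.exe",
    4432: "z0626599.exe",
    3704: "o2874539.exe",
    1684: "p1863095.exe",
}

# description | pid | Process | procid_target, whitespace-separated on the page
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Collapse rows into edges: {(parent_pid, child_pid): number_of_writes}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] = edges.get((parent, child), 0) + 1
    return edges


def build_tree(edges):
    """Return (roots, children); children maps parent PID -> child PIDs in first-seen order."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    targets = {child for _, child in edges}
    roots = []
    for parent, _ in edges:
        if parent not in targets and parent not in roots:  # never written to: a root
            roots.append(parent)
    return roots, children


def render(pid, children, names, depth=0):
    """One indented line per process for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{names.get(pid, 'unknown')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, names, depth + 1))
    return lines


def chain_depth(pid, children):
    """Longest parent->child chain starting at pid, counted in processes."""
    return 1 + max((chain_depth(c, children) for c in children.get(pid, [])), default=0)


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, children, NAMES)))
    print("nesting depth:", chain_depth(roots[0], children))
```

The eleven rows collapse to four edges and a single root, and the depth of four matches the IXP000 -> IXP001 -> IXP002 extraction directories: three self-extracting layers before the two payloads, one of which (o2874539.exe) does the Defender tampering while the other (p1863095.exe) is the process with the RedLine configuration's C2 to look for in network telemetry.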
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 409KB
MD5: f6d7e6676401c3bc313cc1043bece4aa
SHA1: d7d514e2ab15e42eaab7a66225a5f57f0c7d8527
SHA256: 20c74213c2254c8a1a504608d89d65cce8e8ba1b93b6f0db3c534997fa920def
SHA512: ff683ccd08058c25227146178e48da0e69e2592921cad442017bbeb57ff4506e7e68cd3fd5c59e5a39bc3eabe0f237a5f8b87b05e00873e8ee49b9c9d4c2b167
-
Filesize: 206KB
MD5: 07979015b29b4ed45f4d9066ef672b95
SHA1: 57282acf150660cd337124c45f6171492ff1ff86
SHA256: 921f8184317ea14bba331133fab5ebec2c8579960528f3740a8c4e424f5cd477
SHA512: 9c96eee89177bff6034b2c30bb4fde8bebc1b3f38ec7be257f7bc129f211775047c85f134fd85113045b2de2b7d50312496579745bcdf65a4a5a21fddf832dce
-
Filesize: 11KB
MD5: c7cdb50197ee7e3e316cdcb2a76dd6a5
SHA1: 1234b0652abbf6f2b7ecad11e33f1572fcb88912
SHA256: 692ae1219a40b861b45d57a7a55f32a85da5ae6cce8cebbcb5211cd95e25fe59
SHA512: b750849be58c2562c29e774478a9a47e5a93855b29403ae029524a1c80d9a077370ff295abb2ba1c5654183bc5e755a70d3c90be17553ea61165d34627c14048
-
Filesize: 172KB
MD5: 7f1976ab9e57517dbdaa7890160a4dc8
SHA1: 760f9d6dda78ab8d04c8c440ec7fcacb5a7a33a2
SHA256: 35a994e0bba944145896871708e081c5df22f6576fde2702f174c716b10effb4
SHA512: 523f897f668d2d30b3fe2c42c16323f98b11a44a70270b986416b3a5ae184ff82e3293291d978ac07fec674a121459c6d77a6e234a280a9d03bb039f6fad63c1