Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 03:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe
- Resource: win10v2004-20230220-en
General
- Target: f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe
- Size: 580KB
- MD5: 71be2fdd0bf1806a5e1f62ca79cb9af7
- SHA1: 3d4366d35d36d02d41a9b661f9fb9d2a70668328
- SHA256: f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80
- SHA512: 9e68402183016f200a3b3e9fbd0a9f8285b228f6c968a5bcb78111b02cb4d8ff9af762a499d3b46797236d480f2d715fe9545b0f2a6f58733bb704b1897fca84
- SSDEEP: 12288:/MrDy90dfv7RfXp+f7idwquN6Vy/8s2PIV4UiYk+T:EyYfv7qidw76Vy/8sqIV4Gk0
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: a7812375.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: a7812375.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: a7812375.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: a7812375.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: a7812375.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: a7812375.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: a7812375.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes: v0978782.exe, v8478812.exe, a7812375.exe, b9650140.exe
- PID 4892: v0978782.exe
- PID 5108: v8478812.exe
- PID 4432: a7812375.exe
- PID 2392: b9650140.exe
-
Windows security modification
Processes: a7812375.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: a7812375.exe)
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: v0978782.exe, v8478812.exe, f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: v0978782.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: v8478812.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: v8478812.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: v0978782.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: a7812375.exe
- PID 4432: a7812375.exe
- PID 4432: a7812375.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: a7812375.exe
- Token: SeDebugPrivilege, PID 4432 (process: a7812375.exe)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe, v0978782.exe, v8478812.exe
- PID 4896 wrote to memory of 4892 (f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe -> v0978782.exe)
- PID 4896 wrote to memory of 4892 (f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe -> v0978782.exe)
- PID 4896 wrote to memory of 4892 (f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe -> v0978782.exe)
- PID 4892 wrote to memory of 5108 (v0978782.exe -> v8478812.exe)
- PID 4892 wrote to memory of 5108 (v0978782.exe -> v8478812.exe)
- PID 4892 wrote to memory of 5108 (v0978782.exe -> v8478812.exe)
- PID 5108 wrote to memory of 4432 (v8478812.exe -> a7812375.exe)
- PID 5108 wrote to memory of 4432 (v8478812.exe -> a7812375.exe)
- PID 5108 wrote to memory of 2392 (v8478812.exe -> b9650140.exe)
- PID 5108 wrote to memory of 2392 (v8478812.exe -> b9650140.exe)
- PID 5108 wrote to memory of 2392 (v8478812.exe -> b9650140.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe
        - Executes dropped EXE
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe
- Filesize: 378KB
- MD5: 5092433a8373818af00bd9788e1633f2
- SHA1: bdd824a1607d6d3a4acea3483f6a86e311f05050
- SHA256: b4df5062fbc1c508314f26831cb2d9c26bca82f0c2c457742612e8b84378d82b
- SHA512: 818cf3f355e1e87947337288b64db3dbc3d5edefcbf4cb8d21b43e032f9b83daadb62da47d755ef9cb4ff08b3442d409648f4bff90321fe21bf590b2c199b2a5
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe
- Filesize: 206KB
- MD5: 3c62ae167baa459a861ab2e558ddfb9c
- SHA1: de92a1c929788dee87fcf91369f9d61e3014e6a2
- SHA256: 111f298de439e7632b1d6c7e81e0cd9e5da3704b3e9f5715588de5e213bb7bb9
- SHA512: c3498c8955cdde4d4e7061bb1e7744de965331c2ac7d0bc66001ccb52af79b326c77e88af9cb668c0b05225721ac21cf3e976e37752a4ab76b9323864cf5d7b0
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe
- Filesize: 11KB
- MD5: 358b10b8d6f2c9200d41831749fd9d5f
- SHA1: ab05f699702079c0695e8fd841117cc4ab96bdd9
- SHA256: 674bf59171810555eada8aa33cfe73c62906ff184dbefd6ddec51a12c27e4be9
- SHA512: e62f405e92be9dfc98cf0ac0e78cddc254aa186d3aa2d88ceb8f76f93cf71796e8a9ff8469a68206646c82b485a2cd68c42e35593742fadc6fa3c82d3a17299e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe
- Filesize: 172KB
- MD5: 454ee287b453b7a46265b37895f4e0d6
- SHA1: c1a07b403f3fead20b2844e1472bd72cde14324b
- SHA256: 7fa93f39a6ed67985ddec971d904a29a529cd4b6063d3e15b7703edf611c75e3
- SHA512: a1014932af8263e365bf106cea478ca91ecd7ea739c66d5d93e89f8eb14c81394832194bb99d8f1b4ababebe18e85ce812adb283602480fcc7e364e7ae378143
-
memory/2392-159-0x0000000000DF0000-0x0000000000E20000-memory.dmp
- Filesize: 192KB
-
memory/2392-160-0x000000000B0C0000-0x000000000B6D8000-memory.dmp
- Filesize: 6.1MB
-
memory/2392-161-0x000000000AC30000-0x000000000AD3A000-memory.dmp
- Filesize: 1.0MB
-
memory/2392-162-0x000000000AB70000-0x000000000AB82000-memory.dmp
- Filesize: 72KB
-
memory/2392-163-0x000000000ABD0000-0x000000000AC0C000-memory.dmp
- Filesize: 240KB
-
memory/2392-164-0x00000000055D0000-0x00000000055E0000-memory.dmp
- Filesize: 64KB
-
memory/2392-165-0x00000000055D0000-0x00000000055E0000-memory.dmp
- Filesize: 64KB
-
memory/4432-154-0x0000000000270000-0x000000000027A000-memory.dmp
- Filesize: 40KB