Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 03:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe
- Resource: win10v2004-20230220-en
General
- Target: 320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe
- Size: 580KB
- MD5: 344f0a434e359bc6a06745a78d57e388
- SHA1: 3edd2a8e9b9254da4a5027907a165cdba84790df
- SHA256: 320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377
- SHA512: 0b4267c8632615dad12064acfd86187dcd3ed5126464bb9c871c6915640ab771346b28753d7986b8adcba63453d15e3370a8cf3f6d0d1e5f233cf5aa1436d6a1
- SSDEEP: 12288:pMr/y90DQQ11FxkVje5sEwjkjWW4VKRQ/LwwK66MOM:aysQQ11772n6WJVKRQTweOM
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a5635110.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (a5635110.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a5635110.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a5635110.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a5635110.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a5635110.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a5635110.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 4 IoCs
Processes: v0527811.exe, v4475342.exe, a5635110.exe, b6197124.exe
- PID 1432: v0527811.exe
- PID 4656: v4475342.exe
- PID 4628: a5635110.exe
- PID 3808: b6197124.exe
Windows security modification
Processes: a5635110.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (a5635110.exe)
Adds Run key to start application 2 TTPs 6 IoCs
Processes: v4475342.exe, 320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe, v0527811.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v4475342.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (v4475342.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v0527811.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v0527811.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: a5635110.exe
- PID 4628: a5635110.exe
- PID 4628: a5635110.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: a5635110.exe
- Token: SeDebugPrivilege, PID 4628, a5635110.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe, v0527811.exe, v4475342.exe
- PID 1924 wrote to memory of 1432 (320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe -> v0527811.exe)
- PID 1924 wrote to memory of 1432 (320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe -> v0527811.exe)
- PID 1924 wrote to memory of 1432 (320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe -> v0527811.exe)
- PID 1432 wrote to memory of 4656 (v0527811.exe -> v4475342.exe)
- PID 1432 wrote to memory of 4656 (v0527811.exe -> v4475342.exe)
- PID 1432 wrote to memory of 4656 (v0527811.exe -> v4475342.exe)
- PID 4656 wrote to memory of 4628 (v4475342.exe -> a5635110.exe)
- PID 4656 wrote to memory of 4628 (v4475342.exe -> a5635110.exe)
- PID 4656 wrote to memory of 3808 (v4475342.exe -> b6197124.exe)
- PID 4656 wrote to memory of 3808 (v4475342.exe -> b6197124.exe)
- PID 4656 wrote to memory of 3808 (v4475342.exe -> b6197124.exe)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
  Filesize: 377KB
  MD5: 878f8df81651618c7e35c01927551b6d
  SHA1: c1a79fe03a6666bf8a2a3f1a4a05b0a8861db5da
  SHA256: ddbd7b2892f6e74c0da50d8486ba0346dfde3b61eda85798a243fbcf94321afb
  SHA512: 02727b95e8446ee0eb735df2b138ab7445c85219a47ff58698cb0adb4e26f65699a03444dee572184c89baec92e0a493050a54e76c3b45d2b2c1d5296df69234
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
  Filesize: 206KB
  MD5: 71584bafa3bd041579db8adc5abd7ba4
  SHA1: b41011685b21716bda2b2a9f6986a5f265dd9f32
  SHA256: 97dbba7d1d29954415bbd3b3d30ac16b8ca4065da6b24e27a4b28f9840aff423
  SHA512: b4cb839d76bc48d41224dddec2e4bcd095f9a02b5d98ae877be6b63c067a3764c045aa754a2e04b3683fb5a9f77a631667176f61d39d910d32e1d6b0c2fff5e6
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
  Filesize: 11KB
  MD5: 6f3d82ba66b148340aaed46b2583e1d9
  SHA1: 531bca927a9375e1a0addcdb2fde53b52de5c24d
  SHA256: 816e9cec678fe3557dbb774e91184c35ba80eb5f7a9530350b5bd22013939b92
  SHA512: 801b34bbba36019b8da07cd4136e1ea0a9b034b43cd2e3d6cf86d1a10c522b3fe84062883ec21bdbe56ffe4650b6f45f02ea7dadfdf6589d19031b315d14b93e
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
  Filesize: 172KB
  MD5: dde03324bfbec204927e4a1859629c58
  SHA1: 874e6890fc637758c73d5b71783323f61a172b51
  SHA256: 2eb2230e4ed0793136fbfc14157c1878cce71d199948f4af61a43fb22fe135ea
  SHA512: 3c44e029ae0875c7adaa3cc8085bc4d4ef0ba084d8a961b973840e8146b5848d598b0e4de1dc8ee410ebf850beef742d64d95a0df768eac6ff159f7e11edd708
- memory/3808-159-0x0000000000D00000-0x0000000000D30000-memory.dmp (Filesize: 192KB)
- memory/3808-160-0x000000000B160000-0x000000000B778000-memory.dmp (Filesize: 6.1MB)
- memory/3808-161-0x000000000AC80000-0x000000000AD8A000-memory.dmp (Filesize: 1.0MB)
- memory/3808-162-0x000000000ABC0000-0x000000000ABD2000-memory.dmp (Filesize: 72KB)
- memory/3808-163-0x000000000AC20000-0x000000000AC5C000-memory.dmp (Filesize: 240KB)
- memory/3808-164-0x00000000055B0000-0x00000000055C0000-memory.dmp (Filesize: 64KB)
- memory/3808-165-0x00000000055B0000-0x00000000055C0000-memory.dmp (Filesize: 64KB)
- memory/4628-154-0x0000000000B70000-0x0000000000B7A000-memory.dmp (Filesize: 40KB)