Analysis
- max time kernel: 132s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 04:54
Static task: static1
Behavioral task: behavioral1
- Sample: 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe
- Resource: win10v2004-20230220-en
General
- Target: 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe
- Size: 581KB
- MD5: 9e03656968ab066f370c0b2f61f63918
- SHA1: e909cdbacfc9afecc0952033e04fc437d29c83bb
- SHA256: 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a
- SHA512: b097c69429a4358ee4cb6de53c738ae0ef72b1e8959fbae2a108493d4aa4794e6ad25b75cbc7fb89e7378082360051fb07be9a2f264cb56f6d4cae0315e03a99
- SSDEEP: 12288:HMryy90vJpvHjqfRpr+QCIcqIWHO4AR/2AfoAW3GvDg:ZymJpbqbyiIv3R/2Akog
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Process: a0843489.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes:
- PID 1724 v0747121.exe
- PID 3956 v3421983.exe
- PID 2776 a0843489.exe
- PID 4440 b9710854.exe
-
Windows security modification
Process: a0843489.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe, v0747121.exe, v3421983.exe
- 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
- v0747121.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- v0747121.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
- v3421983.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- v3421983.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
-
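The registry writes in the three signatures above (Defender Real-Time Protection policy values set to 1, Features\TamperProtection set to 0, and the RunOnce wextract_cleanup entries) can be turned into detection logic. The following is an added example of mine, not code from the sandbox report or from any tool it uses. The event list is constructed from this report's Signatures section, in the shape the report prints events, plus one constructed benign re-enable event as a negative case; the rule names are my own labels. The wextract_cleanupN values that point at IXP00N.TMP are what Microsoft's wextract/IExpress self-extractor registers so that its extraction directory is deleted at the next logon, so they identify each stage as an IExpress-style self-extracting package rather than true persistence.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input in the shape the report prints registry events:
# (process, operation, registry path, data). Data is None for key creation.
# The final setup.exe event is a constructed benign re-enable (negative case).
EVENTS = [
    ("a0843489.exe", "Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", None),
    ("a0843489.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring", "1"),
    ("a0843489.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection", "1"),
    ("a0843489.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection", "1"),
    ("a0843489.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "1"),
    ("a0843489.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable", "1"),
    ("a0843489.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    ("68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe", "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    ("v0747121.exe", "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    ("v3421983.exe", "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    ("setup.exe", "Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "0"),
]

# Key paths compared case-insensitively; the report mixes SOFTWARE/Software.
RTP_POLICY_KEY = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_FEATURES_KEY = r"\registry\machine\software\microsoft\windows defender\features"
WEXTRACT_RUNONCE = re.compile(r"\\currentversion\\runonce\\wextract_cleanup\d+$")
IXP_DIR = re.compile(r"IXP\d{3}\.TMP", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str      # my own labels, not the sandbox's signature names
    detail: str


def classify(event):
    """Map one registry event to a Finding, or None if it matches no rule."""
    process, operation, path, data = event
    if not operation.startswith("Set value"):
        return None                      # creating the key alone proves nothing
    lower = path.lower()
    parent, _, name = lower.rpartition("\\")
    value_name = path.rpartition("\\")[2]
    # Any Disable* policy under Real-Time Protection written as 1.
    if parent == RTP_POLICY_KEY and name.startswith("disable") and data == "1":
        return Finding(process, "defender_rtp_policy_disabled", value_name)
    # TamperProtection feature flag written as 0.
    if parent == DEFENDER_FEATURES_KEY and name == "tamperprotection" and data == "0":
        return Finding(process, "defender_tamper_protection_off", value_name)
    # wextract/IExpress cleanup entry: report the IXP directory it will delete.
    if WEXTRACT_RUNONCE.search(lower) and "delnoderundll32" in (data or "").lower():
        m = IXP_DIR.search(data)
        return Finding(process, "wextract_runonce_cleanup", m.group(0) if m else value_name)
    return None


def scan(events):
    return [f for f in map(classify, events) if f is not None]


def summarize(findings):
    """Findings per (process, rule). One process flipping every Real-Time
    Protection policy to 1 and the TamperProtection feature value to 0 is
    wholesale AV neutering, a much stronger signal than any single value."""
    return Counter((f.process, f.rule) for f in findings)


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.process}  {f.rule}  {f.detail}")
    print(summarize(scan(EVENTS)))
```

On a live host the same classify() can be fed from Sysmon Event ID 13 (RegistryEvent, value set); Sysmon prints keys with an HKLM\ prefix rather than \REGISTRY\MACHINE\, so the hive prefix has to be normalized first. The three wextract findings are not persistence and should be scored as "IExpress-packed stage" context, while the six Defender findings from a0843489.exe are the part worth alerting on.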
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 2776 a0843489.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- PID 2776 a0843489.exe: Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe, v0747121.exe, v3421983.exe
- PID 2828 (68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe) wrote to memory of PID 1724 (v0747121.exe), 3 writes
- PID 1724 (v0747121.exe) wrote to memory of PID 3956 (v3421983.exe), 3 writes
- PID 3956 (v3421983.exe) wrote to memory of PID 2776 (a0843489.exe), 2 writes
- PID 3956 (v3421983.exe) wrote to memory of PID 4440 (b9710854.exe), 3 writes
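The eleven WriteProcessMemory records above collapse to a four-level process chain: the submitted sample starts v0747121.exe, which starts v3421983.exe, which starts both a0843489.exe and b9710854.exe. The following is an added example of mine, not code from the report or the sandbox vendor, that parses records in exactly the printed shape, collapses repeated parent/child pairs into one edge while keeping the write count, and renders the tree with the same depth numbering the Processes section uses. The record lines are constructed from this report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the report's WriteProcessMemory records, one line
# per recorded write, in the shape the sandbox prints them.
RECORDS = """
PID 2828 wrote to memory of 1724 2828 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe v0747121.exe
PID 2828 wrote to memory of 1724 2828 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe v0747121.exe
PID 2828 wrote to memory of 1724 2828 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe v0747121.exe
PID 1724 wrote to memory of 3956 1724 v0747121.exe v3421983.exe
PID 1724 wrote to memory of 3956 1724 v0747121.exe v3421983.exe
PID 1724 wrote to memory of 3956 1724 v0747121.exe v3421983.exe
PID 3956 wrote to memory of 2776 3956 v3421983.exe a0843489.exe
PID 3956 wrote to memory of 2776 3956 v3421983.exe a0843489.exe
PID 3956 wrote to memory of 4440 3956 v3421983.exe b9710854.exe
PID 3956 wrote to memory of 4440 3956 v3421983.exe b9710854.exe
PID 3956 wrote to memory of 4440 3956 v3421983.exe b9710854.exe
""".strip().splitlines()

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse(lines):
    """Return (parent_of, names, writes): parent_of maps child PID -> parent PID,
    names maps PID -> image name, writes counts records per (parent, child) edge.
    Repeated records are the same edge seen several times, not several children."""
    parent_of, names, writes = {}, {}, Counter()
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        parent_of[dst] = src
        names[src], names[dst] = src_img, dst_img
        writes[(src, dst)] += 1
    return parent_of, names, writes


def children_of(parent_of):
    kids = defaultdict(list)
    for child, parent in parent_of.items():
        kids[parent].append(child)
    return kids


def roots(parent_of):
    """PIDs that wrote into others but were never written into: the chain origin."""
    return sorted(p for p in set(parent_of.values()) if p not in parent_of)


def depth(parent_of, pid):
    """1 for a root, +1 per ancestor; matches the level numbers in the report."""
    d = 1
    while pid in parent_of:
        pid = parent_of[pid]
        d += 1
    return d


def render(parent_of, names, writes):
    """Indented tree, one line per process, annotated with the write count
    from its parent so a stage with unusually many writes stands out."""
    kids = children_of(parent_of)
    lines = []

    def walk(pid, level):
        tag = f"{'   ' * level}{level + 1}. {names[pid]} (PID {pid})"
        if pid in parent_of:
            tag += f"  [{writes[(parent_of[pid], pid)]} write(s) from parent]"
        lines.append(tag)
        for child in sorted(kids[pid]):
            walk(child, level + 1)

    for root in roots(parent_of):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*parse(RECORDS))))
```

Two or three writes from a parent into a child it has just created is the ordinary footprint of process creation; the injection signal a practitioner looks for is a process writing into a PID that is not its own child, which this tree would expose as a second incoming edge for the same PID.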
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe (PID 2828)
   Command line: "C:\Users\Admin\AppData\Local\Temp\68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe (PID 1724)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe (PID 3956)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe (PID 2776)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe (PID 4440)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe
Filesize: 377KB
MD5: 879d9c8111457792b6d443a246002af8
SHA1: 4ef02c783a88f6ae72be0f42317fa77ec567b0e2
SHA256: 666a8d831670c080986de375ee01e0b76801798cc9c9df63bf7fa4a0d7f8420f
SHA512: 8827524d6e99475c674c50060cfb1cdaa951565a4b5ddc3023ae60271bab85a13a95536b6622e610edc22cc80a761572d75219d599808abc16aad26585712740
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe
Filesize: 206KB
MD5: e693be6be05e17666a81136784861564
SHA1: 9fde46a71017b39dc4c0d4eb0445cfb55a323a48
SHA256: 96bc23a76ceb0a1126424acbb1c6838dcce34a56699a6fab7c8058473538e400
SHA512: 9e070607814b2cebf429a5a95c3093fd7a132c4aeb542cd261ca8f271502656d65ffe56c16b1830a8776b060488cef4110ef1bc1e924ff7bb576242dfbb93a9e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe
Filesize: 11KB
MD5: 0c3d377a0c6e48ada16a67496e1fae1a
SHA1: cd6e88b40eb74a61c3cc39f2aa571ce9a5dad422
SHA256: cfd5f8ce02d6d06bcaa69e1a325696c6e6b5febddfbfccfe58cf51c7d2615ec4
SHA512: b650fcc6fb98fa024b1f8a27904f8d1a65bff69e106e3cc48693ab653daa131c2e956933baf67b87f6edab0e50befbd40c3b3885a21d94c009e5ab4c51a75fb2
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe
Filesize: 172KB
MD5: 3ebdd642cb8a6d07a77616327a189e34
SHA1: fdb08eb338481697fab10b4dc76c6383ad5d2111
SHA256: f6497ebb5b6d074f79235e9b70f1e922b2cd9dca581fb744ddca8d1eb3b5aa1c
SHA512: 3ee38604d0d98e6798016e87a625111450273fe44bbf255290bd263226ca88b8975006a7f635ceb49b0470266763d77137bf1f6eded8aa324996cd37c2f7c76b
-
memory/2776-154-0x00000000002C0000-0x00000000002CA000-memory.dmp
Filesize: 40KB
-
memory/4440-159-0x0000000000B60000-0x0000000000B90000-memory.dmp
Filesize: 192KB
-
memory/4440-160-0x000000000AFC0000-0x000000000B5D8000-memory.dmp
Filesize: 6.1MB
-
memory/4440-161-0x000000000AAE0000-0x000000000ABEA000-memory.dmp
Filesize: 1.0MB
-
memory/4440-162-0x000000000AA20000-0x000000000AA32000-memory.dmp
Filesize: 72KB
-
memory/4440-163-0x000000000AA80000-0x000000000AABC000-memory.dmp
Filesize: 240KB
-
memory/4440-164-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize: 64KB
-
memory/4440-165-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize: 64KB