Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2023 05:07
Static task: static1
Behavioral task: behavioral1
Sample: f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe
Resource: win10v2004-20230220-en
General
Target: f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe
Size: 580KB
MD5: 7a95d8176babc8d4001f66751970388e
SHA1: 310ef01c2818c268356aba406e4734a37fb1de74
SHA256: f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413
SHA512: 90e2f77f59452a32e1df44404e46b06c183d0032ca73adb72a260b68fc81ed3ee944b9b69bea93cb2e5575bb5ed29bf6dde35fe9f10992bd56ae0c6b25f16906
SSDEEP: 6144:K3y+bnr+lp0yN90QElvZZ8PvdYJXuyLxyfD+zT7qk6S5z3zfd5IQqLVDTdfJAZs+:pMrpy90km9u6yb+X7/WVD/3EVQfMwa
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19046
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes: a7265545.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (a7265545.exe)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (a7265545.exe)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (a7265545.exe)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (a7265545.exe)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (a7265545.exe)
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  (a7265545.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes: v6716526.exe, v7821638.exe, a7265545.exe, b5051535.exe
PID 5112  v6716526.exe
PID 684   v7821638.exe
PID 812   a7265545.exe
PID 1344  b5051535.exe
Windows security modification 1 IoC
Processes: a7265545.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  (a7265545.exe)
Adds Run key to start application 2 TTPs 6 IoCs
Processes: f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe, v6716526.exe, v7821638.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe)
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (v6716526.exe)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (v6716526.exe)
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (v7821638.exe)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  (v7821638.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: a7265545.exe
PID 812  a7265545.exe
PID 812  a7265545.exe
Suspicious use of AdjustPrivilegeToken 1 IoC
Processes: a7265545.exe
Token: SeDebugPrivilege  PID 812  a7265545.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe, v6716526.exe, v7821638.exe
PID 2088 (f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe) wrote to memory of PID 5112 (v6716526.exe)
PID 2088 (f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe) wrote to memory of PID 5112 (v6716526.exe)
PID 2088 (f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe) wrote to memory of PID 5112 (v6716526.exe)
PID 5112 (v6716526.exe) wrote to memory of PID 684 (v7821638.exe)
PID 5112 (v6716526.exe) wrote to memory of PID 684 (v7821638.exe)
PID 5112 (v6716526.exe) wrote to memory of PID 684 (v7821638.exe)
PID 684 (v7821638.exe) wrote to memory of PID 812 (a7265545.exe)
PID 684 (v7821638.exe) wrote to memory of PID 812 (a7265545.exe)
PID 684 (v7821638.exe) wrote to memory of PID 1344 (b5051535.exe)
PID 684 (v7821638.exe) wrote to memory of PID 1344 (b5051535.exe)
PID 684 (v7821638.exe) wrote to memory of PID 1344 (b5051535.exe)
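The registry activity in the signatures above (the five Real-Time Protection policy values set to 1 and TamperProtection set to 0 by a7265545.exe, and the three wextract_cleanupN RunOnce entries written by the nested self-extractors) is the part of this report that translates most directly into a detection. The script below is an added example, not part of the sandbox output and not tooling from the sandbox vendor. It rebuilds the page's IoCs as Sysmon-style registry events (EventID 12 = key created, 13 = value set; the Image/ProcessId/TargetObject/Details field names are an assumed export shape) and runs three rules over them. Two caveats a practitioner should keep in mind: the rules see that the writes happened, not whether Defender honoured them, and the wextract_cleanupN entry is what every IExpress-built self-extractor registers (rundll32 advpack.dll,DelNodeRunDLL32 on its IXPnnn.TMP staging directory), so that rule alone is noisy; the tell in this sample is three staging directories nested one inside the next, which the last function counts.

```python
"""Detection logic for the registry activity in this report.

Added example: not part of the sandbox output. The events below are constructed
from the IoCs on this page in a Sysmon-like shape (EventID 12 = key created,
13 = value set); the Image/ProcessId/TargetObject/Details field names are an
assumption about the log export, not something the report provides.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Policy values under Real-Time Protection that disable part of Defender when set to 1.
DEFENDER_RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
TAMPER_PROTECTION = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# WExtract (IExpress) self-extractors register this RunOnce command to delete their
# IXPnnn.TMP staging directory. Benign IExpress packages write it too, so the rule is
# a weak signal on its own; several nested staging directories in one run are the tell.
WEXTRACT_CLEANUP = re.compile(
    r'rundll32\.exe\s+C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"',
    re.IGNORECASE,
)
IXP_DIR = re.compile(r"\\IXP(?P<n>\d{3})\.TMP\\?$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    pid: int
    target: str
    details: str


def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering of REG_DWORD data; None if not that form."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def normalize(path):
    """Map the NT-native key names the sandbox prints (REGISTRY\\MACHINE\\...) onto the
    HKLM/HKU form Sysmon logs, and drop WOW6432Node so 32-bit writers hit the same rule."""
    for nt, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(nt):
            path = hive + path[len(nt):]
    return re.sub(r"\\WOW6432Node", "", path, flags=re.IGNORECASE)


def check_event(ev):
    """Return a Finding for one registry event, or None when no rule matches."""
    if ev.get("EventID") != 13:  # only 'value set' events carry data to inspect
        return None
    target = normalize(ev["TargetObject"])
    key, _, value = target.rpartition("\\")
    details = ev.get("Details", "")
    if key.lower() == DEFENDER_RTP_POLICY.lower() and value in DEFENDER_RTP_DISABLE_VALUES \
            and dword(details) == 1:
        rule = "defender_rtp_disabled_via_policy"
    elif target.lower() == TAMPER_PROTECTION.lower() and dword(details) == 0:
        rule = "defender_tamper_protection_off"
    elif key.lower().endswith(r"\microsoft\windows\currentversion\runonce") \
            and WEXTRACT_CLEANUP.search(details):
        rule = "wextract_runonce_cleanup"
    else:
        return None
    return Finding(rule, ev["Image"], int(ev["ProcessId"]), target, details)


def analyze(events):
    return [f for f in map(check_event, events) if f is not None]


def rule_counts(findings):
    return dict(Counter(f.rule for f in findings))


def wextract_depth(findings):
    """Distinct IXPnnn.TMP staging directories scheduled for cleanup; more than one
    means self-extractors nested inside each other, as in this sample."""
    indices = set()
    for f in findings:
        if f.rule == "wextract_runonce_cleanup":
            d = IXP_DIR.search(WEXTRACT_CLEANUP.search(f.details).group("dir"))
            if d:
                indices.add(d.group("n"))
    return len(indices)


def _ev(eid, image, pid, target, details=""):
    return {"EventID": eid, "Image": image, "ProcessId": pid, "TargetObject": target, "Details": details}


RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP%s.TMP\"'

# Constructed from the IoCs on this page; the last event is a benign control (value reset to 0).
SAMPLE_EVENTS = [
    _ev(12, "a7265545.exe", 812, RTP),
    _ev(13, "a7265545.exe", 812, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _ev(13, "a7265545.exe", 812, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _ev(13, "a7265545.exe", 812, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    _ev(13, "f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe", 2088, RUNONCE + r"\wextract_cleanup0", CLEANUP % "000"),
    _ev(13, "v6716526.exe", 5112, RUNONCE + r"\wextract_cleanup1", CLEANUP % "001"),
    _ev(13, "v7821638.exe", 684, RUNONCE + r"\wextract_cleanup2", CLEANUP % "002"),
    _ev(13, "gpupdate.exe", 4444, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:34} pid={f.pid:<5} {f.image} -> {f.target}")
    print(rule_counts(found), "nested self-extractor levels:", wextract_depth(found))
```

The normalisation step matters in practice: the sandbox prints NT-native key names (\REGISTRY\MACHINE\...), Sysmon prints HKLM\..., and the 32-bit droppers here land under WOW6432Node, so a rule keyed on the literal path from one source misses the same write seen through another. Setting a Defender policy value to 0 (the control event) is not flagged, since that direction re-enables protection.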
Processes

1. C:\Users\Admin\AppData\Local\Temp\f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe (PID 2088)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe (PID 5112)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe (PID 684)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe (PID 812)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe (PID 1344)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe
Filesize: 377KB
MD5: 7177a061535db2bac66e1cb08466a712
SHA1: 4917d700b3571ed7c105a094e105e48815ea86d6
SHA256: d33a0ff6d6d88152a648117509ea99707bc527eeb0e9e77745e04d11925c633b
SHA512: ff6ec17a1056fd0eb70c6946ac0dbf84d100ca3d4d11dfc6d0a6284c7e1fd63095f8db8ae9fe61a3aa0718d7dfb216842a900bb2158a1b68f1a814e8ba0786fb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe
Filesize: 206KB
MD5: 32b8e33eb4661a1ae77f79c9222d7f6e
SHA1: 0a6bbeb5d86e293f789993e1adb2ddaef57769ef
SHA256: fa8face846204f1e36fad8c4c4b50b04322e463da9da14cfa8fe42fc2532ff7c
SHA512: ca454efd8d1f120b9be2d00eb1369d84a0fb902b86408eb7ad595dcaa6cc928df39126e704e95f739c4f040af68f8ab598f010e300ab3b12ac22471144539b26

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe
Filesize: 11KB
MD5: e3d7138cfc827d8e118dc9cd38ebe29f
SHA1: 114737f21a5ad482ea4622c64643139805b5dd4e
SHA256: 110592072c1ec7230e3b37d9aa59f99e04a64540a015d42903d5f96c3b354492
SHA512: d8df79d01af58228c4ffba79b6e74ff1621a8558be8f25106422fb235ff9455aa02a11b90846032d1403c9431f9a185709eef900f8f82a6139c978e8d4346303

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe
Filesize: 172KB
MD5: 83b56b018a9e3dd6b00dcdca3c79713f
SHA1: 8744e463c42ad3625f42c7348622fed5cc76cdfa
SHA256: 89ec01e0cf956f01c3252a04ee5158438888ef239635215ab5ebb5f222e83343
SHA512: 3f0800c3a8320fa454e9b82763f2abb3d76ddefba0747c6a9131db7d62c88a8017abd0087f9699861c3981929c05dd3e01c038326dae2e31478c1980f2d32ed5

memory/812-154-0x0000000000C40000-0x0000000000C4A000-memory.dmp
Filesize: 40KB

memory/1344-159-0x0000000000E90000-0x0000000000EC0000-memory.dmp
Filesize: 192KB

memory/1344-160-0x000000000B1F0000-0x000000000B808000-memory.dmp
Filesize: 6.1MB

memory/1344-161-0x000000000ACE0000-0x000000000ADEA000-memory.dmp
Filesize: 1.0MB

memory/1344-162-0x000000000AC10000-0x000000000AC22000-memory.dmp
Filesize: 72KB

memory/1344-163-0x000000000AC70000-0x000000000ACAC000-memory.dmp
Filesize: 240KB

memory/1344-164-0x0000000005840000-0x0000000005850000-memory.dmp
Filesize: 64KB

memory/1344-165-0x0000000005840000-0x0000000005850000-memory.dmp
Filesize: 64KB