Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    581KB

  • MD5

    c9968ef91ff9712743285c79271a7155

  • SHA1

    b2e293ef8276bd29c9751adabe6742b71735bf81

  • SHA256

    8dae5b41823c4d24ba663ff6141d0354a049ea034c0afaf8da86e66fe6740122

  • SHA512

    e10b439dbd64c2d0b74f1aca639638474d1d96a4310242779e5eab12c74e59faa61709e545d6b222b6da8c3a788550aefb108cde5b0e26e485558763c6566abf

  • SSDEEP

    12288:EMrpy90KdSwdNLtrOHVyUlw2U01gz2ojZbse89mLMQp4rNo9v:dyVdSwzpWJW10untb89oMQp4ri

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3524326.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3524326.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4913060.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4913060.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1977287.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1977287.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5012
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3898701.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3898701.exe
          4⤵
          • Executes dropped EXE
          PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3524326.exe
    Filesize

    377KB

    MD5

    cbc96be815d1507721794bf6c6ada894

    SHA1

    021ca78fffd47ca86ae797b02863f067a8009f2f

    SHA256

    ba362017ff950c39ebb2242d8ee44a8790557ec926ea8ddcd807a2bdfe6914ac

    SHA512

    14e012f931478314adcc16018433c77b768f1c3292fb85410fcdb5db95859d807e79585325a326daeb6da53157672c033d5007dd3534123bf18df59e3044454b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3524326.exe
    Filesize

    377KB

    MD5

    cbc96be815d1507721794bf6c6ada894

    SHA1

    021ca78fffd47ca86ae797b02863f067a8009f2f

    SHA256

    ba362017ff950c39ebb2242d8ee44a8790557ec926ea8ddcd807a2bdfe6914ac

    SHA512

    14e012f931478314adcc16018433c77b768f1c3292fb85410fcdb5db95859d807e79585325a326daeb6da53157672c033d5007dd3534123bf18df59e3044454b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4913060.exe
    Filesize

    206KB

    MD5

    53a9c4d3aba52eb9218778f09c9a6660

    SHA1

    d383091dffbe0e820a099e3e5cb8a8ceb06731a2

    SHA256

    2bbd1d9cb527447843871a4eb1b350f0de7764f22aa4c199bc8c3f5e11637591

    SHA512

    8a5333624efc8926b10f166272c8824eec75d66785dcf46c61d0c4431935fd24a585a908c1be02374138acd8b0bd2487d73c2c66f71202b00828ccac316f29f3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4913060.exe
    Filesize

    206KB

    MD5

    53a9c4d3aba52eb9218778f09c9a6660

    SHA1

    d383091dffbe0e820a099e3e5cb8a8ceb06731a2

    SHA256

    2bbd1d9cb527447843871a4eb1b350f0de7764f22aa4c199bc8c3f5e11637591

    SHA512

    8a5333624efc8926b10f166272c8824eec75d66785dcf46c61d0c4431935fd24a585a908c1be02374138acd8b0bd2487d73c2c66f71202b00828ccac316f29f3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1977287.exe
    Filesize

    11KB

    MD5

    0b16c5fb31b45cd17a6aee41a9719304

    SHA1

    31fe5b608a2d70b917ad9215acb0ce5e800a66e1

    SHA256

    05823cbe248e7eb0af93e05f7d5c0272ea92b3f2ca130392ade08b9b64d3ca99

    SHA512

    3946fe4691c28fc01ec222367de02b7f3a8ae21e8318dedc3de03636ccafd1fab60ce8d03d7658258011e59cd2f947b4d12732b7a740e0d660c53758601b15ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1977287.exe
    Filesize

    11KB

    MD5

    0b16c5fb31b45cd17a6aee41a9719304

    SHA1

    31fe5b608a2d70b917ad9215acb0ce5e800a66e1

    SHA256

    05823cbe248e7eb0af93e05f7d5c0272ea92b3f2ca130392ade08b9b64d3ca99

    SHA512

    3946fe4691c28fc01ec222367de02b7f3a8ae21e8318dedc3de03636ccafd1fab60ce8d03d7658258011e59cd2f947b4d12732b7a740e0d660c53758601b15ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3898701.exe
    Filesize

    172KB

    MD5

    199812cab0522fdeaf34b6f4bab5d203

    SHA1

    b688002c10482380b801e69ed0523678bf25e550

    SHA256

    a38c467b4c19079e5316e1aaec651d71dadc21b6c70c6a129349305b2c92cd3d

    SHA512

    e2d616b4173f397cfab9d69779b87f8fab175f7a890a07ddb87f2426c7a3ca7eabcf1d01e181f33c852db88270ec1aa265a78c4b3bc9c4bf32adec2788bc025a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3898701.exe
    Filesize

    172KB

    MD5

    199812cab0522fdeaf34b6f4bab5d203

    SHA1

    b688002c10482380b801e69ed0523678bf25e550

    SHA256

    a38c467b4c19079e5316e1aaec651d71dadc21b6c70c6a129349305b2c92cd3d

    SHA512

    e2d616b4173f397cfab9d69779b87f8fab175f7a890a07ddb87f2426c7a3ca7eabcf1d01e181f33c852db88270ec1aa265a78c4b3bc9c4bf32adec2788bc025a

    Download Submit
  • memory/1612-159-0x0000000000A70000-0x0000000000AA0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1612-160-0x000000000AE70000-0x000000000B488000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1612-161-0x000000000A9F0000-0x000000000AAFA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1612-162-0x000000000A930000-0x000000000A942000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-163-0x000000000A990000-0x000000000A9CC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1612-164-0x0000000002DE0000-0x0000000002DF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1612-165-0x0000000002DE0000-0x0000000002DF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5012-154-0x00000000003B0000-0x00000000003BA000-memory.dmp
    Filesize

    40KB

    Download