Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 05:44

Static task: static1
Behavioral task: behavioral1
Sample: 0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe
Resource: win10v2004-20230220-en
General
- Target: 0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe
- Size: 580KB
- MD5: ccc295c80487159aee8aa637fd6ebdee
- SHA1: 1123e190199f2f7760ff7f046375ba0865202f5d
- SHA256: 0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d
- SHA512: 8664a1dca420a5816788251076818edf47ea2795490fe9e843bf4f5b81fb6046baaa81cbd1a8f3b17fc386b711d92458e6d8e75e7502f1833bf33d6cc5d3d132
- SSDEEP: 12288:MMrjy90HGR2AZK9N7peW6vH7GzeynPo9K4ejwiMPja99L6P:nyrA9udvbGxP1BjPcjaf6P
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a7924477.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a7924477.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a7924477.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (a7924477.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a7924477.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a7924477.exe)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes:
- PID 2884: v2881533.exe
- PID 1564: v1904183.exe
- PID 3260: a7924477.exe
- PID 4600: b0560022.exe
-
Windows security modification
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (a7924477.exe)
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v2881533.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v2881533.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v1904183.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (v1904183.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 3260: a7924477.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 3260: a7924477.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- PID 1644 (0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe) wrote to memory of PID 2884 (v2881533.exe) (3 entries)
- PID 2884 (v2881533.exe) wrote to memory of PID 1564 (v1904183.exe) (3 entries)
- PID 1564 (v1904183.exe) wrote to memory of PID 3260 (a7924477.exe) (2 entries)
- PID 1564 (v1904183.exe) wrote to memory of PID 4600 (b0560022.exe) (3 entries)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  -
    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    -
      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      -
      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
Filesize: 377KB
MD5: c247c64d797d85f624c1aa797b3dd6d8
SHA1: 4496837681ce64fb88cec768ff9e387c1660db28
SHA256: a655f0f80001b6432cb9dbd5088a5204111d2f5a5ffb0aa3e2d94361e81dc4a4
SHA512: 45d09fc1051b94b8197f327dcaa77fe248ced67f8c94bd91c31d72c2a50fa069bd3c4ec3053bc4fd2b43bd45cc9c0152c947515bece8b8b3d31084bcf5ba07cb
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
Filesize: 206KB
MD5: e3bafea044dc2e31bcbe0b590f10617f
SHA1: 33f940902fcc2a689fc7e5c9e1361c5841722716
SHA256: 67962d445b4877dc79431f74104ffbdf24335d6dd676ecb3006f22c39b530691
SHA512: c29756cfa30388921b6a519d7e3a92498842d6ef975a86401aa0627a071dd59ee08a2e7131e9a8213953997ac88f7091cc08ec0d82b8aadd425472099c8a042a
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
Filesize: 11KB
MD5: fed3fc5119323be877430895793469d1
SHA1: 754ba2357aa430cb263705ef8e142a1a5c459a69
SHA256: c633e8a3f6ceea3aff642f715fe4406d545cc5ac555ed9089eff504559e895a9
SHA512: 1da905d88db793069220a3491baf869515b6cb73c123e5996d6a33163e8f9e2f31bd9c90b029c4c91a418f90cc8191c35df27a679acbdde4b151bacc3f801bb9
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
Filesize: 172KB
MD5: 212c8a24c47c593cb8a32ed89cc02204
SHA1: 31d359474b5358002d96c04797c50a9fbd19c964
SHA256: a67f254061283cbaf1e433bf16cb05f93d328f2a1ac1a0345b59924943372a89
SHA512: 28e317637fcd8c6efffc443fa302243bf6cc4f205fcd554d35ed424e7fcd4286c5752d19f9fe4d6b8d8405b7b151d32e996a9b2ba7ff62d59dacee5b031ce56c
-
memory/3260-154-0x0000000000AF0000-0x0000000000AFA000-memory.dmp
Filesize: 40KB
-
memory/4600-159-0x00000000007B0000-0x00000000007E0000-memory.dmp
Filesize: 192KB
-
memory/4600-160-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
Filesize: 6.1MB
-
memory/4600-161-0x000000000A730000-0x000000000A83A000-memory.dmp
Filesize: 1.0MB
-
memory/4600-162-0x000000000A670000-0x000000000A682000-memory.dmp
Filesize: 72KB
-
memory/4600-163-0x0000000005230000-0x0000000005240000-memory.dmp
Filesize: 64KB
-
memory/4600-164-0x000000000A6D0000-0x000000000A70C000-memory.dmp
Filesize: 240KB
-
memory/4600-165-0x0000000005230000-0x0000000005240000-memory.dmp
Filesize: 64KB