Analysis
- max time kernel: 134s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 05:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
- Resource: win10v2004-20230220-en
General
- Target: 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
- Size: 580KB
- MD5: 19c711525b964c991eaf9fe8eed69a12
- SHA1: d7bc63204ad4cc573e0a5ca3c73019dcb487e271
- SHA256: 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d
- SHA512: 03517ec1afe0625c1509711f455982cf426def548b01880642d0d1b3cc44c128dd4f2c4030241a41531397e5a4a8fdcd70a6a0db63424a8a6e5afc2da1191a46
- SSDEEP: 12288:kMrny90xiMvqGV54haox/6quvWq1g5o/ya0ClA:7y2lPqnoWSx/A
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: a8936623.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a8936623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a8936623.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a8936623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a8936623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a8936623.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a8936623.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
Processes: v6117734.exe, v7654277.exe, a8936623.exe, b4385635.exe
pid | process
3080 | v6117734.exe
4960 | v7654277.exe
5012 | a8936623.exe
1388 | b4385635.exe
-
Windows security modification
Processes: a8936623.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a8936623.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe, v6117734.exe, v7654277.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6117734.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v6117734.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7654277.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v7654277.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: a8936623.exe
pid | process
5012 | a8936623.exe
5012 | a8936623.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: a8936623.exe
description | pid | process
Token: SeDebugPrivilege | 5012 | a8936623.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe, v6117734.exe, v7654277.exe
description | pid | process | target process
PID 4896 wrote to memory of 3080 | 4896 | 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe | v6117734.exe
PID 4896 wrote to memory of 3080 | 4896 | 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe | v6117734.exe
PID 4896 wrote to memory of 3080 | 4896 | 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe | v6117734.exe
PID 3080 wrote to memory of 4960 | 3080 | v6117734.exe | v7654277.exe
PID 3080 wrote to memory of 4960 | 3080 | v6117734.exe | v7654277.exe
PID 3080 wrote to memory of 4960 | 3080 | v6117734.exe | v7654277.exe
PID 4960 wrote to memory of 5012 | 4960 | v7654277.exe | a8936623.exe
PID 4960 wrote to memory of 5012 | 4960 | v7654277.exe | a8936623.exe
PID 4960 wrote to memory of 1388 | 4960 | v7654277.exe | b4385635.exe
PID 4960 wrote to memory of 1388 | 4960 | v7654277.exe | b4385635.exe
PID 4960 wrote to memory of 1388 | 4960 | v7654277.exe | b4385635.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [level 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [level 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
Filesize: 377KB
MD5: 2656ce02ab97758d4f3261584475def5
SHA1: 5a97fcea90a1742e8765af601651e9c174921a15
SHA256: 396651fe6e371c338b69dd2b6b1f7d61615fe592c1ed3b0cde167c29ed75772e
SHA512: 93d1b0ca83d1d8f1c29607d681622c5cdf9e5889a782c2d80823e53fef0c2822afa91cd562c23ba66bf2aa876315c5128f0550e8280d39fa944947d4eb2bb453
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
Filesize: 206KB
MD5: bd57323dabdb22117c6102710112e7c2
SHA1: 529093c3265b67a7cda4f6478adeb679baef6c9b
SHA256: 914888564389e2c56591c3566e43d103e55c30c7bc7c9d551d42c6677111edb3
SHA512: e762889f3f3b98bb861f2366ad68f979f089414d718c6b68424bbd8ce008a710c0bd97ccd83d5e4bbe2a013998d944667c3ad9abc9b368683e66df90c48fe1ca
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
Filesize: 11KB
MD5: 46bc2ec112e6603454761cd76c2be6d6
SHA1: 199ebea81a631d64f040611b39c740200e7154a9
SHA256: a41e61463876c72d1b78617a3757a6ca22f79915223bddf2dc8546b1710e11c7
SHA512: ed53a574c7aa346fb92069502ceb8e329b4eb4e3af7ba7f48042db85de26d54281caae09e6c7e50dc2a2774dde80a797e4090739b46d561626ef425bcfaa9988
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
Filesize: 172KB
MD5: 386b283293ed127e2efc5b9791d41bd1
SHA1: acfe016cd8ed6b6c98e0d7eec1ccad566a8a1508
SHA256: 072afaa7e08dc010741848d0487d5c63d8b2ffa8ab860ed1c7dfb584db06437b
SHA512: 1b21f37491a76b75a183764b6838f641edd8286c6ae2af2e186c4a7cd033a08d5f501bb18edaa7d88f0c7cc115a796aa86c69eaba32266e1c7dc3d2e76141e21
-
memory/1388-159-0x00000000005A0000-0x00000000005D0000-memory.dmp
Filesize: 192KB
-
memory/1388-160-0x000000000AA20000-0x000000000B038000-memory.dmp
Filesize: 6.1MB
-
memory/1388-161-0x000000000A520000-0x000000000A62A000-memory.dmp
Filesize: 1.0MB
-
memory/1388-162-0x000000000A460000-0x000000000A472000-memory.dmp
Filesize: 72KB
-
memory/1388-163-0x000000000A4C0000-0x000000000A4FC000-memory.dmp
Filesize: 240KB
-
memory/1388-164-0x0000000005070000-0x0000000005080000-memory.dmp
Filesize: 64KB
-
memory/1388-165-0x0000000005070000-0x0000000005080000-memory.dmp
Filesize: 64KB
-
memory/5012-154-0x00000000007A0000-0x00000000007AA000-memory.dmp
Filesize: 40KB