Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 07:21

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: file.exe, resource: win7-20230220-en)
- Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20230220-en)
General
- Target: file.exe
- Size: 580KB
- MD5: 2eb76d4e6e7c584147d0b573573a81e1
- SHA1: 267520fc7483b4932cb2491fd4acf471b137d227
- SHA256: 815481e49866ad19d437c62da9f6dd94761cb0644f19d8e2f5248e52b63edd89
- SHA512: 2a2a6fe5fd63a9deda1963551b47ff0360cc2202d8173e9abf7c8b569e22df1de4a0d8fceae4b423b33e110bd8ab7eabbde5762c3ed7588644a0a9f28271aec5
- SSDEEP: 12288:zMrxy90htVdtsh2w7KnDuAcdr8G2RKnGAzTuvzT16yBm:ayq3tsh2w2nJciRRaGIyvv17U
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19046
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes: a1913767.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (a1913767.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a1913767.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a1913767.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a1913767.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a1913767.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a1913767.exe)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 4 IoCs
Processes: v5259303.exe, v7482734.exe, a1913767.exe, b8312136.exe
- PID 3348: v5259303.exe
- PID 4564: v7482734.exe
- PID 4520: a1913767.exe
- PID 4236: b8312136.exe

Windows security modification 1 IoCs
Processes: a1913767.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (a1913767.exe)

Adds Run key to start application 2 TTPs 6 IoCs
Processes: file.exe, v5259303.exe, v7482734.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (file.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (file.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v5259303.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v5259303.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (v7482734.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (v7482734.exe)

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: a1913767.exe
- PID 4520: a1913767.exe
- PID 4520: a1913767.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: a1913767.exe
- Token: SeDebugPrivilege, PID 4520 (a1913767.exe)

Suspicious use of WriteProcessMemory 11 IoCs
Processes: file.exe, v5259303.exe, v7482734.exe
- PID 4816 wrote to memory of 3348 (file.exe -> v5259303.exe)
- PID 4816 wrote to memory of 3348 (file.exe -> v5259303.exe)
- PID 4816 wrote to memory of 3348 (file.exe -> v5259303.exe)
- PID 3348 wrote to memory of 4564 (v5259303.exe -> v7482734.exe)
- PID 3348 wrote to memory of 4564 (v5259303.exe -> v7482734.exe)
- PID 3348 wrote to memory of 4564 (v5259303.exe -> v7482734.exe)
- PID 4564 wrote to memory of 4520 (v7482734.exe -> a1913767.exe)
- PID 4564 wrote to memory of 4520 (v7482734.exe -> a1913767.exe)
- PID 4564 wrote to memory of 4236 (v7482734.exe -> b8312136.exe)
- PID 4564 wrote to memory of 4236 (v7482734.exe -> b8312136.exe)
- PID 4564 wrote to memory of 4236 (v7482734.exe -> b8312136.exe)
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5259303.exe (PID 3348)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5259303.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7482734.exe (PID 4564)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7482734.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1913767.exe (PID 4520)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1913767.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8312136.exe (PID 4236)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8312136.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads