Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 21:52

Static task: static1
Behavioral task: behavioral1
Sample: 5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe
Resource: win10v2004-20230221-en
General
Target: 5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe
Size: 723KB
MD5: c86549610822ae7ef212b0e8787240d3
SHA1: a8005989483e998874b66b5d39ae2c17f1fd4f32
SHA256: 5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4
SHA512: 8a3fc68a4d682a702af65ccbb483cbda25cc7e1249926b57b2002a27b3614ae9fa5bec2d73ee19f45aa52bb1e888deaab349fae950c90bfe129d33efef9385a6
SSDEEP: 12288:sMrQy9067K78b+xREk54IdxzjiJrWRFKNZqzA5lik0zQCeq1IWYxTxmv1dDTe:syhW4b+xRP54IniyR8NZAnPQuIhnmbS
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
Attributes:
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
Processes: a9185972.exe, AppLaunch.exe
  process        description      ioc
  a9185972.exe   Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  AppLaunch.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  AppLaunch.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  AppLaunch.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  a9185972.exe   Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  a9185972.exe   Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  a9185972.exe   Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  a9185972.exe   Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  AppLaunch.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  AppLaunch.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  AppLaunch.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  a9185972.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Both processes write the Group Policy path (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...), which takes precedence over the preferences a user sets in the Windows Security app. The WOW6432Node entries are the same keys as seen through the 32-bit registry view of AppLaunch.exe, which here runs from the 32-bit C:\Windows\Microsoft.NET\Framework\ directory. With Tamper Protection enabled, Defender does not honour these edits, which the sample tries to get around by also setting Features\TamperProtection = "0" (Windows security modification, below).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v2475087.exe, v1357055.exe, v3170074.exe, a9185972.exe, b7951013.exe, c1557117.exe
  pid   process
  4856  v2475087.exe
  956   v1357055.exe
  2484  v3170074.exe
  3904  a9185972.exe
  408   b7951013.exe
  2328  c1557117.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 1 IoCs
Processes: a9185972.exe
  process       description      ioc
  a9185972.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
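The Defender policy writes and the TamperProtection write above are what a registry-event detection would key on. The following is an added example written for this page, not part of the sandbox output: it normalizes the native and WOW6432Node paths onto one key, parses the DWORD data, and flags only writes that actually disable a protection (Disable* = 1 under the policy key, TamperProtection = 0), so an administrator re-enabling a setting is not reported. The event records are constructed from this report's IoCs using Sysmon Event ID 13 (RegistryEvent: Value Set) field names; the image paths follow the report's process tree.

```python
"""Flag Sysmon registry writes that switch off Microsoft Defender protections.

Added example for this report, not part of the sandbox output. SAMPLE_EVENTS
is constructed to mirror the report's IoCs in Sysmon Event ID 13 field names.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Group Policy key that both a9185972.exe and AppLaunch.exe wrote to.
RTP_POLICY_KEY = r"software\policies\microsoft\windows defender\real-time protection"
# Value names under that key which disable a protection when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
# Key/value that a9185972.exe set to 0.
TAMPER_KEY = r"software\microsoft\windows defender\features"
TAMPER_VALUE = "tamperprotection"

_HIVE_PREFIXES = ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\")


def normalize_key(path: str) -> str:
    """Lower-case the path, drop the hive prefix and collapse the 32-bit
    WOW6432Node view onto the native path, so one rule covers both views."""
    p = path.lower()
    for prefix in _HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    return p.replace("wow6432node\\", "")


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; the sandbox report
    renders it as "1". Accept both and return None for anything else."""
    d = details.strip().strip('"')
    m = re.fullmatch(r"dword \(0x([0-9a-f]+)\)", d, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    return int(d) if d.isdigit() else None


@dataclass(frozen=True)
class Finding:
    image: str
    key: str
    value: str
    reason: str


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for one Event ID 13 record, or None if it is benign."""
    if ev.get("EventID") != 13:
        return None
    key, _, value = normalize_key(ev["TargetObject"]).rpartition("\\")
    data = parse_dword(ev.get("Details", ""))
    if key == RTP_POLICY_KEY and value in RTP_DISABLE_VALUES and data == 1:
        return Finding(ev["Image"], key, value, "real-time protection component disabled via policy key")
    if key == TAMPER_KEY and value == TAMPER_VALUE and data == 0:
        return Finding(ev["Image"], key, value, "Tamper Protection switched off")
    return None


def scan(events) -> list:
    return [f for f in map(check_event, events) if f is not None]


# Constructed sample: three writes taken from the report plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # An administrator re-enabling real-time monitoring: same key, value 0, not flagged.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # The wextract cleanup RunOnce entry from the same report: unrelated key, not flagged.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {f.reason} ({f.key}\\{f.value})")
```

Collapsing WOW6432Node onto the native path is the important design choice: a rule that only matches HKLM\SOFTWARE\Policies\... misses the writes made by the 32-bit AppLaunch.exe in this report, while a rule that matches on the value name alone fires on every re-enable.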
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe, v2475087.exe, v1357055.exe, v3170074.exe
  5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  v2475087.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  v1357055.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
  v3170074.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
The wextract_cleanupN values are the stock entries written by the Windows self-extractor (IExpress/wextract) that wraps each layer: at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction folder. They show that the sample is four nested self-extracting packages, not that the payload has been made persistent; a RunOnce entry runs once and this one only removes files.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b7951013.exe
  PID 408 (b7951013.exe) set thread context of PID 2120 (AppLaunch.exe)
Together with the five WriteProcessMemory calls from 408 into 2120 (below), this is the process-hollowing sequence: b7951013.exe starts the legitimate .NET host AppLaunch.exe, overwrites its memory and redirects its main thread. The Defender policy writes, SeDebugPrivilege use and process enumeration attributed to AppLaunch.exe in this report therefore come from injected code, not from the Microsoft binary itself.
Program crash 1 IoCs
Processes: WerFault.exe
  pid  pid_target  process       target process
  924  408         WerFault.exe  b7951013.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes: a9185972.exe, AppLaunch.exe, c1557117.exe
  pid   process        events
  3904  a9185972.exe   2
  2120  AppLaunch.exe  2
  2328  c1557117.exe   24
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a9185972.exe, AppLaunch.exe, c1557117.exe
  description               pid   process
  Token: SeDebugPrivilege   3904  a9185972.exe
  Token: SeDebugPrivilege   2120  AppLaunch.exe
  Token: SeDebugPrivilege   2328  c1557117.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe, v2475087.exe, v1357055.exe, v3170074.exe, b7951013.exe
  PID 1216 (5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe) wrote to memory of PID 4856 (v2475087.exe): 3 events
  PID 4856 (v2475087.exe) wrote to memory of PID 956 (v1357055.exe): 3 events
  PID 956 (v1357055.exe) wrote to memory of PID 2484 (v3170074.exe): 3 events
  PID 2484 (v3170074.exe) wrote to memory of PID 3904 (a9185972.exe): 2 events
  PID 2484 (v3170074.exe) wrote to memory of PID 408 (b7951013.exe): 3 events
  PID 408 (b7951013.exe) wrote to memory of PID 2120 (AppLaunch.exe): 5 events
  PID 956 (v1357055.exe) wrote to memory of PID 2328 (c1557117.exe): 3 events
Processes
(nested by parent process)

C:\Users\Admin\AppData\Local\Temp\5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe"
  PID: 1216
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
    PID: 4856
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
      PID: 956
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
        PID: 2484
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
          PID: 3904
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
          PID: 408
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2120
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 140
            PID: 924
            - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
        PID: 2328
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 408 -ip 408
  PID: 3016
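The WriteProcessMemory, SetThreadContext and process-tree sections above together describe a four-layer dropper chain that ends in code injected into AppLaunch.exe. As an added example written for this page (not part of the sandbox output), the script below rebuilds that chain from the report's write records and isolates the single parent/child pair that also shows a SetThreadContext call, which is what separates hollowing from the ordinary writes a parent makes into a child it has just created. The per-pair counts are transcribed from the WriteProcessMemory table; the LEGIT_HOSTS set is the editor's assumption, not something the report states.

```python
"""Rebuild the drop chain from a sandbox's WriteProcessMemory / SetThreadContext
records and single out the parent/child pair that looks like process hollowing.

Added example for this report, not part of the sandbox output. WRITES and
SET_THREAD_CONTEXT are transcribed from the report's signature tables,
aggregated to one entry per parent/child pair.
"""
from collections import defaultdict

# (writer pid, writer image, target pid, target image, number of write events)
WRITES = [
    (1216, "5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe", 4856, "v2475087.exe", 3),
    (4856, "v2475087.exe", 956, "v1357055.exe", 3),
    (956, "v1357055.exe", 2484, "v3170074.exe", 3),
    (2484, "v3170074.exe", 3904, "a9185972.exe", 2),
    (2484, "v3170074.exe", 408, "b7951013.exe", 3),
    (408, "b7951013.exe", 2120, "AppLaunch.exe", 5),
    (956, "v1357055.exe", 2328, "c1557117.exe", 3),
]
# (pid, target pid) pairs from the SetThreadContext table.
SET_THREAD_CONTEXT = [(408, 2120)]

# Editor's assumption: signed .NET framework hosts that are commonly chosen as
# hollowing targets because they ship with every Windows installation.
LEGIT_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe"}


def build_graph(writes):
    """Map each pid to the pids it wrote into, plus a pid -> image lookup."""
    children = defaultdict(list)
    image = {}
    for src_pid, src, dst_pid, dst, _ in writes:
        children[src_pid].append(dst_pid)
        image[src_pid] = src
        image[dst_pid] = dst
    return children, image


def drop_chains(writes):
    """Every root-to-leaf path through the write graph as 'parent > child > ...'."""
    children, image = build_graph(writes)
    targets = {dst_pid for _, _, dst_pid, _, _ in writes}
    roots = [pid for pid in image if pid not in targets]
    chains = []

    def walk(pid, path):
        path = path + [image[pid]]
        if pid not in children:          # leaf: nothing was written by this pid
            chains.append(" > ".join(path))
            return
        for child in children[pid]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


def injection_candidates(writes, set_thread_context):
    """Pairs that both received memory writes and had a thread context replaced.
    Writes alone are consistent with normal process creation in these logs;
    the SetThreadContext call is what marks the hollowing sequence."""
    ctx = set(set_thread_context)
    out = []
    for src_pid, src, dst_pid, dst, n in writes:
        if (src_pid, dst_pid) in ctx:
            out.append({
                "injector": f"{src} ({src_pid})",
                "host": f"{dst} ({dst_pid})",
                "writes": n,
                "legit_host": dst.lower() in LEGIT_HOSTS,
            })
    return out


def total_writes(writes):
    """Sanity check against the '22 IoCs' count in the report."""
    return sum(n for *_, n in writes)


if __name__ == "__main__":
    for chain in drop_chains(WRITES):
        print(chain)
    for c in injection_candidates(WRITES, SET_THREAD_CONTEXT):
        print(f"hollowing candidate: {c['injector']} -> {c['host']} "
              f"({c['writes']} writes, known host: {c['legit_host']})")
```

Run stand-alone, it prints the three root-to-leaf chains (ending in a9185972.exe, AppLaunch.exe and c1557117.exe) and one hollowing candidate, b7951013.exe (408) into AppLaunch.exe (2120). Note that c1557117.exe is a child of v1357055.exe (PID 956), not of the deepest layer, which the flat signature tables make easy to miss.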
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
Filesize: 523KB
MD5: 7078de8f4b0aef3fe57c363b69bd08a1
SHA1: 96f3efb3338b74f41d1c5eed0d0bc655cc7feb88
SHA256: 0567994c78abfdd58207ac7ca5c309bc27727729619af58279e006ef2e151e88
SHA512: 2c8500c22754e809011738c2fe821071f6783666201a98ad1bc5fe4368826bfbbb1a7ee4d27ba0affb7a9ea2e310c11ef575a2895858622269b292c6678f8d52
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
Filesize: 351KB
MD5: 8d59c327969a4c788af5e2eebb3e28f1
SHA1: 6d805f49f93a5833f0f736713d4ef041b08da39e
SHA256: 792323d38d8047c36b344260cd66edb7e38a9ba2cc848317bf5c50c69ffc6a25
SHA512: 8046709f902097e18fe175296e53712a3532f21273eeb347db552a58db45e84b7775cbd1450e8b59715598a04ef4fc8554593da1450af8eadb1e88fb26938007
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
Filesize: 172KB
MD5: f31b7094529b6ddd9618bcb09a11219b
SHA1: 721bfcfca35d6bc8f474651117d87922ed73db8d
SHA256: eeec80f1f1170f7f645ee90c737244779d1734271de1b0a044b02edf804e869c
SHA512: bdb37a9df1287f01b4cd450159b430ad37b04f89318ddafbb32f952963d47158e6dd087d216a4784c0e92a11a631d970bb2a9d1c51446ab5e86457d52adaf590
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
Filesize: 196KB
MD5: 4adcf57613455bd82d4d0eba2280e4a9
SHA1: dcae735a2ba43c923cd05ca196ce8c9265a190b6
SHA256: 04cd21d9152628e6b5dc519fd76113033263fa528952f359826cb543ef18cb6a
SHA512: 14e164c11b0870faeeb9e232bb577d014c6b15cf62aafa241d628cfe82012c5876b1206e2fa4b6a1ad579394cf27a465656e2d5c75be91428c5fc370a72b9ac3
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
Filesize: 14KB
MD5: 446c3070d46239bcfaed5863052c5fe3
SHA1: 03e97185c296e54176f82d53a2673fbf16d1e2a0
SHA256: f9124f1121f65723159ced95c08b1b398d078494724f335d49e6dd151edb2d9d
SHA512: 37795742d2c6d780ac03d4dcab8ebcfdb742acb3b5599c1add94fcf3a0d31852fb77aeb63ec1e70e9eb57e9cff1b558d2d363f8e15d9fe0fb831f1720160497e
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
Filesize: 100KB
MD5: 01b9394ac1a9d519f98e280be5a7e78b
SHA1: fdf3e291f10be0b5fef88cbaf469e5b4b8673263
SHA256: 01dba1d2b8ddc0a6a73c24e600086eb2984c538636f3db600d6a87cc282e2a80
SHA512: fd04ce55dc2c500cab49383f45082bacfad96acec9c29be94ab29c8db5a0698db7f9b507b92f430376db3f2d51ee141fca2511ef7519383665eb04c10f9e220f
-
memory dump                                                        size
memory/2120-167-0x0000000000400000-0x000000000040A000-memory.dmp  40KB
memory/2328-175-0x0000000000A20000-0x0000000000A50000-memory.dmp  192KB
memory/2328-181-0x00000000056F0000-0x0000000005766000-memory.dmp  472KB
memory/2328-176-0x00000000059E0000-0x0000000005FF8000-memory.dmp  6.1MB
memory/2328-177-0x00000000054D0000-0x00000000055DA000-memory.dmp  1.0MB
memory/2328-178-0x0000000005270000-0x0000000005282000-memory.dmp  72KB
memory/2328-179-0x0000000005400000-0x000000000543C000-memory.dmp  240KB
memory/2328-180-0x00000000052B0000-0x00000000052C0000-memory.dmp  64KB
memory/2328-189-0x00000000052B0000-0x00000000052C0000-memory.dmp  64KB
memory/2328-182-0x0000000005910000-0x00000000059A2000-memory.dmp  584KB
memory/2328-183-0x0000000005870000-0x00000000058D6000-memory.dmp  408KB
memory/2328-184-0x0000000006AA0000-0x0000000007044000-memory.dmp  5.6MB
memory/2328-185-0x00000000066F0000-0x00000000068B2000-memory.dmp  1.8MB
memory/2328-187-0x0000000008C70000-0x000000000919C000-memory.dmp  5.2MB
memory/2328-188-0x00000000069C0000-0x0000000006A10000-memory.dmp  320KB
memory/3904-161-0x00000000007D0000-0x00000000007DA000-memory.dmp  40KB