Analysis
- max time kernel: 138s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-06-2023 22:02
Static task: static1
Behavioral task: behavioral1
Sample: 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe
Resource: win10v2004-20230220-en
General
- Target: 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe
- Size: 725KB
- MD5: 65147028cbd2fb76483618a895dfcfab
- SHA1: 0c778ba9334ddeb7b264e5ed70d55e131e000e21
- SHA256: 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28
- SHA512: 3619e2d604ffe31932afb03f3403be13a0e37a22212be8c64f071ab315a8d30f706f9ec43092ea8d543a5095470feb14ff36d8e322982eae94b8ba1f0c7f4756
- SSDEEP: 12288:VMrcy90xOQLIlbALJTrSGNRCfsSbQnddtcDWuSRh4MQn8EMEwZW/09VGyY:dySL9NvNRCUSbQDtcjSRhXAloQ
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: a3028796.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3028796.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a3028796.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a3028796.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a3028796.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a3028796.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a3028796.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v1281252.exe, v9014398.exe, v9902533.exe, a3028796.exe, b4207974.exe, c6527552.exe
pid | process
3564 | v1281252.exe
4620 | v9014398.exe
2296 | v9902533.exe
3440 | a3028796.exe
1528 | b4207974.exe
2732 | c6527552.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes: a3028796.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3028796.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe, v1281252.exe, v9014398.exe, v9902533.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1281252.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1281252.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9014398.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v9014398.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9902533.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v9902533.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b4207974.exe
description | pid | process | target process
PID 1528 set thread context of 3520 | 1528 | b4207974.exe | AppLaunch.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2896 | 1528 | WerFault.exe | b4207974.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: a3028796.exe, AppLaunch.exe, c6527552.exe
pid | process
3440 | a3028796.exe (2 entries)
3520 | AppLaunch.exe (2 entries)
2732 | c6527552.exe (22 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a3028796.exe, AppLaunch.exe, c6527552.exe
description | pid | process
Token: SeDebugPrivilege | 3440 | a3028796.exe
Token: SeDebugPrivilege | 3520 | AppLaunch.exe
Token: SeDebugPrivilege | 2732 | c6527552.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe, v1281252.exe, v9014398.exe, v9902533.exe, b4207974.exe
description | pid | process | target process
PID 852 wrote to memory of 3564 | 852 | 1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe | v1281252.exe (3 entries)
PID 3564 wrote to memory of 4620 | 3564 | v1281252.exe | v9014398.exe (3 entries)
PID 4620 wrote to memory of 2296 | 4620 | v9014398.exe | v9902533.exe (3 entries)
PID 2296 wrote to memory of 3440 | 2296 | v9902533.exe | a3028796.exe (2 entries)
PID 2296 wrote to memory of 1528 | 2296 | v9902533.exe | b4207974.exe (3 entries)
PID 1528 wrote to memory of 3520 | 1528 | b4207974.exe | AppLaunch.exe (5 entries)
PID 4620 wrote to memory of 2732 | 4620 | v9014398.exe | c6527552.exe (3 entries)
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1d6b0e940f7b36bf6b05be50ac932c7f105362f8beea72d3c2e164ed2e31de28.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1281252.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1281252.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Process (depth 3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9014398.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9014398.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9902533.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9902533.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3028796.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3028796.exe
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4207974.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4207974.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Process (depth 6): C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 148
- Program crash
-
Process (depth 4): C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6527552.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6527552.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 1): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1528 -ip 1528
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1281252.exe
Filesize 524KB
MD5 6047d275890e7e077d22436624843ce7
SHA1 bbb4350c589aa21571ac98ad3d404064a62e8d24
SHA256 151636a0424ff1527bc3630437fa78a2196f1d1d1eac3f352223c3489f22908c
SHA512 41443067ea41a41dc3cdce4a02f56c0f31b3a588dd77641a94534f99cc5216b5c859c2c89367e4c3c7d8804763f69d56f5da726ff2d2dceee0af9667caa19875
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9014398.exe
Filesize 352KB
MD5 bdc4692d32838aceeb5c97d9eaf1ec8d
SHA1 65098ba1905b7ad87f5b7f96bcbe3b8abb096239
SHA256 63a4b8ec66e17ee8040fd3104c1c0ef36c273cb2a2599fdb493a36b1abdc86a7
SHA512 242cdde071953fc81455db027796332da6a4f690688dae9e01ec9d0049dd19009131c7a912517d1ac39c4bc267acba6b9726b24a496cd563d7dd5da5469e2f50
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6527552.exe
Filesize 172KB
MD5 957d55727cf2ecec04bf167b4dbece56
SHA1 d4f2e68a548615317846fe48ac0b81c3e113888f
SHA256 a9c65301a7dbfed799a0d658289fea604664e8fb02ef383247c3e13928689c86
SHA512 d7e2d8c917eca193e8606a5de5e14df3e1be8736a3f532060eeea57f5ed9277f6308e763c303f14fa71c22a771b005d0c8dc8519a79ac4bf42ec8f5b63e9647f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9902533.exe
Filesize 197KB
MD5 77c231d3f10994d263bd4dbda4692727
SHA1 1ec8cfa816fb79253f6bb082d6249cc16787b2ae
SHA256 f1d75c2d905ada90a3165b7720adb51d73235b647fcf99c6dacbcdc92b998dbb
SHA512 2bfd9826402901bb9469cb6b1629c085b11ca1061f3126ffa3e6e57751b5c2607f1602f8d24d1c90013f1ea04e5917096e65c5f720cb6ae02ad4b6b1e807e01c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3028796.exe
Filesize 14KB
MD5 fdc36cb0073e1c341463117b77a8827b
SHA1 ab445e49d3c8e62a33b6712de4bbd4f1534d822a
SHA256 6cdbacaf978215d5a6e6bd35560696912a717d79458cf72b07e0e26e51621b6c
SHA512 5e99504860b8ae1086b0ab3c7c8dfd3f889eab3184f23472e05bac26d4371ac5d7848856e8fd8ea9f9bdb8ec909d5e071653ccf10ae55d084f1cf0bc2772a529
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4207974.exe
Filesize 100KB
MD5 816ef8ec4daa8412fdea36f947ff2773
SHA1 cf8459d44dce91cf69ba0bf11d0ec888e45b5d50
SHA256 ba376fc6c8eeffd7e79de6cb5d73fcc42688874c55aac262c43672f3c925561a
SHA512 7aa7f43e4f42fbaa8c97a4c60bd73d30f6a3ef8a32861fe45d3d643d6d369467977a172c475e93572a2fe0f1b4dd817826cd27fba10d0ae79af563693dac9833
-
memory/2732-175-0x0000000000F00000-0x0000000000F30000-memory.dmp
Filesize 192KB
-
memory/2732-180-0x000000000AE20000-0x000000000AE5C000-memory.dmp
Filesize 240KB
-
memory/2732-189-0x0000000005860000-0x0000000005870000-memory.dmp
Filesize 64KB
-
memory/2732-176-0x000000000B310000-0x000000000B928000-memory.dmp
Filesize 6.1MB
-
memory/2732-177-0x000000000AE80000-0x000000000AF8A000-memory.dmp
Filesize 1.0MB
-
memory/2732-178-0x000000000ADC0000-0x000000000ADD2000-memory.dmp
Filesize 72KB
-
memory/2732-179-0x0000000005860000-0x0000000005870000-memory.dmp
Filesize 64KB
-
memory/2732-188-0x000000000BF30000-0x000000000BF80000-memory.dmp
Filesize 320KB
-
memory/2732-181-0x000000000B130000-0x000000000B1A6000-memory.dmp
Filesize 472KB
-
memory/2732-182-0x000000000B250000-0x000000000B2E2000-memory.dmp
Filesize 584KB
-
memory/2732-183-0x000000000BFE0000-0x000000000C584000-memory.dmp
Filesize 5.6MB
-
memory/2732-184-0x000000000BA30000-0x000000000BA96000-memory.dmp
Filesize 408KB
-
memory/2732-185-0x000000000C590000-0x000000000C752000-memory.dmp
Filesize 1.8MB
-
memory/2732-186-0x000000000CC90000-0x000000000D1BC000-memory.dmp
Filesize 5.2MB
-
memory/3440-161-0x0000000000600000-0x000000000060A000-memory.dmp
Filesize 40KB
-
memory/3520-167-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize 40KB