Analysis

- max time kernel: 159s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 03:32

Static task: static1
Behavioral task: behavioral1
- Sample: 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe
- Resource: win10v2004-20230220-en
General

- Target: 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe
- Size: 735KB
- MD5: 70b52288025114add1c4e6b42f84c0bb
- SHA1: e7fc0921f0b4443e32903383f775a60269a5f1c3
- SHA256: 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a
- SHA512: c59a4c64563b895b88d89618431d3ebf89a22b6bcf1ca0b91d4e969c08883c7d7421f7944c4922a987d94a68ea350805b8ffc091813b907fdc8209e1eec26a43
- SSDEEP: 12288:MMrgy90Fvs8R2S6b65afKr1fd9tFKwbG61As0DUZIeIhBCAEXPJxIHYTuHiuvVW:8yUdR2rMBfdrNiNeIuPfwHYTiw
Malware Config

Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
Processes: a5975713.exe, AppLaunch.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5975713.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5975713.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5975713.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5975713.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5975713.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5975713.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe

Two processes write the same five policy values: a5975713.exe (PID 4876) through the native view of the key, and AppLaunch.exe (PID 1752, the 32-bit CLR host from Framework rather than Framework64, hollowed by b8173177.exe) through the WOW6432Node view. A detection should fold the two views together rather than treating them as separate indicators. The rows record the registry writes, not their effect: on a host with Tamper Protection enabled, Defender ignores these Policies values, which is why the same sample also tries to clear the TamperProtection feature flag (see Windows security modification below).
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v4144848.exe, v5476553.exe, v3022194.exe, a5975713.exe, b8173177.exe, c4692091.exe
pid | process
- 3928 | v4144848.exe
- 3384 | v5476553.exe
- 3352 | v3022194.exe
- 4876 | a5975713.exe
- 2468 | b8173177.exe
- 3860 | c4692091.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
Processes: a5975713.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5975713.exe
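A detection check for the Defender writes in this table and in the Real-time Protection table above, written in Python as an added example; it is not part of the sandbox report and not RedLine's code. The "process | operation | path = value" event format, the sample events (a constructed copy of the report's rows plus two benign writes) and all function names are assumptions made for the example; a Sysmon Event ID 13 or EDR registry event would be mapped onto the same three fields first.

```python
"""Flag Windows Defender tampering in registry-write events (added example)."""
from dataclasses import dataclass

# Real-Time Protection policy values that disable Defender when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableonaccessprotection",
    "disableioavprotection",
    "disablescanonrealtimeenable",
}
RTP_KEY = "software\\policies\\microsoft\\windows defender\\real-time protection"
# Features\TamperProtection is the reverse: 0 means tamper protection off.
TP_KEY = "software\\microsoft\\windows defender\\features"
HIVE_PREFIXES = ("\\registry\\machine\\", "hklm\\")


@dataclass(frozen=True)
class Finding:
    process: str
    name: str   # value name as written
    view: str   # "native" or "wow64" (written through the WOW6432Node view)


def normalise_key(key):
    """Lower-case, drop the hive prefix and fold the WOW6432Node view into
    the native path so 32- and 64-bit writers hit the same rule."""
    k = key.lower()
    for prefix in HIVE_PREFIXES:
        if k.startswith(prefix):
            k = k[len(prefix):]
            break
    view = "native"
    if "\\wow6432node" in k:
        k = k.replace("\\wow6432node", "", 1)
        view = "wow64"
    return k, view


def parse_event(line):
    """Split 'proc | op | path = "value"'; 'Key created' rows carry no value."""
    proc, op, rest = (part.strip() for part in line.split("|", 2))
    if op.lower().startswith("set value"):
        path, _, value = rest.rpartition(" = ")
        return proc, path.strip(), value.strip().strip('"')
    return proc, rest, None


def check_event(line):
    proc, path, value = parse_event(line)
    if value is None:
        return None
    key, _, name = path.rpartition("\\")
    key, view = normalise_key(key)
    if key == RTP_KEY and name.lower() in RTP_DISABLE_VALUES and value == "1":
        return Finding(proc, name, view)
    if key == TP_KEY and name.lower() == "tamperprotection" and value == "0":
        return Finding(proc, name, view)
    return None


def scan(lines):
    """Return one Finding per tampering write, in input order."""
    return [f for f in map(check_event, lines) if f is not None]


# Constructed sample: the report's Defender rows plus two benign writes
# (a RunOnce key creation and a value that re-enables monitoring).
_RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
_RTP32 = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
_NAMES = ("DisableBehaviorMonitoring", "DisableOnAccessProtection",
          "DisableScanOnRealtimeEnable", "DisableIOAVProtection",
          "DisableRealtimeMonitoring")
SAMPLE_EVENTS = (
    ["a5975713.exe | Key created | " + _RTP.rstrip("\\")]
    + [f'a5975713.exe | Set value (int) | {_RTP}{n} = "1"' for n in _NAMES]
    + ["AppLaunch.exe | Key created | " + _RTP32.rstrip("\\")]
    + [f'AppLaunch.exe | Set value (int) | {_RTP32}{n} = "1"' for n in _NAMES]
    + ['a5975713.exe | Set value (int) | \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0"',
       "v4144848.exe | Key created | \\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
       f'svchost.exe | Set value (int) | {_RTP}DisableRealtimeMonitoring = "0"']
)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process:14} {f.view:6} {f.name}")
```

Run against the constructed events the check yields eleven findings: five native-view writes by a5975713.exe, five WOW6432Node-view writes by AppLaunch.exe and the TamperProtection clear; the RunOnce key creation and the value that sets DisableRealtimeMonitoring back to 0 are ignored.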
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe, v4144848.exe, v5476553.exe, v3022194.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4144848.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v4144848.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5476553.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5476553.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v3022194.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v3022194.exe

The four RunOnce values are wextract_cleanup0 to wextract_cleanup3, the entries the IExpress/wextract self-extractor writes so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXPnnn.TMP extraction directory at the next logon. They reflect four nested self-extracting layers (IXP000.TMP through IXP003.TMP) rather than persistence of the payload: the final-stage binaries a5975713.exe, b8173177.exe and c4692091.exe do not appear in this table.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b8173177.exe
description | pid | process | target pid | target process
- set thread context | 2468 | b8173177.exe | 1752 | AppLaunch.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid | process | target pid | target process
- 4836 | WerFault.exe | 2468 | b8173177.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: a5975713.exe, AppLaunch.exe, c4692091.exe
pid | process | events
- 4876 | a5975713.exe | 2
- 1752 | AppLaunch.exe | 2
- 3860 | c4692091.exe | 18

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a5975713.exe, AppLaunch.exe, c4692091.exe
description | pid | process
- Token: SeDebugPrivilege | 4876 | a5975713.exe
- Token: SeDebugPrivilege | 1752 | AppLaunch.exe
- Token: SeDebugPrivilege | 3860 | c4692091.exe

Suspicious use of WriteProcessMemory 22 IoCs
Processes: 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe, v4144848.exe, v5476553.exe, v3022194.exe, b8173177.exe
pid | process | target pid | target process | writes
- 1436 | 21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe | 3928 | v4144848.exe | 3
- 3928 | v4144848.exe | 3384 | v5476553.exe | 3
- 3384 | v5476553.exe | 3352 | v3022194.exe | 3
- 3352 | v3022194.exe | 4876 | a5975713.exe | 2
- 3352 | v3022194.exe | 2468 | b8173177.exe | 3
- 2468 | b8173177.exe | 1752 | AppLaunch.exe | 5
- 3384 | v5476553.exe | 3860 | c4692091.exe | 3
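The WriteProcessMemory and SetThreadContext rows above are enough to reconstruct the injection chain without the process tree. The Python below is an added example and not the sandbox's own parser: ROWS is a constructed copy of the report's rows, PID_IMAGE maps each PID to the image path shown in the process tree, and the heuristic (a binary under the user's Temp directory that writes into a Windows-shipped image it spawned and then resets that process's thread context) and all function names are assumptions made for the example. Every parent in this report also wrote two or three times into each child it merely spawned, so the check keys on the write-plus-SetThreadContext pair against a system image, not on writes alone.

```python
"""Reconstruct the hollowing chain from sandbox signature rows (added example)."""
import re
from collections import defaultdict

# PID -> image path, copied from the report's process tree.
PID_IMAGE = {
    1436: "C:\\Users\\Admin\\AppData\\Local\\Temp\\21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe",
    3928: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\v4144848.exe",
    3384: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\v5476553.exe",
    3352: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\v3022194.exe",
    3860: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\c4692091.exe",
    4876: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\a5975713.exe",
    2468: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\b8173177.exe",
    1752: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe",
}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def _wrote(src, dst, n):
    """Build n copies of a 'wrote to memory' row in the report's wording."""
    return [f"PID {src} wrote to memory of {dst} {src} "
            f"{basename(PID_IMAGE[src])} {basename(PID_IMAGE[dst])}"] * n


# Constructed from the report: (src, dst, count) per WriteProcessMemory row
# group, plus the single SetThreadContext row.
ROWS = (
    _wrote(1436, 3928, 3) + _wrote(3928, 3384, 3) + _wrote(3384, 3352, 3)
    + _wrote(3352, 4876, 2) + _wrote(3352, 2468, 3) + _wrote(2468, 1752, 5)
    + _wrote(3384, 3860, 3)
    + ["PID 2468 set thread context of 1752 2468 b8173177.exe AppLaunch.exe"]
)

WROTE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\b")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)\b")


def parse_rows(rows):
    """Count WriteProcessMemory edges and collect SetThreadContext edges."""
    writes, ctx = defaultdict(int), set()
    for row in rows:
        if m := WROTE_RE.search(row):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.search(row):
            ctx.add((int(m[1]), int(m[2])))
    return writes, ctx


def chain_to(pid, writes):
    """Follow write edges back to the root; in this report the process that
    writes into a freshly created process is its parent."""
    parent = {dst: src for src, dst in writes}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def is_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def hollowing_candidates(rows, images):
    """Return one record per (injector, target) pair that matches the
    hollowing shape: Temp-resident writer, system-image target, SetThreadContext."""
    writes, ctx = parse_rows(rows)
    out = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] and is_user_temp(images[src]) and is_system_image(images[dst]):
            out.append({
                "injector": src,
                "target": dst,
                "writes": writes[(src, dst)],
                "chain": [basename(images[p]) for p in chain_to(dst, writes)],
            })
    return out


if __name__ == "__main__":
    for c in hollowing_candidates(ROWS, PID_IMAGE):
        print(f"PID {c['injector']} -> PID {c['target']} ({c['writes']} writes): "
              + " > ".join(c["chain"]))
```

On the report's rows this yields a single candidate, b8173177.exe (PID 2468) into AppLaunch.exe (PID 1752) with five writes, and the chain from the root sample through the four IXPnnn.TMP stages to the hollowed CLR host. The crash of PID 2468 that WerFault handles afterwards is consistent with the loader exiting once the payload was running in AppLaunch.exe, but the report does not say what it crashed on.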
Processes

- C:\Users\Admin\AppData\Local\Temp\21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe"
  PID: 1436
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
    PID: 3928
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
      PID: 3384
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
        PID: 3352
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
          PID: 4876
          signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
          PID: 2468
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            PID: 1752
            signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 140
            PID: 4836
            signatures: Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
        PID: 3860
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2468 -ip 2468
  PID: 2524
Downloads

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
  Filesize: 529KB
  MD5: f4d77473cb99178ae89b51f75363e2a4
  SHA1: 805b5b92a372144af14c5174bf3da224c2df15ff
  SHA256: c67804f9f5932c9c8e054447a0ba3a1af130a5e9a73cb1a9e4d5015bb3e8ba3d
  SHA512: dfa25b4595c4af030d86fa4c99c6d8b5d8e10a7b83187cce5efbc65fb4a9278d0133d7015624ad6eede20707035e97d311cf93d33fd9ecce93f49ef1febf669a
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
  Filesize: 357KB
  MD5: 54cce095b6582596d828607081f17e56
  SHA1: 351810afae4f9f2b9cf8d38b6b11193a579486c5
  SHA256: 3ae22335a18d293348ba94bb0090854bcba4d6724b445497d833ec68eb4d8c06
  SHA512: 696de3dc1a1634323d78fad88cf1a173159929a8d861464adcda9fa8dd07135637531e2898d146f927813f8e600ab240b000d23488e140fa91edb94851acf6e3
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
  Filesize: 172KB
  MD5: 9689ddcedf6c06b1dadff507da031b16
  SHA1: ba7ae4dd9462ef95f8f85c43858607b1c3494aa3
  SHA256: 2114b71e12dc4271617819ad8c8555ad1f9290e662bf7f267172c3c3494effc8
  SHA512: 5a44d8873217de26cfc76712f8383291b7a9e95979e64e21476ab9294cc81dc03c0a512faf8b7ce0650197d61ba622f801bba3a490855a1db1cc49fbc5da327e
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
  Filesize: 202KB
  MD5: eafd429fb38131604dbd3e4eb765407c
  SHA1: 37df1ea55e13779e0da4fedd17a2b67e037734a9
  SHA256: 2ebba14dc3f49c87f9285e69c0ab0a76a2a9394186cbaea882e1cce7435816de
  SHA512: 73a6f7762f7bd6e0515762d3525905073dc5e54a044172d0752f0e30472bfb284ceb86a3672795ddf0eec6e994f77c4f9af2448ee391f72619ae1e12099c8f37
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
  Filesize: 13KB
  MD5: ac63fb443a266e25c73186787f4518a4
  SHA1: 7f991ca15be08030d98275620663904e17bd2fa3
  SHA256: eb85c51cde88042561254ef31c73e666ac421b505f41e104eca54b0e716b5f4b
  SHA512: 8ae90e9e394ac3f386ca9d773e1f52cb3cdce1e7c963284cda184b6147738c157d45feae13cf01025b7a59c5c2703dac8318afb6f6c5c6763350e8b581c1f499
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
  Filesize: 117KB
  MD5: 5d2f7a95e523fdd93c3f02a80a72c558
  SHA1: 49986e977887312f454c68427837784ad3250f6e
  SHA256: 4e1a09811d9bc779f622ba3b62d59f151a578403a9ad812002d7d0c90fb76da8
  SHA512: 4d44cddcdbd7dd90f59f78dda8164bde3cc76fd3562b8d7b75a8e85153a3963ab83aa1b8a51858db7e39a22b108bafe7031ac65bc56becf24d83d87faee8978a
- memory/1752-168-0x0000000000400000-0x000000000040A000-memory.dmp, Filesize: 40KB
- memory/3860-176-0x0000000000520000-0x0000000000550000-memory.dmp, Filesize: 192KB
- memory/3860-177-0x000000000A840000-0x000000000AE58000-memory.dmp, Filesize: 6.1MB
- memory/3860-178-0x000000000A360000-0x000000000A46A000-memory.dmp, Filesize: 1.0MB
- memory/3860-179-0x000000000A2A0000-0x000000000A2B2000-memory.dmp, Filesize: 72KB
- memory/3860-180-0x0000000004D90000-0x0000000004DA0000-memory.dmp, Filesize: 64KB
- memory/3860-181-0x000000000A300000-0x000000000A33C000-memory.dmp, Filesize: 240KB
- memory/3860-182-0x000000000A610000-0x000000000A686000-memory.dmp, Filesize: 472KB
- memory/3860-183-0x000000000AE60000-0x000000000AEF2000-memory.dmp, Filesize: 584KB
- memory/3860-184-0x000000000B4B0000-0x000000000BA54000-memory.dmp, Filesize: 5.6MB
- memory/3860-185-0x000000000AF00000-0x000000000AF66000-memory.dmp, Filesize: 408KB
- memory/3860-186-0x000000000BA60000-0x000000000BC22000-memory.dmp, Filesize: 1.8MB
- memory/3860-188-0x000000000C160000-0x000000000C68C000-memory.dmp, Filesize: 5.2MB
- memory/3860-189-0x0000000004D90000-0x0000000004DA0000-memory.dmp, Filesize: 64KB
- memory/3860-190-0x000000000B460000-0x000000000B4B0000-memory.dmp, Filesize: 320KB
- memory/4876-162-0x0000000000090000-0x000000000009A000-memory.dmp, Filesize: 40KB