Analysis
-
max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
06/06/2023, 03:39
Static task
static1
Behavioral task
behavioral1
Sample
4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Resource
win10v2004-20230220-en
General
-
Target
4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
-
Size
584KB
-
MD5
9a55454aa112cc2522e77b8501c865a9
-
SHA1
b09e7b80f19bb430838895a23b60fd4712ec3c63
-
SHA256
4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9
-
SHA512
9c16e37bb0c9fe2500e46f6d543e248b3c8f6980fc9e3737288205c29f9c20ef9484272cb106b68755f5af87ef94b1279615c21e35363fa2bc00e2ab2e5d38c8
-
SSDEEP
12288:2Mray90E4+izMtuaIe2ZQaILczDLlZbOTbdvlUDBO86bTaRWouF:YyrrcaIPMQrbKjUDt6b1R
Malware Config
Extracted
Family
redline
Botnet
diza
C2
83.97.73.126:19048
Attributes
auth_value
0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
pid | Process
2940 | x8694819.exe
4300 | x1114244.exe
1780 | f3355630.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x8694819.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x8694819.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x1114244.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x1114244.exe
All six IoCs are the standard self-cleanup entries written by the Windows wextract (IExpress) self-extractor: each RunOnce value calls advpack.dll DelNodeRunDLL32 to delete that stage's IXPnnn.TMP directory at the next logon. They show that the sample is three nested self-extracting layers; they are not an autostart entry for the final payload (f3355630.exe), which writes no Run key here.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
1780 | f3355630.exe (all 32 events come from this one process)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1780 | f3355630.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 444 wrote to memory of 2940 (reported 3 times) | 444 | 4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe | 83
PID 2940 wrote to memory of 4300 (reported 3 times) | 2940 | x8694819.exe | 84
PID 4300 wrote to memory of 1780 (reported 3 times) | 4300 | x1114244.exe | 85
Each parent writes into the child it spawns, so the writes trace the same four-stage chain as the process tree below.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe"
PID: 444 (depth 1)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe
  PID: 2940 (depth 2, child of 444)
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe
    PID: 4300 (depth 3, child of 2940)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe
      PID: 1780 (depth 4, child of 4300)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
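To turn the indicators and behaviours in this report into something a hunter can run, here is an added example (not part of the sandbox report): a Python script that scans simple key=value telemetry for the report's SHA256 hashes and RedLine C2, for the nested IXPnnn.TMP unpacking chain, and for Run/RunOnce writes, separating the wextract self-cleanup entries from real autostart entries. The event format, the names parse_event(), hunt() and Finding, and the sample event lines are assumptions made for illustration; the hashes, C2 and paths are taken from the report.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report above.
SHA256_IOCS = {
    "4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9",  # submitted sample
    "09a51802b57d7e0436e6a7a6e07cfdd0024923ddd1efe8b9188ce8824420518c",  # dropped file, 377KB
    "61409ea97cf037082a67220b86ee000f7b4d63e776f779669556e0da1b3ff7cc",  # dropped file, 206KB
    "5ead8c6c53f03e6035057121d4233b7774d6ae12aa60cddb5dfc959bea491668",  # dropped file, 172KB
}
REDLINE_C2 = ("83.97.73.126", 19048)

# wextract (IExpress) self-extractor artefacts seen in the report: IXPnnn.TMP
# directories under %TEMP% and the RunOnce wextract_cleanupN value that deletes
# them through advpack.dll. One on its own is benign noise; a chain is not.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)
WEXTRACT_CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.I)
DELNODE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# CONSTRUCTED telemetry in a hypothetical key=value format (not sandbox output).
# It mirrors the process tree, registry and network activity in the report plus
# two unrelated events. Adapt parse_event() to your own EDR export format.
SAMPLE_EVENTS = r"""
type=process pid=444 ppid=1000 image="C:\Users\Admin\AppData\Local\Temp\4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe" parent_image="C:\Windows\explorer.exe" sha256=4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9
type=process pid=2940 ppid=444 image="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe" parent_image="C:\Users\Admin\AppData\Local\Temp\4ae0fb21287875e7552b748c479f60d9bd0aba9ff815fe41413aa9e4440af2c9.exe"
type=process pid=4300 ppid=2940 image="C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe" parent_image="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8694819.exe"
type=process pid=1780 ppid=4300 image="C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3355630.exe" parent_image="C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1114244.exe"
type=process pid=5555 ppid=1000 image="C:\Program Files\Example\example.exe" parent_image="C:\Windows\explorer.exe" sha256=0000000000000000000000000000000000000000000000000000000000000000
type=registry pid=444 key="HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0" value="rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
type=registry pid=9999 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" value="C:\Users\Admin\AppData\Roaming\upd.exe"
type=network pid=1780 dst_ip=83.97.73.126 dst_port=19048
type=network pid=5555 dst_ip=203.0.113.10 dst_port=443
"""


def parse_event(line):
    """Parse one 'key=value key2="value with spaces"' line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


@dataclass
class Finding:
    severity: str  # high / medium / info
    rule: str
    pid: str
    detail: str


def hunt(events_text):
    """Run the IoC and behaviour rules over key=value event lines."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind, pid = ev.get("type"), ev.get("pid", "?")
        if kind == "process":
            if ev.get("sha256", "").lower() in SHA256_IOCS:
                findings.append(Finding("high", "known-hash", pid, ev.get("image", "")))
            # Child and parent both live in an IXPnnn.TMP directory: one
            # self-extractor unpacked another, as in the report's chain.
            if IXP_DIR.search(ev.get("image", "")) and IXP_DIR.search(ev.get("parent_image", "")):
                findings.append(Finding("medium", "nested-wextract", pid, ev["image"]))
        elif kind == "registry":
            key, value = ev.get("key", ""), ev.get("value", "")
            if WEXTRACT_CLEANUP.search(key) and DELNODE.search(value):
                # Self-cleanup entry written by the extractor, not payload persistence.
                findings.append(Finding("info", "wextract-cleanup", pid, key))
            elif RUN_KEY.search(key):
                findings.append(Finding("medium", "run-key", pid, f"{key} = {value}"))
        elif kind == "network":
            if (ev.get("dst_ip"), int(ev.get("dst_port", 0))) == REDLINE_C2:
                findings.append(Finding("high", "redline-c2", pid, f"{ev['dst_ip']}:{ev['dst_port']}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:16} pid={f.pid:5} {f.detail}")
```

On the constructed sample the script reports the submitted hash (pid 444) and the C2 connection (pid 1780) as high, the two processes whose parent also ran from an IXPnnn.TMP directory (pids 4300 and 1780) and the unrelated HKCU Run entry as medium, and the wextract_cleanup0 RunOnce value only as info, which is the distinction the report's "Adds Run key" signature does not make by itself.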
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
377KB
MD5
e325fc72bbfbad30b78ed9d159f0a058
SHA1
657f7006c058d7782d8c464d89a27a59a19aeefa
SHA256
09a51802b57d7e0436e6a7a6e07cfdd0024923ddd1efe8b9188ce8824420518c
SHA512
b518138440096496b1207b8416dabb5f0a1138a1fd4f2b6f4dac6644f56f777e49bae6302c94cd35888e73ff73143a257f28491583d32de52b1e693227141eb3
-
Filesize
206KB
MD5
dd01c7c42bdbedf64bd67441428cba3c
SHA1
804c69685ca77f8de008b496d18264a43037404e
SHA256
61409ea97cf037082a67220b86ee000f7b4d63e776f779669556e0da1b3ff7cc
SHA512
1e61261fb33326d68e69a8a7b5c90ddad85b9be715e368f68b4e9e1ea77db0f134832addf91e5c218b2c7c1f49ff1e9ad4e44305ec78a63fe2dbd04dc638e8ba
-
Filesize
172KB
MD5
30a765529edaa6de4fe4c13cffc26b86
SHA1
52b6f59535009e880788cff62bf8afc4af2b52a2
SHA256
5ead8c6c53f03e6035057121d4233b7774d6ae12aa60cddb5dfc959bea491668
SHA512
b0c1ce0026b2e232236d2e8a8c8b3763240f09f8aa9303dcebb751ca12f7a129bbb997ba1452436fd542a5b57c9f8f5d09a2267e5e074f51d3be0872deb4c22e