Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 03:18
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe
  - Resource: win10v2004-20230220-en
General
- Target: 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe
- Size: 736KB
- MD5: 4636d9e8bcc1a6d371204c04cc95ae18
- SHA1: 7a6e6ca9b8983baf372a07e9de40454d91445101
- SHA256: 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705
- SHA512: 525d992de081c45b2e6ac26968ac3967615cb74dce91972a38f88c2d3673e9ecb57ce4dbd0887fa99e02b7740589ab7fce48725136cfc9de16f9567d7e7ab429
- SSDEEP: 12288:TMrOy904y0hFYF6cnF27059C4Iy0EVqrTQv5s0qBNFk8O/T9/lV1T0LJH/hYmdX:By2OYF6cns6tVST85LqBy/ThlPTcpd9
Malware Config
Extracted
- redline
- maxi
- 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: AppLaunch.exe, a2491201.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a2491201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a2491201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a2491201.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a2491201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a2491201.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a2491201.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v1096638.exe, v5483198.exe, v4340298.exe, a2491201.exe, b9001994.exe, c7889074.exe
pid | process
2332 | v1096638.exe
1312 | v5483198.exe
4368 | v4340298.exe
4640 | a2491201.exe
896 | b9001994.exe
5008 | c7889074.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Windows security modification
Processes: a2491201.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a2491201.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v5483198.exe, v4340298.exe, 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe, v1096638.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5483198.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4340298.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v4340298.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1096638.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1096638.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5483198.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b9001994.exe
description | pid | process | target process
PID 896 set thread context of 4504 | 896 | b9001994.exe | AppLaunch.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
448 | 896 | WerFault.exe | b9001994.exe
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes: a2491201.exe, AppLaunch.exe, c7889074.exe
pid | process | hits
4640 | a2491201.exe | 2
4504 | AppLaunch.exe | 2
5008 | c7889074.exe | 30
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a2491201.exe, AppLaunch.exe, c7889074.exe
description | pid | process
Token: SeDebugPrivilege | 4640 | a2491201.exe
Token: SeDebugPrivilege | 4504 | AppLaunch.exe
Token: SeDebugPrivilege | 5008 | c7889074.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe, v1096638.exe, v5483198.exe, v4340298.exe, b9001994.exe
description | pid | process | target process | hits
PID 2900 wrote to memory of 2332 | 2900 | 3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe | v1096638.exe | 3
PID 2332 wrote to memory of 1312 | 2332 | v1096638.exe | v5483198.exe | 3
PID 1312 wrote to memory of 4368 | 1312 | v5483198.exe | v4340298.exe | 3
PID 4368 wrote to memory of 4640 | 4368 | v4340298.exe | a2491201.exe | 2
PID 4368 wrote to memory of 896 | 4368 | v4340298.exe | b9001994.exe | 3
PID 896 wrote to memory of 4504 | 896 | b9001994.exe | AppLaunch.exe | 5
PID 1312 wrote to memory of 5008 | 1312 | v5483198.exe | c7889074.exe | 3
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe (PID 2900)
Command line: "C:\Users\Admin\AppData\Local\Temp\3ad0123690b3f59924c82ff86fde6ca90474b8ee8e395f7b9a4902922efd2705.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1096638.exe (PID 2332)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1096638.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5483198.exe (PID 1312)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5483198.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4340298.exe (PID 4368)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4340298.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2491201.exe (PID 4640)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2491201.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9001994.exe (PID 896)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9001994.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4504)
          Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe (PID 448)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 152
          - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7889074.exe (PID 5008)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7889074.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (PID 400)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 896 -ip 896
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1096638.exe
Filesize: 530KB
MD5: 7179856d32a9d26d9426187401050294
SHA1: f100ac866f41f93ff4a9fd8b44ae888f682606ce
SHA256: 98b03f25ed337e61366385eb3cbd4d02827cf80b8ed323967077146db9527a90
SHA512: 6f2c78b9d03cc9ad4399e8c561a30b1371dc73345cf812aed3b5186d4bbe7ed2ac7d575d1ec742ecafdcbd467987ce53c040f948636abb210a8b1ae063a0efb9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5483198.exe
Filesize: 357KB
MD5: 7c49e2eb13035c55c7bde330bf9d3f04
SHA1: 23d5d1ae19d3e5b2ea0d4d8670cf7afe1d42fb01
SHA256: fbb2aff50173f1cb5d58a85ca8c2095ee630c7750d5e11b4c457bf2f5dbbeb8f
SHA512: 36d08c356963d824bafbc858abd1ffde2810d5afdb0cfb9a8df0c5d4e8cadef82b011ec8814e7ee61504e98d8790493bfffbbd599517635e9f937b2a94e442cd
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7889074.exe
Filesize: 172KB
MD5: a00b8e09d601e2be389c79e33538bc4d
SHA1: 0764c9d856c27b269d2ca45369166bf1c9bd3882
SHA256: f3e05793df33e9daf6761090008bd1cd009039063978fd9e0313e79221d581f7
SHA512: ec71a2b62005cbc7395b7f1f0b56446ba3e268a47059ddf681fad858a397b681221c90cae57c2223c178ef3b0feaa344a0e9edea0e5de0655d37b3519234b919
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4340298.exe
Filesize: 202KB
MD5: f3dfcb176639ab5ee630640ffed39f90
SHA1: 07f76c7ca850c4536209249aef5d151672068fce
SHA256: 45dad72b1f4c5040e6737819398f80fd7a3cb07c72adfc7bc58e2a198842d6c8
SHA512: a02d26d252d33817c0fc85bc768ab52e9617911c4b653fe401a669329f6e6b60898af89fd21cef2f081bb6a63a59af9e7f7d0882566127664f5d2af902383f46
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2491201.exe
Filesize: 13KB
MD5: 1f5b40e345bc2490491355f3b4e2a03e
SHA1: ab03a56383442f7d8c200c47580f0be51181fdc3
SHA256: 83dc57e2199b82e3772479fdfc95ed1c7077d2fe39444eb4ec9b45d015961bb1
SHA512: f1ac3def74e1cbd9e3d0215099c62d4035922fd6c5f705a27eb56b593cbf84a821ca92b4914688de39bee574885da4b00c937f04d5fe79951c36af32bf32d06a
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9001994.exe
Filesize: 117KB
MD5: 68575acf17ea8aaf8f4a005d10a03a5b
SHA1: 6e1ce0ab3a0e6700004f1893931ec4f645d97e46
SHA256: f1d0e90dca20b7c605cafa9d709863040995249bd6ecf691bb972748d26b3ee4
SHA512: c5d7e1bc57a660c44b694cdeabdc585dd89c7010a166eec7fdabb2fec6a72c14d92adb187c69968988b21bcb9042f7e2c8d83bb921c30a1344b47de1ed158b81
-
Memory dumps (file | Filesize)
memory/4504-167-0x0000000000400000-0x000000000040A000-memory.dmp | 40KB
memory/4640-161-0x00000000002F0000-0x00000000002FA000-memory.dmp | 40KB
memory/5008-175-0x0000000000110000-0x0000000000140000-memory.dmp | 192KB
memory/5008-176-0x000000000A480000-0x000000000AA98000-memory.dmp | 6.1MB
memory/5008-177-0x0000000009F70000-0x000000000A07A000-memory.dmp | 1.0MB
memory/5008-178-0x0000000009E90000-0x0000000009EA2000-memory.dmp | 72KB
memory/5008-179-0x0000000009EF0000-0x0000000009F2C000-memory.dmp | 240KB
memory/5008-180-0x0000000004AD0000-0x0000000004AE0000-memory.dmp | 64KB
memory/5008-181-0x000000000A300000-0x000000000A376000-memory.dmp | 472KB
memory/5008-182-0x000000000AAA0000-0x000000000AB32000-memory.dmp | 584KB
memory/5008-183-0x000000000B0F0000-0x000000000B694000-memory.dmp | 5.6MB
memory/5008-184-0x000000000A3F0000-0x000000000A456000-memory.dmp | 408KB
memory/5008-187-0x000000000B870000-0x000000000BA32000-memory.dmp | 1.8MB
memory/5008-186-0x0000000004AD0000-0x0000000004AE0000-memory.dmp | 64KB
memory/5008-188-0x000000000BF70000-0x000000000C49C000-memory.dmp | 5.2MB
memory/5008-189-0x000000000B770000-0x000000000B7C0000-memory.dmp | 320KB