Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 10:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe
- Resource: win10v2004-20230220-en

General
- Target: fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe
- Size: 738KB
- MD5: 7d6d01b7c3df47a2a39be56193817755
- SHA1: 7e9ca287926b479f1f8eae2e3868dbad49536e51
- SHA256: fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a
- SHA512: ec806cf71621ae75927e4199a8be3c366adf311a5d65071101c73881c6a1d990fc72a021fbdb30e9a7984d503245ee29166591fc17c49372cb9c3d12d085e2d0
- SSDEEP: 12288:ZMrYy90L8oZeYoRGMwo3D8gvLrYw2Api257LxV8GUBD1jeIOQ4NYjRu+R:pya8ouE03pvLrYVq/eGID16I10+R

Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a1183090.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1183090.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v1934255.exe, v1811017.exe, v6061350.exe, a1183090.exe, b9439976.exe, c9037711.exe
pid | process
4640 | v1934255.exe
3112 | v1811017.exe
1680 | v6061350.exe
2904 | a1183090.exe
100 | b9439976.exe
560 | c9037711.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: a1183090.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1183090.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v6061350.exe, fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe, v1934255.exe, v1811017.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6061350.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6061350.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1934255.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1934255.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1811017.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v1811017.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b9439976.exe
description | pid | process | target process
PID 100 set thread context of 1328 | 100 | b9439976.exe | AppLaunch.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1272 | 100 | WerFault.exe | b9439976.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes: a1183090.exe, AppLaunch.exe, c9037711.exe
pid | process
2904 | a1183090.exe (2 entries)
1328 | AppLaunch.exe (2 entries)
560 | c9037711.exe (30 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a1183090.exe, AppLaunch.exe, c9037711.exe
description | pid | process
Token: SeDebugPrivilege | 2904 | a1183090.exe
Token: SeDebugPrivilege | 1328 | AppLaunch.exe
Token: SeDebugPrivilege | 560 | c9037711.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe, v1934255.exe, v1811017.exe, v6061350.exe, b9439976.exe
description | pid | process | target process
PID 4500 wrote to memory of 4640 | 4500 | fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe | v1934255.exe (3 entries)
PID 4640 wrote to memory of 3112 | 4640 | v1934255.exe | v1811017.exe (3 entries)
PID 3112 wrote to memory of 1680 | 3112 | v1811017.exe | v6061350.exe (3 entries)
PID 1680 wrote to memory of 2904 | 1680 | v6061350.exe | a1183090.exe (2 entries)
PID 1680 wrote to memory of 100 | 1680 | v6061350.exe | b9439976.exe (3 entries)
PID 100 wrote to memory of 1328 | 100 | b9439976.exe | AppLaunch.exe (5 entries)
PID 3112 wrote to memory of 560 | 3112 | v1811017.exe | c9037711.exe (3 entries)
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        (depth 5) C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          (depth 6) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          (depth 6) C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 152
            - Program crash

      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 100 -ip 100
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
- Filesize: 531KB
- MD5: e38542dbc634e1c9cc932901142166c8
- SHA1: 924db07c74addd4d3efac85491f29b66545d0e43
- SHA256: 2a7d4cf9010bee1a75e7378ab03365bc5a1550f4bb8a5a11ef767c423e6f373b
- SHA512: d7dc5e291d6fb25cee9b63dca3c42d27425afc35d8062404a9ce06793c31d89efd83e63a0948f73cd73fad3fba7603bbbb06601e5feb501d90bc11830e33ff52

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
- Filesize: 359KB
- MD5: 013fd9ff7f426d4d7e4edff0aa363669
- SHA1: 7f53a5a5462748cdcbfaf8a7a8a064444d6969b1
- SHA256: ab0857d7e28d001e47b9960ef249b084873ad2add5f71bff19a94ce990fe77af
- SHA512: 38706aa58f232f60bfd5ba9c9fef2a6ba4933464d403a0e28d448bd03a5965185b6094799823375fed533f310a41f11b5de1375254c221a7e465790a1e4865e3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
- Filesize: 172KB
- MD5: ebdf0f9c5cb81a62ce9c7347ba1fc812
- SHA1: 5b84fc80114b912057b45a50134cc23e983238db
- SHA256: f05bea1fdd45456e5140492a2cc1855d8ef8b4bcc0105f1b80baa60f8c73e9e9
- SHA512: aed76b52509676eac8b2d99d9054ab8febd510af08472b0fca4f93bf408b955ba2b155f21a6742b533d35a43732227046f36f79b0c7503055f4b56ebea356453

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
- Filesize: 204KB
- MD5: 12c77008c7e8d7bd9cca8f1205258da3
- SHA1: 75bf95fb3df76edeec28d421f034cfce60b42dee
- SHA256: 09d20c3d61899b2d4bf62acfdb0ad4a4e0236cc928c8903a8ad35b35b87543e5
- SHA512: e5048c3ceddfac254a7359951291f4c4d5074edfc79be03daa7c73c06dadd78b52c09a846f61236fc8716cb762f16b45f768f252f3dc293d2c55b0938725d0de

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
- Filesize: 13KB
- MD5: cf639a22ff6a665c3a8adc3c9a2a2818
- SHA1: fd4c929c1e1e21d805a3a773072481fbf065f8c8
- SHA256: ac85bb2291afe96a0f8aedc7a6898481da3af0ab083d3877d6b0c2c22209339f
- SHA512: 0896751b8efd55b27cf83d0ed0796528e5bd4e1e4f25e25a48cd724ad391289f360ceb86b0706b0da67aeb0f20b40b747b714ef5ac7af79c642d39e155bd77e7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
- Filesize: 120KB
- MD5: 5a9682af2a44eb7b2fe84b5804e3d1cd
- SHA1: d6d15f9193baff6148ea83e7580f4f84e35902ae
- SHA256: 35c918845b44d2cf746b5cd94a115fd4848dc811cd596c8ac03d06ce40947854
- SHA512: 436978dc35a29864d8d2a7a02d12af69e37054855ccf017585121ad3e2c64fef71946213397f0eefc294c12e1b849b31f772cad5fbe9612c0b0413d344947057
Memory dumps (file | Filesize)
memory/560-175-0x0000000000410000-0x0000000000440000-memory.dmp | 192KB
memory/560-180-0x0000000004D70000-0x0000000004D80000-memory.dmp | 64KB
memory/560-189-0x000000000C210000-0x000000000C73C000-memory.dmp | 5.2MB
memory/560-176-0x000000000A720000-0x000000000AD38000-memory.dmp | 6.1MB
memory/560-177-0x000000000A250000-0x000000000A35A000-memory.dmp | 1.0MB
memory/560-178-0x000000000A190000-0x000000000A1A2000-memory.dmp | 72KB
memory/560-179-0x000000000A1F0000-0x000000000A22C000-memory.dmp | 240KB
memory/560-188-0x000000000BB10000-0x000000000BCD2000-memory.dmp | 1.8MB
memory/560-181-0x000000000A500000-0x000000000A576000-memory.dmp | 472KB
memory/560-182-0x000000000AD40000-0x000000000ADD2000-memory.dmp | 584KB
memory/560-183-0x000000000B390000-0x000000000B934000-memory.dmp | 5.6MB
memory/560-184-0x000000000ADE0000-0x000000000AE46000-memory.dmp | 408KB
memory/560-186-0x000000000B210000-0x000000000B260000-memory.dmp | 320KB
memory/560-187-0x0000000004D70000-0x0000000004D80000-memory.dmp | 64KB
memory/1328-167-0x0000000000400000-0x000000000040A000-memory.dmp | 40KB
memory/2904-161-0x00000000001B0000-0x00000000001BA000-memory.dmp | 40KB