Analysis
max time kernel: 129s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 10:18
Static task: static1
Behavioral task: behavioral1
  Sample: 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe
  Resource: win10v2004-20230220-en
General
Target: 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe
Size: 738KB
MD5: a842c3030b6492acf30649181f693ae9
SHA1: 21207d067d18b6b506095dd4c40e19877974fe92
SHA256: 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd
SHA512: 2d5d9f77ad35d8311a51ae101cc93126c279c5c18d87bae98641446544843399cc7a262d65bd007f6fff253ded25ba8cd4d5f5b554049cc63b7180ff57f79a89
SSDEEP: 12288:0Mrly90/CoIST5ws7rZH26GaS4umKAng5Zod475flqrqv2pniQAOATlzr9TPdILq:pyuCoIEZ7SHuKKg5ZoudqrvtkrhPdUkp
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
Processes: a1858299.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1858299.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a1858299.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1858299.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1858299.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1858299.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1858299.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 6 IoCs
Processes: v7832569.exe, v0189919.exe, v0295850.exe, a1858299.exe, b6175107.exe, c8442695.exe
pid | process
2828 | v7832569.exe
3984 | v0189919.exe
2196 | v0295850.exe
2344 | a1858299.exe
524 | b6175107.exe
2548 | c8442695.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

Windows security modification 1 IoCs
Processes: a1858299.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1858299.exe
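The two tables above (the Real-Time Protection policy values set to "1" by a1858299.exe and AppLaunch.exe, and TamperProtection set to "0" by a1858299.exe) are registry writes a detection should catch whether the path is logged as \REGISTRY\MACHINE, HKLM or under WOW6432Node. The Python below is an added example, not part of the sandbox report: it normalises key paths and flags exactly those writes over a constructed event list modelled on the report's rows. Note that the sandbox records that the write succeeded, not whether Defender honoured it; with Tamper Protection enabled, Defender ignores registry changes to these settings, which is why the TamperProtection write by a1858299.exe is the row to look at first.

```python
"""Flag registry writes that switch off Microsoft Defender protections.

Added example; the events below are constructed to mirror the sandbox
report's IOC rows (description, key path, data, writing process) and are
not real telemetry.
"""
import re
from dataclasses import dataclass

# Real-Time Protection policy values that weaken Defender when set to 1.
REALTIME_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
REALTIME_POLICY_KEY = r"software\policies\microsoft\windows defender\real-time protection"
TAMPER_KEY = r"software\microsoft\windows defender\features"


@dataclass(frozen=True)
class RegistryWrite:
    process: str
    path: str   # full key path including the value name
    data: str   # data as the sandbox prints it, e.g. '"1"'


def normalise_key(path: str) -> str:
    """Lower-case, strip the HKLM / \\REGISTRY\\MACHINE prefix, drop WOW6432Node."""
    p = path.replace("/", "\\").lower()
    p = re.sub(r"^(\\registry\\machine|hklm|hkey_local_machine)\\", "", p)
    return p.replace("\\wow6432node\\", "\\")


def classify(event: RegistryWrite):
    """Return a finding label for a Defender-weakening write, else None."""
    key, _, value_name = normalise_key(event.path).rpartition("\\")
    data = event.data.strip('"')
    if key == REALTIME_POLICY_KEY and value_name in REALTIME_DISABLE_VALUES and data == "1":
        return "defender-realtime-disabled"
    if key == TAMPER_KEY and value_name == "tamperprotection" and data == "0":
        return "defender-tamper-protection-off"
    return None


def find_defender_tampering(events):
    """Return (process, label, value_name) for every flagged write, in order."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.process, label, normalise_key(ev.path).rpartition("\\")[2]))
    return findings


# Constructed events: three rows from the report's pattern plus two benign ones.
SAMPLE_EVENTS = [
    RegistryWrite("a1858299.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                  '"1"'),
    RegistryWrite("AppLaunch.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
                  '"1"'),
    RegistryWrite("a1858299.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
                  '"0"'),
    # benign: policy re-enabling real-time monitoring (value 0)
    RegistryWrite("gpupdate.exe",
                  r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                  '"0"'),
    # benign: unrelated vendor key that happens to reuse the value name
    RegistryWrite("setup.exe",
                  r"HKLM\SOFTWARE\Vendor\Real-Time Protection\DisableRealtimeMonitoring",
                  '"1"'),
]

if __name__ == "__main__":
    for finding in find_defender_tampering(SAMPLE_EVENTS):
        print(*finding)
```

The value-name set is deliberately the five names seen in this report; extend it if you also want DisableAntiSpyware or the SpyNet reporting values.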
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe, v7832569.exe, v0189919.exe, v0295850.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7832569.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v7832569.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v0189919.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v0189919.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v0295850.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v0295850.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe
Note: the wextract_cleanupN values are the cleanup entries that the Windows self-extractor (wextract) writes so that its IXPnnn.TMP extraction directory is deleted by advpack.dll's DelNodeRunDLL32 at the next logon; they do not relaunch the payload. Here they reveal four nested self-extracting layers (IXP000.TMP through IXP003.TMP) rather than a persistence mechanism.
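The RunOnce values above all follow one pattern: a wextract_cleanupN name and a rundll32 advpack.dll,DelNodeRunDLL32 command pointing at an IXPnnn.TMP folder. The Python below is an added example, not part of the sandbox report: it separates such self-extractor cleanup entries from RunOnce commands that still deserve a look as startup mechanisms, using the report's four values (reconstructed from the escaped strings in the table) plus one constructed non-cleanup entry for contrast.

```python
"""Classify RunOnce values: self-extractor cleanup vs. persistence candidates.

Added example. wextract.exe (the stub used by IExpress packages) extracts to
%TEMP%\IXPnnn.TMP and registers RunOnce\wextract_cleanupN =
rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" to delete that directory
at the next logon. Seeing such entries tells you how many packed layers ran,
not how the payload starts. The entries below are constructed.
"""
import re

# rundll32[.exe] [<path>\]advpack.dll,DelNodeRunDLL32 "<directory>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[^"]*\\)?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)
IXP_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\?$", re.IGNORECASE)


def classify_runonce(name: str, data: str) -> dict:
    """Return {'kind': 'sfx-cleanup', 'dir': ..., 'layer': ...} for a wextract
    cleanup entry, otherwise {'kind': 'persistence-candidate', 'command': data}."""
    m = CLEANUP_RE.match(data)
    if m and name.lower().startswith("wextract_cleanup"):
        directory = m["dir"]
        ixp = IXP_RE.search(directory)
        return {
            "kind": "sfx-cleanup",
            "dir": directory.rstrip("\\"),
            "layer": ixp[1].upper() if ixp else None,
        }
    return {"kind": "persistence-candidate", "command": data}


def summarize(entries):
    """Split (name, data) RunOnce pairs into the sorted list of SFX layers and
    the (name, command) pairs that are not cleanup jobs."""
    layers, suspects = [], []
    for name, data in entries:
        result = classify_runonce(name, data)
        if result["kind"] == "sfx-cleanup":
            layers.append(result["layer"] or result["dir"])
        else:
            suspects.append((name, result["command"]))
    return sorted(layers), suspects


TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def cleanup_value(n: int) -> str:
    """Constructed RunOnce data in exactly the shape the report shows (unescaped)."""
    return rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "{TEMP}\IXP{n:03d}.TMP\"'


SAMPLE_RUNONCE = [(f"wextract_cleanup{n}", cleanup_value(n)) for n in range(4)] + [
    # constructed entry that is not a cleanup job and would warrant a closer look
    ("Updater", r'"C:\Users\Admin\AppData\Roaming\updater.exe" /silent'),
]

if __name__ == "__main__":
    layers, suspects = summarize(SAMPLE_RUNONCE)
    print("SFX layers:", layers)
    print("persistence candidates:", suspects)
```

Both the value name and the command shape are required before an entry is treated as cleanup; a DelNodeRunDLL32 command under an unrelated value name falls through to the candidate list on purpose, so a loader imitating the pattern still gets reviewed.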
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes: b6175107.exe
description | pid | process | target process
PID 524 set thread context of 2052 | 524 | b6175107.exe | AppLaunch.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3140 | 524 | WerFault.exe | b6175107.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: a1858299.exe, AppLaunch.exe, c8442695.exe
pid | process
2344 | a1858299.exe
2344 | a1858299.exe
2052 | AppLaunch.exe
2052 | AppLaunch.exe
2548 | c8442695.exe
2548 | c8442695.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a1858299.exe, AppLaunch.exe, c8442695.exe
description | pid | process
Token: SeDebugPrivilege | 2344 | a1858299.exe
Token: SeDebugPrivilege | 2052 | AppLaunch.exe
Token: SeDebugPrivilege | 2548 | c8442695.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe, v7832569.exe, v0189919.exe, v0295850.exe, b6175107.exe
description | pid | process | target process
PID 3040 wrote to memory of 2828 | 3040 | 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe | v7832569.exe
PID 3040 wrote to memory of 2828 | 3040 | 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe | v7832569.exe
PID 3040 wrote to memory of 2828 | 3040 | 139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe | v7832569.exe
PID 2828 wrote to memory of 3984 | 2828 | v7832569.exe | v0189919.exe
PID 2828 wrote to memory of 3984 | 2828 | v7832569.exe | v0189919.exe
PID 2828 wrote to memory of 3984 | 2828 | v7832569.exe | v0189919.exe
PID 3984 wrote to memory of 2196 | 3984 | v0189919.exe | v0295850.exe
PID 3984 wrote to memory of 2196 | 3984 | v0189919.exe | v0295850.exe
PID 3984 wrote to memory of 2196 | 3984 | v0189919.exe | v0295850.exe
PID 2196 wrote to memory of 2344 | 2196 | v0295850.exe | a1858299.exe
PID 2196 wrote to memory of 2344 | 2196 | v0295850.exe | a1858299.exe
PID 2196 wrote to memory of 524 | 2196 | v0295850.exe | b6175107.exe
PID 2196 wrote to memory of 524 | 2196 | v0295850.exe | b6175107.exe
PID 2196 wrote to memory of 524 | 2196 | v0295850.exe | b6175107.exe
PID 524 wrote to memory of 2052 | 524 | b6175107.exe | AppLaunch.exe
PID 524 wrote to memory of 2052 | 524 | b6175107.exe | AppLaunch.exe
PID 524 wrote to memory of 2052 | 524 | b6175107.exe | AppLaunch.exe
PID 524 wrote to memory of 2052 | 524 | b6175107.exe | AppLaunch.exe
PID 524 wrote to memory of 2052 | 524 | b6175107.exe | AppLaunch.exe
PID 3984 wrote to memory of 2548 | 3984 | v0189919.exe | c8442695.exe
PID 3984 wrote to memory of 2548 | 3984 | v0189919.exe | c8442695.exe
PID 3984 wrote to memory of 2548 | 3984 | v0189919.exe | c8442695.exe
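The SetThreadContext row and the WriteProcessMemory rows above describe one event from two angles: b6175107.exe (PID 524) writes into the freshly spawned 32-bit .NET host AppLaunch.exe (PID 2052) five times and then replaces its thread context, the classic process-hollowing sequence, whereas the ordinary parent/child pairs in the table show only the two or three writes that process creation itself produces. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own format from a constructed list and reports only source/target pairs that were both written to and had their thread context set. The list of commonly hollowed host binaries is an assumption for the example.

```python
"""Correlate cross-process memory writes with SetThreadContext calls to
surface process hollowing in sandbox API rows.

Added example. The lines below are constructed to mirror the report's
"wrote to memory of" and "set thread context of" rows; they are not
captured telemetry. A memory write alone is not a signal (normal process
creation produces a few), but a write followed by SetThreadContext from the
same source into the same target is.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")

# Signed Microsoft binaries that .NET loaders commonly hollow (assumption).
COMMON_HOLLOW_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "installutil.exe", "vbc.exe", "aspnet_compiler.exe",
}


def parse_events(lines):
    """Yield (kind, src_pid, dst_pid, src_image, dst_image) for recognised rows."""
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            yield ("write", int(m[1]), int(m[2]), m[3], m[4])
            continue
        m = CONTEXT_RE.search(line)
        if m:
            yield ("context", int(m[1]), int(m[2]), m[3], m[4])


def find_hollowing(lines):
    """Return one tuple per (source, target) pair that was both written to and
    had its thread context replaced:
    (src_pid, dst_pid, src_image, dst_image, write_count, known_host)."""
    writes = defaultdict(int)
    images = {}
    contexts = set()
    for kind, src, dst, src_img, dst_img in parse_events(lines):
        images[(src, dst)] = (src_img, dst_img)
        if kind == "write":
            writes[(src, dst)] += 1
        else:
            contexts.add((src, dst))
    findings = []
    for pair in sorted(contexts):
        if writes[pair]:
            src_img, dst_img = images[pair]
            findings.append((*pair, src_img, dst_img, writes[pair],
                             dst_img.lower() in COMMON_HOLLOW_HOSTS))
    return findings


# Constructed rows: a normal parent/child pair, the hollowing pair, and a
# SetThreadContext with no preceding write (e.g. a debugger), which is ignored.
SAMPLE_LINES = [
    "PID 2196 wrote to memory of 2344 2196 v0295850.exe a1858299.exe",
    "PID 2196 wrote to memory of 2344 2196 v0295850.exe a1858299.exe",
    "PID 524 wrote to memory of 2052 524 b6175107.exe AppLaunch.exe",
    "PID 524 wrote to memory of 2052 524 b6175107.exe AppLaunch.exe",
    "PID 524 wrote to memory of 2052 524 b6175107.exe AppLaunch.exe",
    "PID 524 wrote to memory of 2052 524 b6175107.exe AppLaunch.exe",
    "PID 524 wrote to memory of 2052 524 b6175107.exe AppLaunch.exe",
    "PID 524 set thread context of 2052 524 b6175107.exe AppLaunch.exe",
    "PID 9001 set thread context of 9002 9001 debugger.exe target.exe",
]

if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_LINES):
        print(finding)
```

On a live host the equivalent signal is a process-creation event for AppLaunch.exe whose parent is an executable under %TEMP%, followed by the parent obtaining a handle to it with write and thread-context rights; the known_host flag here only marks that the target is a binary commonly chosen for that purpose.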
Processes
C:\Users\Admin\AppData\Local\Temp\139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd.exe"
  PID: 3040
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
    PID: 2828
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
      PID: 3984
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
        PID: 2196
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
          PID: 2344
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
          PID: 524
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2052
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 152
            PID: 3140
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
        PID: 2548
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 524 -ip 524
  PID: 1644
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
  Filesize: 531KB
  MD5: 681c953b6697f7d0d12d8e9a9000dd75
  SHA1: c6d4226ba2c7cf593784a1345ea4aca119111600
  SHA256: 4cac048a4135e96ee648771e062af6b914b5f10366c21b7b4060b2d639f52949
  SHA512: b610886df0ec53f7c817dc7e277b072674ee274f52e14199ac296cb75f787224b1118e7184a335442006e7f0464152b1bcfe98190323aa2f05142357205f4c06
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
  Filesize: 358KB
  MD5: bfbf64de79ae372969f68a382459b71c
  SHA1: 59bb7df697aa7377e21f1182f929632935a91e13
  SHA256: 1b10574b60047b0ced3d5358445461a0fd4485e881cf9c36e55f368fad2b75f1
  SHA512: 2f24754d0a364020e4fecfb7ac7fc808c27f0382aa7d047769586d2033a81f52eefd23ce0092e3a7d04b4f9860dad13272a13b67119d662947b1f028eac8a07a
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
  Filesize: 172KB
  MD5: fd8c055d23d598045b715fedcf1ad75b
  SHA1: 308253fd658c247cbed17822800e0e16b7be380b
  SHA256: 34cfc8b250e005cd66aaa94b61cd17843b5226372e59f11720995fafda76beca
  SHA512: 1bb2d601dfba09963de6119b75d8e8cd071a534d002884d0e9e5c6992cd814dc36ed97a3dc6f9ab91b3e44e9cd2c4414c12abfc554678c310c3df37a138210e1
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
  Filesize: 203KB
  MD5: 317e6c303cee6e17b54001d6d9ac6b72
  SHA1: 04904de50c646dc1476dbb28869a8f56ff89b1df
  SHA256: 3e7c041b1b078d774ab9a4d47e09fd7ea058111e49d273daabe997758d78e32b
  SHA512: 36544a4333069b5dd3586c91898bd05852239ab8a9f14fb999918ff9046c947b88f2c738d46676f6732a5f292e91c14d37ce59baab5f9b502bb442d59c20ce2a
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
  Filesize: 13KB
  MD5: b4d1df44bc2a04fcdc2071f6054c5b09
  SHA1: 4c07635f36ea55d7207f492c56af89db48742280
  SHA256: 6a479432c044dc6a35133655df9ae402ab0a282a80e96f44118e9979c418184b
  SHA512: 55710af73eaef6cd40b82d301f1b0e6b950ce79aa147eeaeaf95a4af2187641118a0d57a70912cbb5dbdb6aec9a8aa9e8345ffd13a0054dc1f9fcb27ebdde7a9
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
  Filesize: 120KB
  MD5: a2d4bad81bc942e91663f23e4bfac242
  SHA1: 292c77a990956df6fcb6646255728bdf4078976b
  SHA256: 2d9606207c27c78a12ad768c69274f5c92bd899a552f488adf37294afb9065e5
  SHA512: dae14995dec7b7df463d892e644f95b15935d2da0056b1d32d49051472e20d575ef2d4f1c43af4609b80cf37032308e0c819e824895e6151db1466079f9f4f53
memory/2052-167-0x0000000000400000-0x000000000040A000-memory.dmp  Filesize: 40KB
memory/2344-161-0x00000000003F0000-0x00000000003FA000-memory.dmp  Filesize: 40KB
memory/2548-175-0x00000000003D0000-0x0000000000400000-memory.dmp  Filesize: 192KB
memory/2548-176-0x000000000A830000-0x000000000AE48000-memory.dmp  Filesize: 6.1MB
memory/2548-177-0x000000000A350000-0x000000000A45A000-memory.dmp  Filesize: 1.0MB
memory/2548-178-0x000000000A290000-0x000000000A2A2000-memory.dmp  Filesize: 72KB
memory/2548-179-0x0000000004C80000-0x0000000004C90000-memory.dmp  Filesize: 64KB
memory/2548-180-0x000000000A2F0000-0x000000000A32C000-memory.dmp  Filesize: 240KB
memory/2548-182-0x0000000004C80000-0x0000000004C90000-memory.dmp  Filesize: 64KB
memory/2548-183-0x0000000000BB0000-0x0000000000C26000-memory.dmp  Filesize: 472KB
memory/2548-184-0x000000000A110000-0x000000000A1A2000-memory.dmp  Filesize: 584KB
memory/2548-185-0x000000000B500000-0x000000000BAA4000-memory.dmp  Filesize: 5.6MB
memory/2548-186-0x0000000000C30000-0x0000000000C96000-memory.dmp  Filesize: 408KB
memory/2548-187-0x000000000BAB0000-0x000000000BC72000-memory.dmp  Filesize: 1.8MB
memory/2548-188-0x000000000C1B0000-0x000000000C6DC000-memory.dmp  Filesize: 5.2MB
memory/2548-189-0x000000000B410000-0x000000000B460000-memory.dmp  Filesize: 320KB