Overview

overview

10

Static

static

3

01617599.exe

windows7-x64

10

01617599.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01617599.exe

  • Size

    735KB

  • MD5

    57e9a2f139811a7d7c681a5f6498bdc6

  • SHA1

    db8f3271f5d9d7b762c1ccd9621c46e40c7c8be3

  • SHA256

    f979c3ad640974fa3e5b64bcb9cb9c02d61476b8b1855930dfdea45f879059c4

  • SHA512

    df16a534d1fa2a9ddd0240b038891f990fbfe5a61e87ad00669c46566ffc3c6e826890da2954213d2733059a3b2435a3ae6ddf15e79168edab02037c8b279c7b

  • SSDEEP

    12288:nMrgy905eUFEETWFOh6njyM7VTNYd4I8tHP2znIRyX3c9zg0G1IVN6KI:vy+i3WMxTNYSjlUTX3ce0LTI

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01617599.exe
    "C:\Users\Admin\AppData\Local\Temp\01617599.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1132758.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1132758.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1273129.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1273129.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5683016.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5683016.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5375617.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5375617.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4680
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2049210.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2049210.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4980
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:436
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 152
              6⤵
              • Program crash
              PID:1624
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4189397.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4189397.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4980 -ip 4980
    1⤵
      PID:2344

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1132758.exe
      Filesize

      532KB

      MD5

      a66457c197433fd924f3772a19317778

      SHA1

      af03349e2d3fe075d68415ca04fc75ca543b1a8b

      SHA256

      ca82a9197f35e6c276c2d3878f982df03bbe2b93eb4ba9607f924741dde4a091

      SHA512

      23b0bb3df9c26db0bbb18151eb0bc224a7c6e1a6dff7ad7d76b9179797cd0e0c662a08c750a941759e3887bde939de9c3a5640ae20bc22230ccefdf1413f992d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1132758.exe
      Filesize

      532KB

      MD5

      a66457c197433fd924f3772a19317778

      SHA1

      af03349e2d3fe075d68415ca04fc75ca543b1a8b

      SHA256

      ca82a9197f35e6c276c2d3878f982df03bbe2b93eb4ba9607f924741dde4a091

      SHA512

      23b0bb3df9c26db0bbb18151eb0bc224a7c6e1a6dff7ad7d76b9179797cd0e0c662a08c750a941759e3887bde939de9c3a5640ae20bc22230ccefdf1413f992d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1273129.exe
      Filesize

      359KB

      MD5

      2cd02464adebffc760345e84d163c0e4

      SHA1

      75eaff25dbba4ee0aea1bfcf4631ee5cf3bc3a9e

      SHA256

      bc2ecff2590011ba7c2a6f042c0a2222a45d41c258ad2c3aeefc3487315565b4

      SHA512

      96060dedec69e741137394175f8e688bb64304d45865bc7667e0537b9b63bd47fc4a1390034aa1045a4c63be3e656ceefcb07b3566fa83f72e701641343f45ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1273129.exe
      Filesize

      359KB

      MD5

      2cd02464adebffc760345e84d163c0e4

      SHA1

      75eaff25dbba4ee0aea1bfcf4631ee5cf3bc3a9e

      SHA256

      bc2ecff2590011ba7c2a6f042c0a2222a45d41c258ad2c3aeefc3487315565b4

      SHA512

      96060dedec69e741137394175f8e688bb64304d45865bc7667e0537b9b63bd47fc4a1390034aa1045a4c63be3e656ceefcb07b3566fa83f72e701641343f45ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4189397.exe
      Filesize

      172KB

      MD5

      23f206b50f60690a383ce7a0f51556ea

      SHA1

      27935a3a0f8eab965d69303c4301afaf7883cf05

      SHA256

      e8ccfd769c0767b0b990515cd118bb79c6b604ff5b17363aeb0aa4461b5fcc0f

      SHA512

      4cf99256bb08873be8329d5dcd3ca3950d708f64b3f69ae58562c70e6b217e561afc0ff4e1f74db99cfed4cc06caed90354f94c1b8edf2a7935d931b7dfeb046

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4189397.exe
      Filesize

      172KB

      MD5

      23f206b50f60690a383ce7a0f51556ea

      SHA1

      27935a3a0f8eab965d69303c4301afaf7883cf05

      SHA256

      e8ccfd769c0767b0b990515cd118bb79c6b604ff5b17363aeb0aa4461b5fcc0f

      SHA512

      4cf99256bb08873be8329d5dcd3ca3950d708f64b3f69ae58562c70e6b217e561afc0ff4e1f74db99cfed4cc06caed90354f94c1b8edf2a7935d931b7dfeb046

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5683016.exe
      Filesize

      204KB

      MD5

      1cc216115031acff5f95ba5ae5ede605

      SHA1

      5f785e24ba8a6c206f583545ae683466e3d63e57

      SHA256

      099dd80c4e3be2096a5f013289136d746396cc3ffaee17a056aea9a1459c443d

      SHA512

      c9620c0aaf7cb755c12462fca0cfb70985d34524ed0fdc9e37cf3cc256b71502823be31a20f680f3142a95406102e8ea377289dccaf1ee7ff676a4dd5c24e509

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5683016.exe
      Filesize

      204KB

      MD5

      1cc216115031acff5f95ba5ae5ede605

      SHA1

      5f785e24ba8a6c206f583545ae683466e3d63e57

      SHA256

      099dd80c4e3be2096a5f013289136d746396cc3ffaee17a056aea9a1459c443d

      SHA512

      c9620c0aaf7cb755c12462fca0cfb70985d34524ed0fdc9e37cf3cc256b71502823be31a20f680f3142a95406102e8ea377289dccaf1ee7ff676a4dd5c24e509

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5375617.exe
      Filesize

      13KB

      MD5

      6a5f8d8d67730a5d20c4306d53f66ca2

      SHA1

      5645f127049ef4ced9469724117609938fd250c7

      SHA256

      34c237a06d81f1b41dc499a791ea9b41c8e75ddac46247337bf114af256a3a47

      SHA512

      068efc44ec09af899f6646813d8ac4cbb4ca426980f671cbd8791daeed9855d6a54f6f9689bbe0d6aa3cc2cd2632179ba18dcbde6f7eaba869d2d883e7cb18bf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5375617.exe
      Filesize

      13KB

      MD5

      6a5f8d8d67730a5d20c4306d53f66ca2

      SHA1

      5645f127049ef4ced9469724117609938fd250c7

      SHA256

      34c237a06d81f1b41dc499a791ea9b41c8e75ddac46247337bf114af256a3a47

      SHA512

      068efc44ec09af899f6646813d8ac4cbb4ca426980f671cbd8791daeed9855d6a54f6f9689bbe0d6aa3cc2cd2632179ba18dcbde6f7eaba869d2d883e7cb18bf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2049210.exe
      Filesize

      120KB

      MD5

      765ac1e3c70538f9d7b7f48fc7d79bcf

      SHA1

      d78dcb51efb38d5baae2f701a273b6e49d093384

      SHA256

      09a709644e41207462c99bdc1c75e7ff33530d3796ae9a46dbf948b786d23377

      SHA512

      416d04e4137399287b3d56d042f4753d145baa2aa33242f49476bcd7ae6a603b9f30a72c01a5832583b66e6cc52f6212b27f399a1c0bae80abbb6cda789bc68a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2049210.exe
      Filesize

      120KB

      MD5

      765ac1e3c70538f9d7b7f48fc7d79bcf

      SHA1

      d78dcb51efb38d5baae2f701a273b6e49d093384

      SHA256

      09a709644e41207462c99bdc1c75e7ff33530d3796ae9a46dbf948b786d23377

      SHA512

      416d04e4137399287b3d56d042f4753d145baa2aa33242f49476bcd7ae6a603b9f30a72c01a5832583b66e6cc52f6212b27f399a1c0bae80abbb6cda789bc68a

      Download Submit
    • memory/436-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4592-175-0x00000000007F0000-0x0000000000820000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4592-181-0x000000000A8E0000-0x000000000A956000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4592-176-0x000000000AAB0000-0x000000000B0C8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4592-177-0x000000000A630000-0x000000000A73A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4592-178-0x000000000A570000-0x000000000A582000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4592-179-0x000000000A5D0000-0x000000000A60C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4592-180-0x00000000050E0000-0x00000000050F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4592-189-0x00000000050E0000-0x00000000050F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4592-182-0x000000000AA00000-0x000000000AA92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4592-183-0x000000000B680000-0x000000000BC24000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4592-184-0x000000000B1D0000-0x000000000B236000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4592-186-0x000000000BC30000-0x000000000BC80000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4592-187-0x000000000BE50000-0x000000000C012000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4592-188-0x000000000C550000-0x000000000CA7C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4680-161-0x0000000000EB0000-0x0000000000EBA000-memory.dmp
      Filesize

      40KB

      Download