Overview

overview

10

Static

static

3

02092399.exe

windows7-x64

10

02092399.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02092399.exe

  • Size

    739KB

  • MD5

    06175aac59bea0835a3e7ae09f14487f

  • SHA1

    1faf1010c7555edda759bd414d17764f2263bd3c

  • SHA256

    104d35b73948ce44867e406b874f6dba72c7d01a5bf0f296f470f8d076247bf8

  • SHA512

    e44fba882fcab750235b1ce0a4beeb4862239be1ca3241b6cc4499d75c7e64997b8120e975a8fad7e52f77ed7557ee2eaf712ac19b7a4f845f8d792b8c7ddaf1

  • SSDEEP

    12288:HMrDy90ptej0fd+/KpjQzqYcTL447fgdNRZ6APGyS+3BMkL1V8R2piNqm:My2s0fo/Kpj3TL4GfKRZ6tzkL12RqiNp

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02092399.exe
    "C:\Users\Admin\AppData\Local\Temp\02092399.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1551926.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1551926.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8709820.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8709820.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8664465.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8664465.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4468
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7622483.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7622483.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5175321.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5175321.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3032
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 204
              6⤵
              • Program crash
              PID:4708
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5398723.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5398723.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4900 -ip 4900
    1⤵
      PID:3656

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1551926.exe
      Filesize

      532KB

      MD5

      220b4bd402d58f888d713ad40aa6908a

      SHA1

      8059f4cd911c5fa321db5986f1629128f0766181

      SHA256

      5b66352760e0ec19a84c6aa0085e3bbdcd333c29b090865296ca9229026fb692

      SHA512

      2d2ab5859330563f0cf614aaaf74fa35904eb7768623785fa92105eab7d5e3e62f6c24efbdb99b9fddc465a62a673bb61bf8d7df146eff8b9c3b62d273d645ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1551926.exe
      Filesize

      532KB

      MD5

      220b4bd402d58f888d713ad40aa6908a

      SHA1

      8059f4cd911c5fa321db5986f1629128f0766181

      SHA256

      5b66352760e0ec19a84c6aa0085e3bbdcd333c29b090865296ca9229026fb692

      SHA512

      2d2ab5859330563f0cf614aaaf74fa35904eb7768623785fa92105eab7d5e3e62f6c24efbdb99b9fddc465a62a673bb61bf8d7df146eff8b9c3b62d273d645ac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8709820.exe
      Filesize

      359KB

      MD5

      0639a63da76133774b5cc41d044c06ce

      SHA1

      6bfcaf320d640bac98f400ce43ec09f7293b0b16

      SHA256

      cd1b2e8c7a73ee936d7def07d5b7f94ad7f3db15c22148b8eb2488b31972e687

      SHA512

      cf37b57ea7b8460feda6f7c8411ba386575b70fde0ad8029acb35c2c71450ec272df718b02497de9b12c29f13ae3e637d2e8ddca17e0100dc5109a2585db16f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8709820.exe
      Filesize

      359KB

      MD5

      0639a63da76133774b5cc41d044c06ce

      SHA1

      6bfcaf320d640bac98f400ce43ec09f7293b0b16

      SHA256

      cd1b2e8c7a73ee936d7def07d5b7f94ad7f3db15c22148b8eb2488b31972e687

      SHA512

      cf37b57ea7b8460feda6f7c8411ba386575b70fde0ad8029acb35c2c71450ec272df718b02497de9b12c29f13ae3e637d2e8ddca17e0100dc5109a2585db16f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5398723.exe
      Filesize

      172KB

      MD5

      0f4c1c71f22f9f85ebd8d90642c01567

      SHA1

      34d6ae3d3006cea438c6e2d978fd2871729a7946

      SHA256

      2b0f10f5f3f91fbda216e25f60ad91de4c93171da390ecae94f7db7f8cb956a0

      SHA512

      f976ac7589285c16e3d8a1261035269152091de777c0875589e6b31f39db006dab07a944cf2f712fb4133509546cdf4c92a13ef4e62a59c32efbde53005c0ace

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5398723.exe
      Filesize

      172KB

      MD5

      0f4c1c71f22f9f85ebd8d90642c01567

      SHA1

      34d6ae3d3006cea438c6e2d978fd2871729a7946

      SHA256

      2b0f10f5f3f91fbda216e25f60ad91de4c93171da390ecae94f7db7f8cb956a0

      SHA512

      f976ac7589285c16e3d8a1261035269152091de777c0875589e6b31f39db006dab07a944cf2f712fb4133509546cdf4c92a13ef4e62a59c32efbde53005c0ace

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8664465.exe
      Filesize

      204KB

      MD5

      81914407a65654354a3f9b24a53374ae

      SHA1

      5e24840abdb85910d9c61542fcfade17b68cd70a

      SHA256

      102ef4e445b46bf08f9bc467db19f4de1c080a9bad54bd0a5296d641b60037f0

      SHA512

      f08442e23abe3a5425a47868301d0257ada2fcdd2614357066ed80c8d07df2c436d6eb6f0f07a9fc500553e31377400ef3b090b77757da83438e8370ecc919ed

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8664465.exe
      Filesize

      204KB

      MD5

      81914407a65654354a3f9b24a53374ae

      SHA1

      5e24840abdb85910d9c61542fcfade17b68cd70a

      SHA256

      102ef4e445b46bf08f9bc467db19f4de1c080a9bad54bd0a5296d641b60037f0

      SHA512

      f08442e23abe3a5425a47868301d0257ada2fcdd2614357066ed80c8d07df2c436d6eb6f0f07a9fc500553e31377400ef3b090b77757da83438e8370ecc919ed

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7622483.exe
      Filesize

      13KB

      MD5

      e01af325ea6d5cd8914066931ed5eec9

      SHA1

      1f64458077f93ab84793fd1496604dac95658284

      SHA256

      8b25265a6e5563ae813a36f8d54c12b64311cd6b84cb0926170ecba50d865683

      SHA512

      1c5e5568e746e9aada2e4e78b565952ec4b716047b2542e1ad1fd2546f1eb862b6421b2cb398498f7ba24e28361be2bbfaac4dfb7b957d516df6aa173f4895e8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7622483.exe
      Filesize

      13KB

      MD5

      e01af325ea6d5cd8914066931ed5eec9

      SHA1

      1f64458077f93ab84793fd1496604dac95658284

      SHA256

      8b25265a6e5563ae813a36f8d54c12b64311cd6b84cb0926170ecba50d865683

      SHA512

      1c5e5568e746e9aada2e4e78b565952ec4b716047b2542e1ad1fd2546f1eb862b6421b2cb398498f7ba24e28361be2bbfaac4dfb7b957d516df6aa173f4895e8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5175321.exe
      Filesize

      120KB

      MD5

      25b74c955b26b1368e856316fb69d33c

      SHA1

      c89c503c552a5dcd268153f9ae86522e4684fcc7

      SHA256

      b3e14bf7fcfea3865f0189e17d3563737ef83f115807dddb87ff58773a438d58

      SHA512

      ffee63f7fbb8d139bc3cf0f46d4dfcea7102b6d5960ad9056e9d74344805b2b4eec44ef38cff683bec5e2e76b46a5f487d43a8996666cdd7c64e9bbe0bb3a111

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5175321.exe
      Filesize

      120KB

      MD5

      25b74c955b26b1368e856316fb69d33c

      SHA1

      c89c503c552a5dcd268153f9ae86522e4684fcc7

      SHA256

      b3e14bf7fcfea3865f0189e17d3563737ef83f115807dddb87ff58773a438d58

      SHA512

      ffee63f7fbb8d139bc3cf0f46d4dfcea7102b6d5960ad9056e9d74344805b2b4eec44ef38cff683bec5e2e76b46a5f487d43a8996666cdd7c64e9bbe0bb3a111

      Download Submit
    • memory/348-175-0x0000000000850000-0x0000000000880000-memory.dmp
      Filesize

      192KB

      Download
    • memory/348-180-0x0000000005170000-0x0000000005180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/348-189-0x000000000BA60000-0x000000000BAB0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/348-176-0x000000000AB20000-0x000000000B138000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/348-177-0x000000000A690000-0x000000000A79A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/348-178-0x000000000A5D0000-0x000000000A5E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/348-179-0x000000000A630000-0x000000000A66C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/348-188-0x000000000C610000-0x000000000CB3C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/348-181-0x000000000A940000-0x000000000A9B6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/348-182-0x000000000B1E0000-0x000000000B272000-memory.dmp
      Filesize

      584KB

      Download
    • memory/348-183-0x000000000B140000-0x000000000B1A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/348-184-0x000000000BB30000-0x000000000C0D4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/348-186-0x000000000B890000-0x000000000BA52000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/348-187-0x0000000005170000-0x0000000005180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1500-161-0x00000000008F0000-0x00000000008FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3032-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download