Overview

overview

10

Static

static

3

02133799.exe

windows7-x64

10

02133799.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02133799.exe

  • Size

    738KB

  • MD5

    a842c3030b6492acf30649181f693ae9

  • SHA1

    21207d067d18b6b506095dd4c40e19877974fe92

  • SHA256

    139ca9693042d296a5fe37457aa0e8968113545705ea9d332b6b94abc8332fbd

  • SHA512

    2d5d9f77ad35d8311a51ae101cc93126c279c5c18d87bae98641446544843399cc7a262d65bd007f6fff253ded25ba8cd4d5f5b554049cc63b7180ff57f79a89

  • SSDEEP

    12288:0Mrly90/CoIST5ws7rZH26GaS4umKAng5Zod475flqrqv2pniQAOATlzr9TPdILq:pyuCoIEZ7SHuKKg5ZoudqrvtkrhPdUkp

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02133799.exe
    "C:\Users\Admin\AppData\Local\Temp\02133799.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:988
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1684
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 152
              6⤵
              • Program crash
              PID:812
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 988 -ip 988
    1⤵
      PID:3240

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
      Filesize

      531KB

      MD5

      681c953b6697f7d0d12d8e9a9000dd75

      SHA1

      c6d4226ba2c7cf593784a1345ea4aca119111600

      SHA256

      4cac048a4135e96ee648771e062af6b914b5f10366c21b7b4060b2d639f52949

      SHA512

      b610886df0ec53f7c817dc7e277b072674ee274f52e14199ac296cb75f787224b1118e7184a335442006e7f0464152b1bcfe98190323aa2f05142357205f4c06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7832569.exe
      Filesize

      531KB

      MD5

      681c953b6697f7d0d12d8e9a9000dd75

      SHA1

      c6d4226ba2c7cf593784a1345ea4aca119111600

      SHA256

      4cac048a4135e96ee648771e062af6b914b5f10366c21b7b4060b2d639f52949

      SHA512

      b610886df0ec53f7c817dc7e277b072674ee274f52e14199ac296cb75f787224b1118e7184a335442006e7f0464152b1bcfe98190323aa2f05142357205f4c06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
      Filesize

      358KB

      MD5

      bfbf64de79ae372969f68a382459b71c

      SHA1

      59bb7df697aa7377e21f1182f929632935a91e13

      SHA256

      1b10574b60047b0ced3d5358445461a0fd4485e881cf9c36e55f368fad2b75f1

      SHA512

      2f24754d0a364020e4fecfb7ac7fc808c27f0382aa7d047769586d2033a81f52eefd23ce0092e3a7d04b4f9860dad13272a13b67119d662947b1f028eac8a07a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0189919.exe
      Filesize

      358KB

      MD5

      bfbf64de79ae372969f68a382459b71c

      SHA1

      59bb7df697aa7377e21f1182f929632935a91e13

      SHA256

      1b10574b60047b0ced3d5358445461a0fd4485e881cf9c36e55f368fad2b75f1

      SHA512

      2f24754d0a364020e4fecfb7ac7fc808c27f0382aa7d047769586d2033a81f52eefd23ce0092e3a7d04b4f9860dad13272a13b67119d662947b1f028eac8a07a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
      Filesize

      172KB

      MD5

      fd8c055d23d598045b715fedcf1ad75b

      SHA1

      308253fd658c247cbed17822800e0e16b7be380b

      SHA256

      34cfc8b250e005cd66aaa94b61cd17843b5226372e59f11720995fafda76beca

      SHA512

      1bb2d601dfba09963de6119b75d8e8cd071a534d002884d0e9e5c6992cd814dc36ed97a3dc6f9ab91b3e44e9cd2c4414c12abfc554678c310c3df37a138210e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8442695.exe
      Filesize

      172KB

      MD5

      fd8c055d23d598045b715fedcf1ad75b

      SHA1

      308253fd658c247cbed17822800e0e16b7be380b

      SHA256

      34cfc8b250e005cd66aaa94b61cd17843b5226372e59f11720995fafda76beca

      SHA512

      1bb2d601dfba09963de6119b75d8e8cd071a534d002884d0e9e5c6992cd814dc36ed97a3dc6f9ab91b3e44e9cd2c4414c12abfc554678c310c3df37a138210e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
      Filesize

      203KB

      MD5

      317e6c303cee6e17b54001d6d9ac6b72

      SHA1

      04904de50c646dc1476dbb28869a8f56ff89b1df

      SHA256

      3e7c041b1b078d774ab9a4d47e09fd7ea058111e49d273daabe997758d78e32b

      SHA512

      36544a4333069b5dd3586c91898bd05852239ab8a9f14fb999918ff9046c947b88f2c738d46676f6732a5f292e91c14d37ce59baab5f9b502bb442d59c20ce2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0295850.exe
      Filesize

      203KB

      MD5

      317e6c303cee6e17b54001d6d9ac6b72

      SHA1

      04904de50c646dc1476dbb28869a8f56ff89b1df

      SHA256

      3e7c041b1b078d774ab9a4d47e09fd7ea058111e49d273daabe997758d78e32b

      SHA512

      36544a4333069b5dd3586c91898bd05852239ab8a9f14fb999918ff9046c947b88f2c738d46676f6732a5f292e91c14d37ce59baab5f9b502bb442d59c20ce2a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
      Filesize

      13KB

      MD5

      b4d1df44bc2a04fcdc2071f6054c5b09

      SHA1

      4c07635f36ea55d7207f492c56af89db48742280

      SHA256

      6a479432c044dc6a35133655df9ae402ab0a282a80e96f44118e9979c418184b

      SHA512

      55710af73eaef6cd40b82d301f1b0e6b950ce79aa147eeaeaf95a4af2187641118a0d57a70912cbb5dbdb6aec9a8aa9e8345ffd13a0054dc1f9fcb27ebdde7a9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1858299.exe
      Filesize

      13KB

      MD5

      b4d1df44bc2a04fcdc2071f6054c5b09

      SHA1

      4c07635f36ea55d7207f492c56af89db48742280

      SHA256

      6a479432c044dc6a35133655df9ae402ab0a282a80e96f44118e9979c418184b

      SHA512

      55710af73eaef6cd40b82d301f1b0e6b950ce79aa147eeaeaf95a4af2187641118a0d57a70912cbb5dbdb6aec9a8aa9e8345ffd13a0054dc1f9fcb27ebdde7a9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
      Filesize

      120KB

      MD5

      a2d4bad81bc942e91663f23e4bfac242

      SHA1

      292c77a990956df6fcb6646255728bdf4078976b

      SHA256

      2d9606207c27c78a12ad768c69274f5c92bd899a552f488adf37294afb9065e5

      SHA512

      dae14995dec7b7df463d892e644f95b15935d2da0056b1d32d49051472e20d575ef2d4f1c43af4609b80cf37032308e0c819e824895e6151db1466079f9f4f53

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6175107.exe
      Filesize

      120KB

      MD5

      a2d4bad81bc942e91663f23e4bfac242

      SHA1

      292c77a990956df6fcb6646255728bdf4078976b

      SHA256

      2d9606207c27c78a12ad768c69274f5c92bd899a552f488adf37294afb9065e5

      SHA512

      dae14995dec7b7df463d892e644f95b15935d2da0056b1d32d49051472e20d575ef2d4f1c43af4609b80cf37032308e0c819e824895e6151db1466079f9f4f53

      Download Submit
    • memory/720-175-0x00000000007C0000-0x00000000007F0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/720-180-0x000000000A5A0000-0x000000000A5DC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/720-189-0x000000000C720000-0x000000000CC4C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/720-176-0x000000000AAB0000-0x000000000B0C8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/720-177-0x000000000A600000-0x000000000A70A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/720-178-0x000000000A540000-0x000000000A552000-memory.dmp
      Filesize

      72KB

      Download
    • memory/720-179-0x0000000005100000-0x0000000005110000-memory.dmp
      Filesize

      64KB

      Download
    • memory/720-188-0x000000000C020000-0x000000000C1E2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/720-182-0x0000000005100000-0x0000000005110000-memory.dmp
      Filesize

      64KB

      Download
    • memory/720-183-0x000000000B1D0000-0x000000000B246000-memory.dmp
      Filesize

      472KB

      Download
    • memory/720-184-0x000000000B250000-0x000000000B2E2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/720-185-0x000000000B8A0000-0x000000000BE44000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/720-186-0x000000000B3F0000-0x000000000B456000-memory.dmp
      Filesize

      408KB

      Download
    • memory/720-187-0x000000000B720000-0x000000000B770000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1568-161-0x0000000000EE0000-0x0000000000EEA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1684-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download