Analysis
max time kernel: 135s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06/06/2023, 11:40 UTC
Static task: static1
Behavioral task: behavioral1 (Sample 07118299.exe, Resource win7-20230220-en)
Behavioral task: behavioral2 (Sample 07118299.exe, Resource win10v2004-20230220-en)
General
Target: 07118299.exe
Size: 585KB
MD5: bb4539edbb8fa9c890cc49978383414d
SHA1: 61a759e91f6cdeacffbb1cab32e692b7075efaa8
SHA256: 3c785e270042f3778b2321d0be981e2252fbe5dc55109b38b66a6e5c1418e204
SHA512: 8e54826a8fccdb64714bff359ae9223dadb00cfb5de15456e6a15c66d1a16faa9dee836101527ca8fe7f5e1e714c77e776bcb377466951207ca51ba546745fa5
SSDEEP: 12288:TMrqy90Z037vhyfXuO8v59X22y+MXZejR1EQP/eq64aNZa:lyYy6uD/ZMp2EeeDVa
Malware Config
Extracted
Family: redline
Botnet: diza
C2: 83.97.73.126:19048
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures

Modifies Windows Defender Real-time Protection settings
description      ioc                                                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"         k4225289.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     k4225289.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"     k4225289.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   k4225289.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                     k4225289.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     k4225289.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 4 IoCs
pid   Process
1224  y0826039.exe
836   y1856327.exe
1668  k4225289.exe
928   l4429849.exe
Loads dropped DLL 7 IoCs
pid   Process
1696  07118299.exe
1224  y0826039.exe
1224  y0826039.exe
836   y1856327.exe
836   y1856327.exe
836   y1856327.exe
928   l4429849.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description      ioc                                                                                   Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features                        k4225289.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  k4225289.exe
Adds Run key to start application 2 TTPs 6 IoCs
description      ioc                                                                                                                                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  y1856327.exe
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                       07118299.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  07118299.exe
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                       y0826039.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  y0826039.exe
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                       y1856327.exe
Note: the wextract_cleanup<N> RunOnce values are the standard cleanup entries written by the IExpress/wextract self-extractor (advpack.dll DelNodeRunDLL32 deletes the IXP<N>.TMP directory at next logon); they indicate nested self-extracting archives rather than persistence of the payload itself.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 12 IoCs
pid   Process
1668  k4225289.exe
1668  k4225289.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
928   l4429849.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid   Process
Token: SeDebugPrivilege   1668  k4225289.exe
Token: SeDebugPrivilege   928   l4429849.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process       procid_target  events
PID 1696 wrote to memory of 1224   1696  07118299.exe  26             7
PID 1224 wrote to memory of 836    1224  y0826039.exe  27             7
PID 836 wrote to memory of 1668    836   y1856327.exe  28             7
PID 836 wrote to memory of 928     836   y1856327.exe  29             7
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\07118299.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07118299.exe"
  PID: 1696
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    PID: 1224
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
      PID: 836
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
        PID: 1668
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
        PID: 928
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Network
- No results found
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 377KB
MD5: 04c913636eef8e009b67a6471aceb1cc
SHA1: 50c666e0fc32181e3673352451e67167aa15632a
SHA256: bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d
SHA512: 3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

Filesize: 206KB
MD5: 141cac089e26c4f0c69e0d7e512f7be1
SHA1: 5509723287d89cfbbdd084d6480f8f7c962f2e47
SHA256: 45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82
SHA512: 35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

Filesize: 13KB
MD5: 2729520af0a8af272be9fa9a08374fed
SHA1: 287f245bc42c5672947f9be216934c3193ff20fd
SHA256: 5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7
SHA512: eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

Filesize: 172KB
MD5: 9ee6e7a9103170f2f829a497879dec4d
SHA1: 1013f962d3071a62ef343cb8d93888264d528d64
SHA256: 77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39
SHA512: 60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4