Overview

overview

10

Static

static

3

07118299.exe

windows7-x64

10

07118299.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2023, 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07118299.exe

  • Size

    585KB

  • MD5

    bb4539edbb8fa9c890cc49978383414d

  • SHA1

    61a759e91f6cdeacffbb1cab32e692b7075efaa8

  • SHA256

    3c785e270042f3778b2321d0be981e2252fbe5dc55109b38b66a6e5c1418e204

  • SHA512

    8e54826a8fccdb64714bff359ae9223dadb00cfb5de15456e6a15c66d1a16faa9dee836101527ca8fe7f5e1e714c77e776bcb377466951207ca51ba546745fa5

  • SSDEEP

    12288:TMrqy90Z037vhyfXuO8v59X22y+MXZejR1EQP/eq64aNZa:lyYy6uD/ZMp2EeeDVa

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07118299.exe
    "C:\Users\Admin\AppData\Local\Temp\07118299.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3644
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Filesize

    377KB

    MD5

    04c913636eef8e009b67a6471aceb1cc

    SHA1

    50c666e0fc32181e3673352451e67167aa15632a

    SHA256

    bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

    SHA512

    3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Filesize

    377KB

    MD5

    04c913636eef8e009b67a6471aceb1cc

    SHA1

    50c666e0fc32181e3673352451e67167aa15632a

    SHA256

    bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

    SHA512

    3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    Filesize

    206KB

    MD5

    141cac089e26c4f0c69e0d7e512f7be1

    SHA1

    5509723287d89cfbbdd084d6480f8f7c962f2e47

    SHA256

    45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

    SHA512

    35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    Filesize

    206KB

    MD5

    141cac089e26c4f0c69e0d7e512f7be1

    SHA1

    5509723287d89cfbbdd084d6480f8f7c962f2e47

    SHA256

    45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

    SHA512

    35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
    Filesize

    13KB

    MD5

    2729520af0a8af272be9fa9a08374fed

    SHA1

    287f245bc42c5672947f9be216934c3193ff20fd

    SHA256

    5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

    SHA512

    eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
    Filesize

    13KB

    MD5

    2729520af0a8af272be9fa9a08374fed

    SHA1

    287f245bc42c5672947f9be216934c3193ff20fd

    SHA256

    5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

    SHA512

    eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
    Filesize

    172KB

    MD5

    9ee6e7a9103170f2f829a497879dec4d

    SHA1

    1013f962d3071a62ef343cb8d93888264d528d64

    SHA256

    77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

    SHA512

    60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
    Filesize

    172KB

    MD5

    9ee6e7a9103170f2f829a497879dec4d

    SHA1

    1013f962d3071a62ef343cb8d93888264d528d64

    SHA256

    77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

    SHA512

    60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

    Download Submit

  • memory/3644-154-0x0000000000D60000-0x0000000000D6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3832-160-0x000000000A930000-0x000000000AF48000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3832-166-0x000000000AFF0000-0x000000000B082000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3832-161-0x000000000A4A0000-0x000000000A5AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3832-162-0x000000000A3E0000-0x000000000A3F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3832-163-0x000000000A440000-0x000000000A47C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3832-164-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3832-165-0x000000000A750000-0x000000000A7C6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3832-159-0x0000000000520000-0x0000000000550000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3832-167-0x000000000B640000-0x000000000BBE4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3832-168-0x000000000B090000-0x000000000B0F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3832-169-0x0000000004D00000-0x0000000004D10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3832-170-0x000000000B5A0000-0x000000000B5F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3832-171-0x000000000BDC0000-0x000000000BF82000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3832-172-0x000000000C4C0000-0x000000000C9EC000-memory.dmp

    Filesize

    5.2MB

    Download