Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 11:43
Static task: static1
Behavioral task: behavioral1
  Sample: 09176899.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 09176899.exe
  Resource: win10v2004-20230220-en
General
- Target: 09176899.exe
- Size: 738KB
- MD5: 7d6d01b7c3df47a2a39be56193817755
- SHA1: 7e9ca287926b479f1f8eae2e3868dbad49536e51
- SHA256: fd15974ecf3a2d60fdfd573d4cd2d77022ef0616b627a7288eef94c7457cf61a
- SHA512: ec806cf71621ae75927e4199a8be3c366adf311a5d65071101c73881c6a1d990fc72a021fbdb30e9a7984d503245ee29166591fc17c49372cb9c3d12d085e2d0
- SSDEEP: 12288:ZMrYy90L8oZeYoRGMwo3D8gvLrYw2Api257LxV8GUBD1jeIOQ4NYjRu+R:pya8ouE03pvLrYVq/eGID16I10+R
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings (12 IoCs)
Processes: a1183090.exe, AppLaunch.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1183090.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1183090.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (6 IoCs)
Processes: v1934255.exe, v1811017.exe, v6061350.exe, a1183090.exe, b9439976.exe, c9037711.exe
pid | process
5032 | v1934255.exe
4716 | v1811017.exe
3144 | v6061350.exe
1388 | a1183090.exe
4932 | b9439976.exe
2300 | c9037711.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (1 IoCs)
Processes: a1183090.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1183090.exe
-
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: v1934255.exe, v1811017.exe, v6061350.exe, 09176899.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1934255.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1934255.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1811017.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v1811017.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6061350.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6061350.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 09176899.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 09176899.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: b9439976.exe
description | pid | process | target process
PID 4932 set thread context of 4760 | 4932 | b9439976.exe | AppLaunch.exe
-
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
5040 | 4932 | WerFault.exe | b9439976.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: a1183090.exe, AppLaunch.exe, c9037711.exe
pid | process
1388 | a1183090.exe
1388 | a1183090.exe
4760 | AppLaunch.exe
4760 | AppLaunch.exe
2300 | c9037711.exe
2300 | c9037711.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: a1183090.exe, AppLaunch.exe, c9037711.exe
description | pid | process
Token: SeDebugPrivilege | 1388 | a1183090.exe
Token: SeDebugPrivilege | 4760 | AppLaunch.exe
Token: SeDebugPrivilege | 2300 | c9037711.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 09176899.exe, v1934255.exe, v1811017.exe, v6061350.exe, b9439976.exe
description | pid | process | target process
PID 3596 wrote to memory of 5032 | 3596 | 09176899.exe | v1934255.exe
PID 3596 wrote to memory of 5032 | 3596 | 09176899.exe | v1934255.exe
PID 3596 wrote to memory of 5032 | 3596 | 09176899.exe | v1934255.exe
PID 5032 wrote to memory of 4716 | 5032 | v1934255.exe | v1811017.exe
PID 5032 wrote to memory of 4716 | 5032 | v1934255.exe | v1811017.exe
PID 5032 wrote to memory of 4716 | 5032 | v1934255.exe | v1811017.exe
PID 4716 wrote to memory of 3144 | 4716 | v1811017.exe | v6061350.exe
PID 4716 wrote to memory of 3144 | 4716 | v1811017.exe | v6061350.exe
PID 4716 wrote to memory of 3144 | 4716 | v1811017.exe | v6061350.exe
PID 3144 wrote to memory of 1388 | 3144 | v6061350.exe | a1183090.exe
PID 3144 wrote to memory of 1388 | 3144 | v6061350.exe | a1183090.exe
PID 3144 wrote to memory of 4932 | 3144 | v6061350.exe | b9439976.exe
PID 3144 wrote to memory of 4932 | 3144 | v6061350.exe | b9439976.exe
PID 3144 wrote to memory of 4932 | 3144 | v6061350.exe | b9439976.exe
PID 4932 wrote to memory of 4760 | 4932 | b9439976.exe | AppLaunch.exe
PID 4932 wrote to memory of 4760 | 4932 | b9439976.exe | AppLaunch.exe
PID 4932 wrote to memory of 4760 | 4932 | b9439976.exe | AppLaunch.exe
PID 4932 wrote to memory of 4760 | 4932 | b9439976.exe | AppLaunch.exe
PID 4932 wrote to memory of 4760 | 4932 | b9439976.exe | AppLaunch.exe
PID 4716 wrote to memory of 2300 | 4716 | v1811017.exe | c9037711.exe
PID 4716 wrote to memory of 2300 | 4716 | v1811017.exe | c9037711.exe
PID 4716 wrote to memory of 2300 | 4716 | v1811017.exe | c9037711.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\09176899.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09176899.exe"
  Tree depth: 1
  PID: 3596
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
  Tree depth: 2
  PID: 5032
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
  Tree depth: 3
  PID: 4716
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
  Tree depth: 4
  PID: 3144
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
  Tree depth: 5
  PID: 1388
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
  Tree depth: 5
  PID: 4932
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  Tree depth: 6
  PID: 4760
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 140
  Tree depth: 6
  PID: 5040
  - Program crash
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
  Tree depth: 4
  PID: 2300
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4932 -ip 4932
  Tree depth: 1
  PID: 4596
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1934255.exe
  Filesize: 531KB
  MD5: e38542dbc634e1c9cc932901142166c8
  SHA1: 924db07c74addd4d3efac85491f29b66545d0e43
  SHA256: 2a7d4cf9010bee1a75e7378ab03365bc5a1550f4bb8a5a11ef767c423e6f373b
  SHA512: d7dc5e291d6fb25cee9b63dca3c42d27425afc35d8062404a9ce06793c31d89efd83e63a0948f73cd73fad3fba7603bbbb06601e5feb501d90bc11830e33ff52
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1811017.exe
  Filesize: 359KB
  MD5: 013fd9ff7f426d4d7e4edff0aa363669
  SHA1: 7f53a5a5462748cdcbfaf8a7a8a064444d6969b1
  SHA256: ab0857d7e28d001e47b9960ef249b084873ad2add5f71bff19a94ce990fe77af
  SHA512: 38706aa58f232f60bfd5ba9c9fef2a6ba4933464d403a0e28d448bd03a5965185b6094799823375fed533f310a41f11b5de1375254c221a7e465790a1e4865e3
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9037711.exe
  Filesize: 172KB
  MD5: ebdf0f9c5cb81a62ce9c7347ba1fc812
  SHA1: 5b84fc80114b912057b45a50134cc23e983238db
  SHA256: f05bea1fdd45456e5140492a2cc1855d8ef8b4bcc0105f1b80baa60f8c73e9e9
  SHA512: aed76b52509676eac8b2d99d9054ab8febd510af08472b0fca4f93bf408b955ba2b155f21a6742b533d35a43732227046f36f79b0c7503055f4b56ebea356453
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6061350.exe
  Filesize: 204KB
  MD5: 12c77008c7e8d7bd9cca8f1205258da3
  SHA1: 75bf95fb3df76edeec28d421f034cfce60b42dee
  SHA256: 09d20c3d61899b2d4bf62acfdb0ad4a4e0236cc928c8903a8ad35b35b87543e5
  SHA512: e5048c3ceddfac254a7359951291f4c4d5074edfc79be03daa7c73c06dadd78b52c09a846f61236fc8716cb762f16b45f768f252f3dc293d2c55b0938725d0de
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1183090.exe
  Filesize: 13KB
  MD5: cf639a22ff6a665c3a8adc3c9a2a2818
  SHA1: fd4c929c1e1e21d805a3a773072481fbf065f8c8
  SHA256: ac85bb2291afe96a0f8aedc7a6898481da3af0ab083d3877d6b0c2c22209339f
  SHA512: 0896751b8efd55b27cf83d0ed0796528e5bd4e1e4f25e25a48cd724ad391289f360ceb86b0706b0da67aeb0f20b40b747b714ef5ac7af79c642d39e155bd77e7
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9439976.exe
  Filesize: 120KB
  MD5: 5a9682af2a44eb7b2fe84b5804e3d1cd
  SHA1: d6d15f9193baff6148ea83e7580f4f84e35902ae
  SHA256: 35c918845b44d2cf746b5cd94a115fd4848dc811cd596c8ac03d06ce40947854
  SHA512: 436978dc35a29864d8d2a7a02d12af69e37054855ccf017585121ad3e2c64fef71946213397f0eefc294c12e1b849b31f772cad5fbe9612c0b0413d344947057
- memory/1388-161-0x00000000008A0000-0x00000000008AA000-memory.dmp
  Filesize: 40KB
- memory/2300-175-0x0000000000D50000-0x0000000000D80000-memory.dmp
  Filesize: 192KB
- memory/2300-182-0x0000000005620000-0x0000000005630000-memory.dmp
  Filesize: 64KB
- memory/2300-176-0x000000000B0D0000-0x000000000B6E8000-memory.dmp
  Filesize: 6.1MB
- memory/2300-177-0x000000000ABC0000-0x000000000ACCA000-memory.dmp
  Filesize: 1.0MB
- memory/2300-178-0x000000000AAD0000-0x000000000AAE2000-memory.dmp
  Filesize: 72KB
- memory/2300-179-0x000000000AB30000-0x000000000AB6C000-memory.dmp
  Filesize: 240KB
- memory/2300-180-0x0000000005620000-0x0000000005630000-memory.dmp
  Filesize: 64KB
- memory/2300-189-0x000000000CD20000-0x000000000D24C000-memory.dmp
  Filesize: 5.2MB
- memory/2300-183-0x000000000B800000-0x000000000B876000-memory.dmp
  Filesize: 472KB
- memory/2300-184-0x000000000B920000-0x000000000B9B2000-memory.dmp
  Filesize: 584KB
- memory/2300-185-0x000000000B880000-0x000000000B8E6000-memory.dmp
  Filesize: 408KB
- memory/2300-186-0x000000000C070000-0x000000000C614000-memory.dmp
  Filesize: 5.6MB
- memory/2300-187-0x000000000BCA0000-0x000000000BCF0000-memory.dmp
  Filesize: 320KB
- memory/2300-188-0x000000000C620000-0x000000000C7E2000-memory.dmp
  Filesize: 1.8MB
- memory/4760-167-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB