Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 11:43

Static task: static1
Behavioral task: behavioral1
  Sample: 08949199.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 08949199.exe
  Resource: win10v2004-20230220-en
General
Target: 08949199.exe
Size: 740KB
MD5: 9ccd9cc6c2e3fbf4d4b4577c7b207d96
SHA1: 4ec412a532f322f3940c96568a3b3ae56468e54b
SHA256: a3635b054acb399ff8719c53c3503240f582ede2976387331cf87901907993d5
SHA512: a7fe2d496e49af8c562551d0ba3d1e2071ca00b5e4fbccfd66a6b70f2484406939421110782cf4fc5fb1292cfc019b1ff4f3eea37c830bdfc3560a90397b2ba5
SSDEEP: 12288:IMrSy90moG1w368E7A5PJ7BJSm5pXAkWkGrU+FV3/4q1LMTlNJ8mq+e5fB2Z:qyvoewK8Z5PhJQVXrU25LMTxhq+EB2Z
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a6084572.exe, AppLaunch.exe
  a6084572.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  a6084572.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  a6084572.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  a6084572.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  a6084572.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  a6084572.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  AppLaunch.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes (pid, process):
  5088  v0297438.exe
  3532  v6216552.exe
  556   v0346463.exe
  2616  a6084572.exe
  1368  b8281406.exe
  2528  c7682489.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes: a6084572.exe
  a6084572.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 08949199.exe, v0297438.exe, v6216552.exe, v0346463.exe
  08949199.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  08949199.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  v0297438.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  v0297438.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  v6216552.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  v6216552.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  v0346463.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  v0346463.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b8281406.exe
  PID 1368 (b8281406.exe) set thread context of PID 2968 (AppLaunch.exe)
Program crash 1 IoCs
Processes: WerFault.exe
  PID 312 WerFault.exe, target PID 1368 b8281406.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes (pid, process, occurrences):
  2616  a6084572.exe  (2)
  2968  AppLaunch.exe  (2)
  2528  c7682489.exe  (9)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a6084572.exe, AppLaunch.exe, c7682489.exe
  Token: SeDebugPrivilege  2616  a6084572.exe
  Token: SeDebugPrivilege  2968  AppLaunch.exe
  Token: SeDebugPrivilege  2528  c7682489.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 08949199.exe, v0297438.exe, v6216552.exe, v0346463.exe, b8281406.exe
  PID 2276 (08949199.exe) wrote to memory of PID 5088 (v0297438.exe)  (3 events)
  PID 5088 (v0297438.exe) wrote to memory of PID 3532 (v6216552.exe)  (3 events)
  PID 3532 (v6216552.exe) wrote to memory of PID 556 (v0346463.exe)  (3 events)
  PID 556 (v0346463.exe) wrote to memory of PID 2616 (a6084572.exe)  (2 events)
  PID 556 (v0346463.exe) wrote to memory of PID 1368 (b8281406.exe)  (3 events)
  PID 1368 (b8281406.exe) wrote to memory of PID 2968 (AppLaunch.exe)  (5 events)
  PID 3532 (v6216552.exe) wrote to memory of PID 2528 (c7682489.exe)  (3 events)
Processes (tree; indentation shows depth, numbers in brackets are the depth levels from the report)

[1] C:\Users\Admin\AppData\Local\Temp\08949199.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\08949199.exe"
    PID: 2276
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0297438.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0297438.exe
        PID: 5088
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6216552.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6216552.exe
            PID: 3532
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0346463.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0346463.exe
                PID: 556
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6084572.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6084572.exe
                    PID: 2616
                    - Modifies Windows Defender Real-time Protection settings
                    - Executes dropped EXE
                    - Windows security modification
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8281406.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8281406.exe
                    PID: 1368
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        PID: 2968
                        - Modifies Windows Defender Real-time Protection settings
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 140
                        PID: 312
                        - Program crash
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682489.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682489.exe
                PID: 2528
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1368 -ip 1368
    PID: 3740
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0297438.exe
  Filesize: 531KB
  MD5: 812566b6c33e5724fbce4c9fd26ecb75
  SHA1: 2d566a362c1a92e4205e9754796c1de65c38b80a
  SHA256: 3dfecd3a55c02260cd10315b86abe446a57b566ed19d9a8ef621eb9cee9301bc
  SHA512: b4d1875ca125ecc128faa8be55c23578731005fe76fb472605d45cc7c45b9269d2201d4557515e47f6cd22968f4d33e023daccb75cada625342cb10265a346cb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6216552.exe
  Filesize: 359KB
  MD5: 0eca1605ec3093f99f055e0f6dc95d98
  SHA1: 0d59a992d809d10ac09af9df294dc1f492b89ce1
  SHA256: e87778584b21e5e9f578a05eba92ce53721b6f6980c7894da484d474473a07d8
  SHA512: 56c64dbe00b2fdab5950eb1cc409682ae665dccb836b5e398429f3735f4333f95d9a6cb08a6deab981658cde895366a928b605293c3999e007d5b8f410cf1135

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682489.exe
  Filesize: 172KB
  MD5: 98db40fd7b9922b16f0ab64e4af487d8
  SHA1: c7f247901a8f841ccf2a73f7634a695c24a1bb65
  SHA256: 8ebf4085b0d273edb9a51b83c26e25fe0041879b75d46ff0dee73e0678cfdce9
  SHA512: d67b0536fe98892deba5b9a1c2f8f123d8ac57716d305e47ae48d3552fd9d8bf60a39f7a7996f4e31431b7fa7cad9248a32c3ab74ae6c53874486367eb231b49

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0346463.exe
  Filesize: 204KB
  MD5: fb5676b23ad44557a5d289268a6ea461
  SHA1: 1d883ef415c35400f51cb87ba3914e2c85c7838e
  SHA256: 4b8ea8c6d1f68bd37b7954812846e6f5ad851e98d9eb69901320948e3186509b
  SHA512: 628520188558089e91c31d02d67b51fabab2ae1e533ef76f45f3d90a4a3eb2bf4e20aa09c1d7f36e7ec0c418af1270a032c222c11b9ea7ffe6ad14c6d452cc67

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6084572.exe
  Filesize: 13KB
  MD5: 765ed2f26c88474cd2fbaebad452990c
  SHA1: d6922cb3a5c92233e07d57b55fa748dce7e644c0
  SHA256: 194a1e09f24014e3f48216fe698993f1126401412fdb6af625dae84c7028dcfc
  SHA512: 95e8d3844112251e1f5010e8848c946a4db8633be7c55c3541adafee3188208c30bf02e4e777f0e4b1d26819a92d1b6cb6b1c1d5c78c387e2199bef1c8b6377b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8281406.exe
  Filesize: 120KB
  MD5: b2ae5d1a2fd4116e41123a816065c6eb
  SHA1: a00937a530b0ba929ad9a6677d3a746b92beeb5f
  SHA256: fff33d2728ac183ae564800f25fbaf2b82bde67061a19d11abc5164203f8ac2b
  SHA512: 175a04717e763251a4ca4dd3af3d9e9f726ebc78a87701441d9ee48a4aae96668006820f02508018ca4a1045d5b99fbe4fbaec97453747d7d6730a3472b7d916

Memory dumps (file, size):
  memory/2528-175-0x0000000000340000-0x0000000000370000-memory.dmp  192KB
  memory/2528-180-0x0000000004CA0000-0x0000000004CB0000-memory.dmp  64KB
  memory/2528-189-0x000000000B240000-0x000000000B290000-memory.dmp  320KB
  memory/2528-176-0x000000000A650000-0x000000000AC68000-memory.dmp  6.1MB
  memory/2528-177-0x000000000A180000-0x000000000A28A000-memory.dmp  1.0MB
  memory/2528-178-0x000000000A0C0000-0x000000000A0D2000-memory.dmp  72KB
  memory/2528-179-0x000000000A120000-0x000000000A15C000-memory.dmp  240KB
  memory/2528-188-0x000000000C210000-0x000000000C73C000-memory.dmp  5.2MB
  memory/2528-182-0x0000000004CA0000-0x0000000004CB0000-memory.dmp  64KB
  memory/2528-183-0x000000000ADF0000-0x000000000AE66000-memory.dmp  472KB
  memory/2528-184-0x000000000AF10000-0x000000000AFA2000-memory.dmp  584KB
  memory/2528-185-0x000000000B560000-0x000000000BB04000-memory.dmp  5.6MB
  memory/2528-186-0x000000000AFB0000-0x000000000B016000-memory.dmp  408KB
  memory/2528-187-0x000000000BB10000-0x000000000BCD2000-memory.dmp  1.8MB
  memory/2616-161-0x0000000000820000-0x000000000082A000-memory.dmp  40KB
  memory/2968-167-0x00000000003D0000-0x00000000003DA000-memory.dmp  40KB