Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 13:05

Static task: static1
Behavioral task: behavioral1
Sample: 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe
Resource: win10v2004-20230220-en
General
Target: 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe
Size: 738KB
MD5: a5ebeaaee8aeaadecca6a52c53e2d3a5
SHA1: 6e8d4b1a6d0cb8e6dfc490b76ae666b4048706ff
SHA256: 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7
SHA512: 595fbb516716f4b49abe9f67ed18b9074a58ee937f4ba69a1f79f96f951bd3a1c828db7c20ef2b25f8914e5a645052c3f22897bdac0f7ab3d09fbd6d311554be
SSDEEP: 12288:GMrGy905+c1qD86fqGjSTikvLF/ytKFFdAiQM8/NWXWoYwz4rgQxx6OSsx7o01W/:8ya+cK8hbz6tKLdALzFWXYqY36FE7o4c
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a0710886.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a0710886.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a0710886.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a0710886.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a0710886.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a0710886.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a0710886.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 6 IoCs
Processes: v4079760.exe, v6703574.exe, v8596962.exe, a0710886.exe, b8336968.exe, c2763413.exe
pid | process
4424 | v4079760.exe
4952 | v6703574.exe
1096 | v8596962.exe
3156 | a0710886.exe
1336 | b8336968.exe
2600 | c2763413.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: a0710886.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a0710886.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v8596962.exe, 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe, v4079760.exe, v6703574.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v8596962.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4079760.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v4079760.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6703574.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v6703574.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8596962.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
Processes: b8336968.exe
description | pid | process | target process
PID 1336 set thread context of 228 | 1336 | b8336968.exe | AppLaunch.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3664 | 1336 | WerFault.exe | b8336968.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: a0710886.exe, AppLaunch.exe, c2763413.exe
pid | process | occurrences
3156 | a0710886.exe | 2
228 | AppLaunch.exe | 2
2600 | c2763413.exe | 28
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a0710886.exe, AppLaunch.exe, c2763413.exe
description | pid | process
Token: SeDebugPrivilege | 3156 | a0710886.exe
Token: SeDebugPrivilege | 228 | AppLaunch.exe
Token: SeDebugPrivilege | 2600 | c2763413.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe, v4079760.exe, v6703574.exe, v8596962.exe, b8336968.exe
description | pid | process | target process | occurrences
PID 5028 wrote to memory of 4424 | 5028 | 4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe | v4079760.exe | 3
PID 4424 wrote to memory of 4952 | 4424 | v4079760.exe | v6703574.exe | 3
PID 4952 wrote to memory of 1096 | 4952 | v6703574.exe | v8596962.exe | 3
PID 1096 wrote to memory of 3156 | 1096 | v8596962.exe | a0710886.exe | 2
PID 1096 wrote to memory of 1336 | 1096 | v8596962.exe | b8336968.exe | 3
PID 1336 wrote to memory of 228 | 1336 | b8336968.exe | AppLaunch.exe | 5
PID 4952 wrote to memory of 2600 | 4952 | v6703574.exe | c2763413.exe | 3
Processes

C:\Users\Admin\AppData\Local\Temp\4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4cb603c562454a15062327d3acbca5cbce2587e5a873d2b24c6f1df001ec59d7.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4079760.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4079760.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703574.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703574.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8596962.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8596962.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0710886.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0710886.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8336968.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8336968.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 140
          - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2763413.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2763413.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1336 -ip 1336
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4079760.exe
Filesize: 531KB
MD5: c5559933cef54508570297ecb06d6398
SHA1: 173385861fea7278850f7bed44e3266f62f7fdbd
SHA256: e52b36ab12bd0e62c7c9bac727639ee17688fcb7f084cfdba1604c58a4c2d295
SHA512: 973812859ac8e78b584311298a9671ff985ee1ac1839f3a0a4266e1d3bfb8d219d36e4d411b46d1e0a670fdcb677feb06016017a2440c9dc125177889606316d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6703574.exe
Filesize: 358KB
MD5: 85150f63c80ad22fbe201123a4efc9ae
SHA1: 0e0bdc927de8a3852de5d32eec3306276034ff8f
SHA256: 39c10409c726f9b6cfcdbcd916b6cb0818f5278dc9de53048d283012635d7978
SHA512: 162f241e129b556ec96cc6805435b013ff9dce7022fec51655bf79ac9ddb2f8630748b0c24d20b6dab417c0c223e733ddf38cc26045bbd6bf0d73650a2eca979

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2763413.exe
Filesize: 172KB
MD5: 153a76ae542572dd7f9af01385b403e6
SHA1: 81c9224fee56356fbe98e3a1dc6a54e984a7ccba
SHA256: ba11b71bcafc9121fd340c2e2cb784f2fc86b207aa766303bf92ce052423f6a6
SHA512: 228f7d0cc5f890c9c2cac2552d3a6014930db524f5fb420b90af41f82ac475c6c393bc97e1a3d6546e04239bc9e4c7c17192c64b10e4f23ca30a2a01837441e7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8596962.exe
Filesize: 203KB
MD5: 4f78eb1b2baf664a9091b35b657cb652
SHA1: 21b68418735f15eb85df55672f2ecf9c7b347caa
SHA256: aacdb8a3a2c65b10e1da1bc56a45344d1285b996a992b708442d3db371bd74a4
SHA512: 44d995f4adf27a4aa489bc930c90dc3496055c692d3f65cb2b4bc79a35c46df8881cd1439a7f62f1a461ea7091f391912ec96f7809f539bc826b65c3906e8d1f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0710886.exe
Filesize: 13KB
MD5: 0ff0f5946cca2600055a274deb11a457
SHA1: 6a31749b9cf645f839f10879b5467ef613cbc7e2
SHA256: 4bc6b898c0299b405032a319be6c86d2259633b747163da449f06dc93abb8b7f
SHA512: 99c2760872b3c3e444a3bf77fd81f0c5f35f69cd490ce566cef603645ccdd94835a9fcfdd5f71ec7f3ae8febbcc6db62808a043d501543759626fbcdc047ea2b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8336968.exe
Filesize: 120KB
MD5: f80099c6b4822d3438aab8c6acb81349
SHA1: 2ff8e01fe5cbff3293f12e26162bc7aff0cd558d
SHA256: c82dd18e6b973b1b66cb5e505712aa7de2dc2b9bf7a332ed78f0de9ff17a3f8f
SHA512: d055332243cec6ba1b764c0181ae321d5f4b4541d161de5daf582d6807c5714aeb765cc00a31b3c7c13cfa1f21479ef087aebfc2af9855e921d5008b530cd419

Memory dumps
memory/228-167-0x0000000000400000-0x000000000040A000-memory.dmp | Filesize: 40KB
memory/2600-175-0x0000000000900000-0x0000000000930000-memory.dmp | Filesize: 192KB
memory/2600-181-0x000000000A9F0000-0x000000000AA66000-memory.dmp | Filesize: 472KB
memory/2600-176-0x000000000AC30000-0x000000000B248000-memory.dmp | Filesize: 6.1MB
memory/2600-177-0x000000000A740000-0x000000000A84A000-memory.dmp | Filesize: 1.0MB
memory/2600-178-0x000000000A680000-0x000000000A692000-memory.dmp | Filesize: 72KB
memory/2600-179-0x0000000005180000-0x0000000005190000-memory.dmp | Filesize: 64KB
memory/2600-180-0x000000000A6E0000-0x000000000A71C000-memory.dmp | Filesize: 240KB
memory/2600-189-0x000000000C720000-0x000000000CC4C000-memory.dmp | Filesize: 5.2MB
memory/2600-182-0x000000000AB10000-0x000000000ABA2000-memory.dmp | Filesize: 584KB
memory/2600-183-0x000000000B800000-0x000000000BDA4000-memory.dmp | Filesize: 5.6MB
memory/2600-184-0x000000000ABB0000-0x000000000AC16000-memory.dmp | Filesize: 408KB
memory/2600-186-0x000000000BE00000-0x000000000BE50000-memory.dmp | Filesize: 320KB
memory/2600-187-0x000000000C020000-0x000000000C1E2000-memory.dmp | Filesize: 1.8MB
memory/2600-188-0x0000000005180000-0x0000000005190000-memory.dmp | Filesize: 64KB
memory/3156-161-0x0000000000820000-0x000000000082A000-memory.dmp | Filesize: 40KB