Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 13:10
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe
  - Resource: win10v2004-20230220-en
General
- Target: 5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe
- Size: 739KB
- MD5: e7ff2a2862cde8845e711eb5a132c41f
- SHA1: 966f8457dc3a809606bcb4dac709cafc64cd6c02
- SHA256: 5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7
- SHA512: 4fb5e0e90858532903cfbe90e3f449ce7a69e9921bed5d43e9973612bb50abf1e1a158773eddbfbee959e8e62754f759f48ad674b80b48ae369d31f8b989f660
- SSDEEP: 12288:8MrYy90o0Y7Py/kaUvYYlkuMgHmkiUHPL4ZKpOxJrow97Ie8YECJ+vtz:Uyfl7Pwka2zlkuMgGkiqPLmK8xT90+Eh
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes (process: description ioc):
- AppLaunch.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- a8185444.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- a8185444.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- a8185444.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- a8185444.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- a8185444.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- a8185444.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes (pid process):
- 2108 v3063723.exe
- 3284 v2454168.exe
- 400 v9154372.exe
- 3468 a8185444.exe
- 4896 b7296296.exe
- 3980 c5646205.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes (process: description ioc):
- a8185444.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 8 IoCs
Processes (process: description ioc):
- 5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- 5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- v3063723.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- v3063723.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- v2454168.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- v2454168.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- v9154372.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- v9154372.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid process, target process):
- PID 4896 set thread context of 244: 4896 b7296296.exe -> AppLaunch.exe
Program crash 1 IoCs
Processes (pid process, pid_target target process):
- 4300 WerFault.exe -> 4896 b7296296.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid process, number of events):
- 3468 a8185444.exe (2)
- 244 AppLaunch.exe (2)
- 3980 c5646205.exe (22)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid process):
- Token: SeDebugPrivilege, 3468 a8185444.exe
- Token: SeDebugPrivilege, 244 AppLaunch.exe
- Token: SeDebugPrivilege, 3980 c5646205.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes (pid process -> target pid process, number of events):
- 1764 5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe -> 2108 v3063723.exe (3)
- 2108 v3063723.exe -> 3284 v2454168.exe (3)
- 3284 v2454168.exe -> 400 v9154372.exe (3)
- 400 v9154372.exe -> 3468 a8185444.exe (2)
- 400 v9154372.exe -> 4896 b7296296.exe (3)
- 4896 b7296296.exe -> 244 AppLaunch.exe (5)
- 3284 v2454168.exe -> 3980 c5646205.exe (3)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe (PID 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ed45e6fe41fb7b7f093c150a506f5c234dc164ed0b4ed7d1b970dc6a1676fd7.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe (PID 2108)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe (PID 3284)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe (PID 400)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe (PID 3468)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe (PID 4896)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 244)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe (PID 4300)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 560
            - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe (PID 3980)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4112)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4896 -ip 4896
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3063723.exe
  Filesize: 532KB
  MD5: 6fa4f5eaf83761cd32091a56e0366376
  SHA1: 24fb85f54bc94f87b2b43db91d7277b65f1e777e
  SHA256: 5fa75efc47cfb998041c0df19cf100fced7d97017dcc3db877a168de34025ef8
  SHA512: 36fc00d03072c985e1a46f82ff383c9f50e0163b033739a4a9555ab4b65fc315aacbefafe1d0f42107daa849fd9efada7a31e05094bdd7a02d2d62e20a2eca1b
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2454168.exe
  Filesize: 359KB
  MD5: 52d15d939bfa4ed6866e3260f302484a
  SHA1: 6197f0fdcca96e1ac20ce96b2878804d24b37d9a
  SHA256: 878d54de9d1ef033464bc10e8862b651d560de3fda79d35b157f53ef0b9ade87
  SHA512: b674df3b6535ec17b9f3d5ebd39e3a49a79e4d2a1d92434febef2332362087935559a54782d9e69cadcca5f03be175cee74f4ae92fd5bab5de48aaff4fe32e98
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5646205.exe
  Filesize: 172KB
  MD5: 956d31e1a454901056ab95e190025cf4
  SHA1: 7405ce885d08fd95f04ec78c7ee43712512e0290
  SHA256: 8b83f4bc090b82fe9e34bdefd8527e0af41ec0ad4c79276e9fab7707f6632df9
  SHA512: 491d939bd8628c83ac9eac844568bb5b8f5e751f044ff06087c7387013c2d76186beb6ffa7890d1fe4b885bf35ad53e8fb38d4395af381d19ab1625535f82d25
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9154372.exe
  Filesize: 204KB
  MD5: f522c6a68f3934ad778cc2699a2361dc
  SHA1: c8bbede701df2296a8511c76320968f435d74359
  SHA256: ae49976c324b00e8b6777cb1bebb4fc0f65cc7fc0d435b37e7123ae019a5d75f
  SHA512: 9c58859d66bae3a37b5ef6065f827a78ae67c4f64c931ab5ec9b42c51ffba82ad90bcd4d97ecfbc1e737ab1dd4fc0e921b72b0b5163692484d575dc435f9d2fc
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8185444.exe
  Filesize: 13KB
  MD5: 9c1bb2b2bcffa6fa6c345504b5de9fef
  SHA1: 893b57742c9dd350f83d863317266180db8eff57
  SHA256: b60fd433b016bbf901d13dc301addaba3bbdf8b31d415e019e7856014f755771
  SHA512: 97670def67d7b417488484271cd876dcce8c39b9eaec6f696e9da22ef320872a4b622cb5dd5d4d891162314c7f86c08c654177ca8f636025b3e37586a352e4ff
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7296296.exe
  Filesize: 120KB
  MD5: ca82ab78203d1e5ed971d83e1b46ef5a
  SHA1: 3f2a2482f28b054d800ff3b9e6ccc22b1d0c9caf
  SHA256: 882b18a56b786e3f73c4da03aa3379e46ace7f767a79fb0ebd1ba784288d0754
  SHA512: 7005744a443f60b7d163030a8afdec3c9f523b389db9091a9748adcbedd44226d74cbf0eab00137b9d2ae3f0204f4bba49fccf229dfb00a42640b5579501f599
- memory/244-167-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
- memory/3468-161-0x00000000002A0000-0x00000000002AA000-memory.dmp (Filesize: 40KB)
- memory/3980-175-0x0000000000A70000-0x0000000000AA0000-memory.dmp (Filesize: 192KB)
- memory/3980-176-0x000000000AD50000-0x000000000B368000-memory.dmp (Filesize: 6.1MB)
- memory/3980-177-0x000000000A8B0000-0x000000000A9BA000-memory.dmp (Filesize: 1.0MB)
- memory/3980-178-0x000000000A7F0000-0x000000000A802000-memory.dmp (Filesize: 72KB)
- memory/3980-179-0x000000000A850000-0x000000000A88C000-memory.dmp (Filesize: 240KB)
- memory/3980-180-0x00000000053A0000-0x00000000053B0000-memory.dmp (Filesize: 64KB)
- memory/3980-181-0x000000000AC60000-0x000000000ACD6000-memory.dmp (Filesize: 472KB)
- memory/3980-182-0x000000000B410000-0x000000000B4A2000-memory.dmp (Filesize: 584KB)
- memory/3980-183-0x000000000BA60000-0x000000000C004000-memory.dmp (Filesize: 5.6MB)
- memory/3980-184-0x000000000B370000-0x000000000B3D6000-memory.dmp (Filesize: 408KB)
- memory/3980-186-0x000000000C1E0000-0x000000000C3A2000-memory.dmp (Filesize: 1.8MB)
- memory/3980-187-0x000000000C8E0000-0x000000000CE0C000-memory.dmp (Filesize: 5.2MB)
- memory/3980-188-0x00000000053A0000-0x00000000053B0000-memory.dmp (Filesize: 64KB)
- memory/3980-189-0x000000000C050000-0x000000000C0A0000-memory.dmp (Filesize: 320KB)