Analysis
Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20230221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-06-2023 13:25
Static task: static1
Behavioral task: behavioral1
Sample: 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe
Resource: win10v2004-20230221-en
General
Target: 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe
Size: 739KB
MD5: 3684c8be1f7b0e3dbcfdfea2e86bb30b
SHA1: 0cf3c61103cdeb25af3f1a0b1d9b16f7a96c5939
SHA256: 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d
SHA512: 2e7c56b2bf8accef8b7503d603e6a87c43020b6882dfa31962af7ccfe07071043f4497baf784018924cbc96060e306d070aa13e8c8139393a05641c3d804f0bf
SSDEEP: 12288:aMrsy90O1K4Nec7SqvZw8wnJ2Q2GNuolfps1j0zlyQqDMLdiDs:6yJjNeepfwJ2GU56yrD0diDs
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a0985244.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a0985244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a0985244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a0985244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a0985244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a0985244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a0985244.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
Processes: v9846025.exe, v2680905.exe, v7361371.exe, a0985244.exe, b0952475.exe, c2655409.exe
pid | process
4968 | v9846025.exe
4452 | v2680905.exe
4644 | v7361371.exe
2172 | a0985244.exe
3432 | b0952475.exe
4860 | c2655409.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: a0985244.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a0985244.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: v2680905.exe, v7361371.exe, 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe, v9846025.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v2680905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v2680905.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7361371.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v7361371.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9846025.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v9846025.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
Processes: b0952475.exe
description | pid | process | target process
PID 3432 set thread context of 872 | 3432 | b0952475.exe | AppLaunch.exe

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
4440 | 3432 | WerFault.exe | b0952475.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: a0985244.exe, AppLaunch.exe, c2655409.exe
pid | process | hits
2172 | a0985244.exe | 2
872 | AppLaunch.exe | 2
4860 | c2655409.exe | 14

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: a0985244.exe, AppLaunch.exe, c2655409.exe
description | pid | process
Token: SeDebugPrivilege | 2172 | a0985244.exe
Token: SeDebugPrivilege | 872 | AppLaunch.exe
Token: SeDebugPrivilege | 4860 | c2655409.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe, v9846025.exe, v2680905.exe, v7361371.exe, b0952475.exe
description | pid | process | target process | hits
PID 2736 wrote to memory of 4968 | 2736 | 3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe | v9846025.exe | 3
PID 4968 wrote to memory of 4452 | 4968 | v9846025.exe | v2680905.exe | 3
PID 4452 wrote to memory of 4644 | 4452 | v2680905.exe | v7361371.exe | 3
PID 4644 wrote to memory of 2172 | 4644 | v7361371.exe | a0985244.exe | 2
PID 4644 wrote to memory of 3432 | 4644 | v7361371.exe | b0952475.exe | 3
PID 3432 wrote to memory of 872 | 3432 | b0952475.exe | AppLaunch.exe | 5
PID 4452 wrote to memory of 4860 | 4452 | v2680905.exe | c2655409.exe | 3
Processes
(process tree; the bracketed number is the nesting depth, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe (PID 2736)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f953b7250b78641f39f43b9679d7c6c967e8cf4802111eaf338544fdda5bc1d.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe (PID 4968)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe (PID 4452)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe (PID 4644)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe (PID 2172)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe (PID 3432)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 872)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4440)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 148
              - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe (PID 4860)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3944)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3432 -ip 3432
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9846025.exe
  Filesize: 532KB
  MD5: 78373fccf6adeb4700a6f6def7aca89c
  SHA1: 3f6c2c20f9f114362020ac5330dae1f3ae14fa8c
  SHA256: 40c2336445e68b6f470a45fe6a4fa417dffdb4adff86ee1dc5b47e8c53fccd24
  SHA512: 6eaa462b7fb3774c43f8aab883d2f88e5d8bddb02cda1a7c84bfaf8c41da8b866bb1e83562af182552ef238c2b1daf94217bd816ea3bf44f5c1146e5500b3df5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2680905.exe
  Filesize: 359KB
  MD5: c60e37579b0a4d9f7f64d5738ea84412
  SHA1: c422105bb3cdc46e5d0c7bcbbd393e24e2b20ad0
  SHA256: 2a39b9fda983ef69e946f955f98cc39bdc7b56eb7dd49116665b8564d917384d
  SHA512: 96b9f6e7eb34271941e971c4404fb923cbb5b3ae8b7105c9e8faa3065a58882e69f6cb634f0143567bf043aec11304149b6971316b6f20f748a25e31763ef995

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2655409.exe
  Filesize: 172KB
  MD5: 61e020d914cd540eb0f5f8cc51fc4b1d
  SHA1: 4c24cbd2af6bc64f8dcd105cf2740b73e8922880
  SHA256: cbd8b131aec0655a00655015e14086086629ab69f84c113beacf31b9ec9f4e55
  SHA512: eeb383e975f14e333c2b9801b9b426f31d0ebb54982df907a270c8eacca0c2a854a70b5353a4e8351ca1154b8f41d47aca4c6b39e2e200109bdeb6f1b060ca40

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7361371.exe
  Filesize: 204KB
  MD5: 568e508481c949fee9347810d2e929f5
  SHA1: 5f0202130d11a27b3ce9066fe0350e448c750cda
  SHA256: e655e3fcfdc98cca37600c11404e3b9878733e62daed4dafbc029e08a2afe5e1
  SHA512: a9437ebd594a40189e80451d932bc1da7f666ea3dc5bd19f8f42bce0f2a117ba2fbc19ece8ca16e538a3ea6ec42ba820383c7b696c769a66527997c1a796bc04

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0985244.exe
  Filesize: 13KB
  MD5: a5200aa1bed495e0197d2163c121ad27
  SHA1: f7c21f834fd0707365a56562dda15afc431c18c8
  SHA256: e5ae8bdf1bb21eace1605a02ce634ba59062e06ab8aaa39e92e5829a9d0cd2ce
  SHA512: 55544375698e267e2b8ccf02f5cde11b032001e0706793b87fbb5b20eddde97536d275849d31dfd93114d681b76cec89be08d1252b243061ca9de02d6aaf2cc9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0952475.exe
  Filesize: 120KB
  MD5: f73b37c658a9bef2f302107ff25e59de
  SHA1: 47a975a00013f724b0dade7ba5cf51cc8b539957
  SHA256: f6fd85c07723e1a8a8e026903509921d43e036fde97696b67ca7c4dfde32280b
  SHA512: cd193e93e45868b6fcf99187406ddeb39f06532f81cea24b17efafdcca16fbf60fa6b6e97989e26c6e3089fcaa68f0e0b081d4ff3af236317193c45bebbca8fd

Memory dumps
dump | Filesize
memory/872-167-0x0000000000400000-0x000000000040A000-memory.dmp | 40KB
memory/2172-161-0x0000000000AA0000-0x0000000000AAA000-memory.dmp | 40KB
memory/4860-175-0x0000000000F30000-0x0000000000F60000-memory.dmp | 192KB
memory/4860-176-0x000000000B210000-0x000000000B828000-memory.dmp | 6.1MB
memory/4860-177-0x000000000AD70000-0x000000000AE7A000-memory.dmp | 1.0MB
memory/4860-178-0x000000000ACB0000-0x000000000ACC2000-memory.dmp | 72KB
memory/4860-179-0x000000000AD10000-0x000000000AD4C000-memory.dmp | 240KB
memory/4860-180-0x0000000005760000-0x0000000005770000-memory.dmp | 64KB
memory/4860-181-0x000000000B020000-0x000000000B096000-memory.dmp | 472KB
memory/4860-182-0x000000000B140000-0x000000000B1D2000-memory.dmp | 584KB
memory/4860-183-0x000000000BDE0000-0x000000000C384000-memory.dmp | 5.6MB
memory/4860-184-0x000000000B930000-0x000000000B996000-memory.dmp | 408KB
memory/4860-186-0x000000000BD70000-0x000000000BDC0000-memory.dmp | 320KB
memory/4860-187-0x0000000005760000-0x0000000005770000-memory.dmp | 64KB
memory/4860-188-0x000000000C660000-0x000000000C822000-memory.dmp | 1.8MB
memory/4860-189-0x000000000CD60000-0x000000000D28C000-memory.dmp | 5.2MB