Analysis
Max time kernel: 151s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-06-2023 13:37
Static task: static1
Behavioral task: behavioral1
Sample: 6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe
Resource: win10v2004-20230220-en
General
Target: 6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe
Size: 738KB
MD5: a6e092032d6863b2526c26a205477a84
SHA1: b1d8b8cfcc1edda4a3a8dc4ceac46e16297351b4
SHA256: 6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa
SHA512: a1311c4fa4844ef3cbe9d557b8c9326e39deea1fa087fab203ff894d1d25cc161600be9d7e9d99900e78af3d268cae8ba7eaadca0115050d934dc04bab435eaf
SSDEEP: 12288:nMrjy90xzPTmiEJ+5JK0ClOBaKia+hZ2om0qmM0kQU1y8CahJsDzM7j4NiHnNdX:cy4zPTmh053ClxatOnmD3sE7j4Nif
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5588497.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5588497.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5588497.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5588497.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5588497.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5588497.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 6 IoCs
Processes:

| pid | process |
|---|---|
| 3268 | v8408361.exe |
| 2460 | v1242347.exe |
| 1448 | v0838208.exe |
| 2192 | a5588497.exe |
| 4172 | b0038645.exe |
| 4240 | c8050572.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5588497.exe |
Adds Run key to start application 2 TTPs 8 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8408361.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8408361.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1242347.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v1242347.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v0838208.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v0838208.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe |
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 4172 set thread context of 1872 | 4172 | b0038645.exe | AppLaunch.exe |
Program crash 1 IoCs
Processes:

| pid | pid_target | process | target process |
|---|---|---|---|
| 1136 | 4172 | WerFault.exe | b0038645.exe |
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:

| pid | process | count |
|---|---|---|
| 2192 | a5588497.exe | 2 |
| 1872 | AppLaunch.exe | 2 |
| 4240 | c8050572.exe | 26 |
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2192 | a5588497.exe |
| Token: SeDebugPrivilege | 1872 | AppLaunch.exe |
| Token: SeDebugPrivilege | 4240 | c8050572.exe |
Suspicious use of WriteProcessMemory 22 IoCs
Processes:

| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 628 wrote to memory of 3268 | 628 | 6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe | v8408361.exe | 3 |
| PID 3268 wrote to memory of 2460 | 3268 | v8408361.exe | v1242347.exe | 3 |
| PID 2460 wrote to memory of 1448 | 2460 | v1242347.exe | v0838208.exe | 3 |
| PID 1448 wrote to memory of 2192 | 1448 | v0838208.exe | a5588497.exe | 2 |
| PID 1448 wrote to memory of 4172 | 1448 | v0838208.exe | b0038645.exe | 3 |
| PID 4172 wrote to memory of 1872 | 4172 | b0038645.exe | AppLaunch.exe | 5 |
| PID 2460 wrote to memory of 4240 | 2460 | v1242347.exe | c8050572.exe | 3 |
Processes

- C:\Users\Admin\AppData\Local\Temp\6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe (PID 628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a1b06db64db921ffde1e1658e29bf6499fab9ae83be89e287469a383850d3aa.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe (PID 3268)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe (PID 2460)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe (PID 1448)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe (PID 2192)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe
          Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe (PID 4172)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1872)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            Signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe (PID 1136)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 140
            Signatures: Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe (PID 4240)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4172 -ip 4172
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8408361.exe
Filesize: 531KB
MD5: d0520ea6ebd3012ac98072195ab6beec
SHA1: 77f46d54e8eb0cac816f0604ba7450f0385bc777
SHA256: 1ec6d44258ab366fa6a6c1d1e8ca4bcaf2ae08621281d0a998023be7e6b0f6e5
SHA512: 3f6ed5937cdb91fecb312e935d6310706b19e990c0e8f471313d81d693784f861d1e0cd09e958c1c99b1dda7f7978bd666ce45a76f64f30bca45277327b0dce9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242347.exe
Filesize: 359KB
MD5: c4000fbe64c5542773e6c764f41c5a3b
SHA1: 5575fa3e4502553815f2b26bdb279fefc69ce34d
SHA256: 3ce6f37758bc1c708ad11edd878453485512ad6357dc4e55f3897a843a79b193
SHA512: 71d05bacda6047b43dcfde944fae3cb92c9274bda2e39342861eaec88b4e3ace0225efe58d206543127b744cc433e5d8f8ef407570152ec0fad461c72bcc0607

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8050572.exe
Filesize: 172KB
MD5: 3aa0c0354a38ae841c7f876df830cf51
SHA1: 777ec7fa72c4a0766bb4565a1dcc5a9a2d2438c3
SHA256: 84e57261462ec8bc4766511d432b15298105877213992c934f33374314ed6694
SHA512: 50f6a06ee2549290b291ca25a8ddbe484aef8ad94465327b78e6ce0bb39b4fea1b476792d66a343ed52dd95ef62f3175310a695bb0f15c8e8528a36795f09a5b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0838208.exe
Filesize: 204KB
MD5: ff7d2def9cfc51d701e4d0edd08cb6c7
SHA1: f0e03def4b451d9a34d8683bc5454b089412fafe
SHA256: 01d9223d55369cf59cf9d7403c975dfca6e1cca790e904e41f18c53721f8459a
SHA512: 2657498898c9736db74801f3a869f1fa7cccb9e6a9d3cac1eb59ff1c2235267a28e3110ad2bc7b9d3ed6bc979a642b78749611fca00adf26b1b9a00fc61753bc

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5588497.exe
Filesize: 13KB
MD5: 5820ec43b01659b39e500c7265a72ff1
SHA1: 12635061fd3962cbc36afeed146a8ecaae6116d1
SHA256: c5d3a2b5b88a9d2198f942772923effbb775b9199449179e6ccbc47fc2bc2cae
SHA512: 4f8d8c2e3c5f58f8aa9649ff4adb8b11c15c3121f0890e679f46a3639e9fccaf39fd4c669c680934df4a748505d5487e463c3419a6796bc5f498f89b2ded7bd6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0038645.exe
Filesize: 120KB
MD5: a4dc27de06ac2f262981e05c54c09c23
SHA1: 78861e5d74076493cec31bf21fb7d84ff29fe45e
SHA256: 8faae76d80764561c7c682e8293b4957fbdc58665eee1b33d730770214c61d33
SHA512: d1f14625497970effe80ee0cda62948a14d9f0b810a691e07d0f8dc0177cb96286cd86d880065dda61604c36c22d3f58b9450c734be46fc82234a23625d40e76

| memory dump | filesize |
|---|---|
| memory/1872-167-0x0000000000400000-0x000000000040A000-memory.dmp | 40KB |
| memory/2192-161-0x00000000008F0000-0x00000000008FA000-memory.dmp | 40KB |
| memory/4240-175-0x0000000000C40000-0x0000000000C70000-memory.dmp | 192KB |
| memory/4240-176-0x0000000005BE0000-0x00000000061F8000-memory.dmp | 6.1MB |
| memory/4240-177-0x00000000056D0000-0x00000000057DA000-memory.dmp | 1.0MB |
| memory/4240-178-0x0000000005590000-0x00000000055A2000-memory.dmp | 72KB |
| memory/4240-179-0x0000000005600000-0x000000000563C000-memory.dmp | 240KB |
| memory/4240-180-0x00000000055B0000-0x00000000055C0000-memory.dmp | 64KB |
| memory/4240-181-0x0000000005910000-0x0000000005986000-memory.dmp | 472KB |
| memory/4240-182-0x0000000005A30000-0x0000000005AC2000-memory.dmp | 584KB |
| memory/4240-183-0x0000000005990000-0x00000000059F6000-memory.dmp | 408KB |
| memory/4240-184-0x0000000006CA0000-0x0000000007244000-memory.dmp | 5.6MB |
| memory/4240-186-0x0000000006750000-0x00000000067A0000-memory.dmp | 320KB |
| memory/4240-187-0x0000000006AA0000-0x0000000006C62000-memory.dmp | 1.8MB |
| memory/4240-188-0x0000000008E70000-0x000000000939C000-memory.dmp | 5.2MB |
| memory/4240-189-0x00000000055B0000-0x00000000055C0000-memory.dmp | 64KB |