Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 14:11
Static task: static1
Behavioral task: behavioral1
- Sample: 302b0f6d712eba3d1a0b8ebf8dc98aec.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 302b0f6d712eba3d1a0b8ebf8dc98aec.exe
- Resource: win10v2004-20230220-en
General
- Target: 302b0f6d712eba3d1a0b8ebf8dc98aec.exe
- Size: 739KB
- MD5: 302b0f6d712eba3d1a0b8ebf8dc98aec
- SHA1: 6c564fafa65f2ab0b6bd5ea791cac254ab7cf331
- SHA256: 65141035941017854ad4ac7a2ad9ff6e553da933a2311843f2144366946a2796
- SHA512: 4d1e5352ecf82540e3ee2b065bb3ca32b1bac2d5291eeb94a8d896b89369b86b09f68943fde2ca6ac50aac2d629bfd8b74f5565c790d7834f2e53368fff634c6
- SSDEEP: 12288:IMrWy90kbJ6cC+DS6NYfJBBHjUmHzf7J3NPS/qygFBreKIvBCJW5yoQP:eyNJTDSdPbN3NPGqyyBrkIJIyvP
Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- Attributes: auth_value = 6a3f22e5f4209b056a3fd330dc71956a
Signatures
Modifies Windows Defender Real-time Protection settings (12 IoCs)
  Processes: AppLaunch.exe, a3031433.exe
  Operation | Registry path | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a3031433.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a3031433.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a3031433.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3031433.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a3031433.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a3031433.exe
  Both processes write the same five Real-Time Protection policy values. AppLaunch.exe is the 32-bit CLR host (Framework\, not Framework64\), so WOW64 redirects its HKLM\SOFTWARE writes under WOW6432Node; a3031433.exe reaches the native Policies path that the 64-bit Defender service reads. The table records the write calls, not whether Defender accepted them.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (6 IoCs)
  Processes: v7531338.exe, v9263717.exe, v5183631.exe, a3031433.exe, b3728369.exe, c3276124.exe
  PID | Process
  4120 | v7531338.exe
  3708 | v9263717.exe
  3404 | v5183631.exe
  1244 | a3031433.exe
  416 | b3728369.exe
  4280 | c3276124.exe
Windows security modification (1 IoC)
  Processes: a3031433.exe
  Operation | Registry path | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3031433.exe
  This is the Tamper Protection switch itself. On a host where Tamper Protection is enabled, Defender rejects registry changes to this value and to the Real-Time Protection policy values above unless they arrive through the Windows Security app or a management channel, so this step only takes effect where the feature was already off. The sandbox records the attempted write, not Defender's reaction to it.
Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: v9263717.exe, v5183631.exe, 302b0f6d712eba3d1a0b8ebf8dc98aec.exe, v7531338.exe
  Operation | Registry path | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9263717.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v9263717.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5183631.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v5183631.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 302b0f6d712eba3d1a0b8ebf8dc98aec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 302b0f6d712eba3d1a0b8ebf8dc98aec.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7531338.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v7531338.exe
  Caveat: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress self-extractor (wextract) so that its IXP00N.TMP extraction folder is deleted at the next logon. Here they show four nested IExpress packages (IXP000 through IXP003), one per dropper stage; none of these entries launches the payload, so this signature is packaging noise rather than attacker persistence.
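The registry rows in the three signature tables above are easier to reason about once they are parsed and normalised. The Python below is an added example, not part of the sandbox report: it re-types a handful of the report's rows (plus one constructed Run-key row for contrast) as sample input in an `operation | path[ = "data"] | process` form, strips the WOW6432Node redirection hop so 32-bit and native writes compare equal, and labels each row as Defender tampering, IExpress cleanup noise or a genuine autostart entry. The ATT&CK mapping (T1562.001, T1547.001), the severities and every helper name are this example's assumptions.

```python
"""Triage registry-write IoCs of the kind listed in the signature tables above.

Added example, not part of the sandbox report. SAMPLE_ROWS re-types report rows
(plus one constructed contrast row) as 'operation | path[ = "data"] | process';
the ATT&CK mapping and severity labels are this example's assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_ROWS = [  # constructed sample input, re-typed from the report
    r'Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe',
    r'Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe',
    r'Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a3031433.exe',
    r'Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3031433.exe',
    r'Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3031433.exe',
    r'Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 302b0f6d712eba3d1a0b8ebf8dc98aec.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 302b0f6d712eba3d1a0b8ebf8dc98aec.exe',
    # Constructed contrast row (not in the report): a real autostart entry under Run.
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\upd.exe" | constructed.exe',
]

ROW_RE = re.compile(r'^(?P<op>[^|]+?)\s*\|\s*(?P<target>.+?)\s*\|\s*(?P<proc>\S+)$')
VALUE_RE = re.compile(r'^(?P<path>.*?)(?: = "(?P<data>.*)")?$')

DEFENDER_POLICY_KEY = r'HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER'
DEFENDER_FEATURES_KEY = r'HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES'
RUN_KEYS = (r'\MICROSOFT\WINDOWS\CURRENTVERSION\RUN', r'\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE')
IEXPRESS_CLEANUP = 'advpack.dll,DelNodeRunDLL32'  # wextract's folder-delete stub


@dataclass(frozen=True)
class Finding:
    process: str
    key: str              # normalised HKLM\... path, upper-cased, WOW6432Node removed
    value: str | None     # value name; None for a bare "Key created"
    data: str | None
    redirected: bool      # True when the write landed under WOW6432Node (32-bit writer)
    technique: str        # ATT&CK id, '' when informational only (assumed mapping)
    label: str
    severity: str


def normalise(path: str) -> tuple[str, bool]:
    """Map an NT-style key path to HKLM\\... and report whether WOW64 redirected it."""
    p = re.sub(r'^\\REGISTRY\\MACHINE(?=\\)', 'HKLM', path, flags=re.I)
    redirected = re.search(r'\\WOW6432NODE(?=\\|$)', p, flags=re.I) is not None
    p = re.sub(r'\\WOW6432NODE(?=\\|$)', '', p, flags=re.I)
    return p.upper(), redirected


def classify(op: str, key: str, value: str | None, data: str | None) -> tuple[str, str, str]:
    """Return (technique, label, severity) for one normalised write."""
    if op.startswith('Key created'):
        return '', 'key-created', 'info'
    if key.startswith(DEFENDER_POLICY_KEY) and value and value.upper().startswith('DISABLE') and data == '1':
        return 'T1562.001', 'defender-policy-disable', 'high'
    if key == DEFENDER_FEATURES_KEY and value and value.upper() == 'TAMPERPROTECTION' and data == '0':
        return 'T1562.001', 'tamper-protection-off', 'high'
    if key.endswith(RUN_KEYS):
        # IExpress writes wextract_cleanupN -> rundll32 advpack.dll,DelNodeRunDLL32 to remove
        # its IXP00N.TMP folder at next logon; it launches nothing, so it is noise here.
        if value and re.fullmatch(r'wextract_cleanup\d+', value) and IEXPRESS_CLEANUP in (data or ''):
            return 'T1547.001', 'iexpress-cleanup', 'info'
        return 'T1547.001', 'run-key-persistence', 'medium'
    return '', 'other', 'info'


def parse_row(row: str) -> Finding:
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f'unparseable row: {row!r}')
    op, target, proc = m['op'].strip(), m['target'], m['proc']
    v = VALUE_RE.match(target)
    path, data = v['path'], v['data']
    if op.startswith('Key created'):
        key, value = path, None
    else:
        key, _, value = path.rpartition('\\')
    key_norm, redirected = normalise(key)
    technique, label, severity = classify(op, key_norm, value, data)
    return Finding(proc, key_norm, value, data, redirected, technique, label, severity)


def triage(rows: list[str]) -> list[Finding]:
    return [parse_row(r) for r in rows]


def summary(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.label for f in findings))


def tampering_processes(findings: list[Finding]) -> set[str]:
    """Processes that disabled Defender, whichever registry view they hit."""
    return {f.process for f in findings if f.severity == 'high'}


if __name__ == '__main__':
    found = triage(SAMPLE_ROWS)
    for f in found:
        view = 'WOW64' if f.redirected else 'native'
        print(f'{f.severity:6} {f.label:25} {f.process:40} {view:6} {f.value or f.key}')
    print(summary(found), tampering_processes(found))
```

Normalising away WOW6432Node is what lets the AppLaunch.exe and a3031433.exe rows collapse onto the same policy key; keeping the `redirected` flag separately preserves the fact that only the native writes are the ones the 64-bit Defender service consults.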
Suspicious use of SetThreadContext (1 IoC)
  Processes: b3728369.exe
  PID | Process | Target PID | Target process
  416 | b3728369.exe | 4244 | AppLaunch.exe
  AppLaunch.exe is the Microsoft-signed 32-bit .NET host from Framework\v4.0.30319. A parent that writes into a freshly created copy of it (see the WriteProcessMemory rows below) and then rewrites its thread context is the create-suspended / write / redirect-thread / resume sequence of process hollowing; the injected code then runs under a trusted image name.
Program crash (1 IoC)
  Processes: WerFault.exe
  WerFault PID | Crashed PID | Crashed process
  3712 | 416 | b3728369.exe
  The crash is in the injector, not the injected process: AppLaunch.exe (PID 4244) stays in the tree and is the process that performs the Defender policy writes, process enumeration and SeDebugPrivilege use recorded in this report. A loader crash after injection does not end the infection.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: a3031433.exe, AppLaunch.exe
  PID | Process
  1244 | a3031433.exe (2 events)
  4244 | AppLaunch.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: a3031433.exe, AppLaunch.exe
  Token | PID | Process
  SeDebugPrivilege | 1244 | a3031433.exe
  SeDebugPrivilege | 4244 | AppLaunch.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 302b0f6d712eba3d1a0b8ebf8dc98aec.exe, v7531338.exe, v9263717.exe, v5183631.exe, b3728369.exe
  Writer PID (process) -> Target PID (process) | writes
  3692 (302b0f6d712eba3d1a0b8ebf8dc98aec.exe) -> 4120 (v7531338.exe) | 3
  4120 (v7531338.exe) -> 3708 (v9263717.exe) | 3
  3708 (v9263717.exe) -> 3404 (v5183631.exe) | 3
  3404 (v5183631.exe) -> 1244 (a3031433.exe) | 2
  3404 (v5183631.exe) -> 416 (b3728369.exe) | 3
  416 (b3728369.exe) -> 4244 (AppLaunch.exe) | 5
  3708 (v9263717.exe) -> 4280 (c3276124.exe) | 3
  Every row is a parent writing into a child it has just created, which is expected at process start for the nested self-extractors. The one that matters is 416 -> 4244: it is the only target that also receives a SetThreadContext from the same writer, which marks it as the injection rather than a spawn.
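Read together, the WriteProcessMemory, SetThreadContext and Program crash rows describe a nested-dropper chain that ends in one injection. The Python below is an added example, not sandbox output: it re-types those rows as constructed input, rebuilds the process tree from writer-to-target edges, flags a SetThreadContext that follows writes into a Microsoft .NET host as hollowing, and correlates the injector crash with the surviving injected process. The `TRUSTED_HOSTS` list, the labels and the helper names are this example's assumptions.

```python
"""Rebuild the process chain from the report's WriteProcessMemory / SetThreadContext
rows and flag the hollowing pattern into a Microsoft .NET host.

Added example, not part of the sandbox report. The event lists are re-typed
from the report above (constructed input); TRUSTED_HOSTS and the labels are
this example's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# (writer pid, writer image, target pid, target image, number of writes) - from the report
WRITE_EVENTS = [
    (3692, '302b0f6d712eba3d1a0b8ebf8dc98aec.exe', 4120, 'v7531338.exe', 3),
    (4120, 'v7531338.exe', 3708, 'v9263717.exe', 3),
    (3708, 'v9263717.exe', 3404, 'v5183631.exe', 3),
    (3404, 'v5183631.exe', 1244, 'a3031433.exe', 2),
    (3404, 'v5183631.exe', 416, 'b3728369.exe', 3),
    (416, 'b3728369.exe', 4244, 'AppLaunch.exe', 5),
    (3708, 'v9263717.exe', 4280, 'c3276124.exe', 3),
]
# (pid, image, target pid, target image) - from the report
SET_THREAD_CONTEXT = [(416, 'b3728369.exe', 4244, 'AppLaunch.exe')]
# (WerFault pid, image, crashed pid, crashed image) - from the report
CRASHES = [(3712, 'WerFault.exe', 416, 'b3728369.exe')]
# Assumption: signed .NET utilities that loaders commonly hollow out.
TRUSTED_HOSTS = {'AppLaunch.exe', 'RegAsm.exe', 'RegSvcs.exe', 'vbc.exe'}


@dataclass(frozen=True)
class Injection:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    writes: int
    label: str
    severity: str


def image_names(events=WRITE_EVENTS) -> dict[int, str]:
    names: dict[int, str] = {}
    for src, src_img, dst, dst_img, _ in events:
        names[src], names[dst] = src_img, dst_img
    return names


def parents(events=WRITE_EVENTS) -> dict[int, int]:
    """First writer into a PID is taken as its parent: the sandbox records the
    parent's process-creation-time writes into every child."""
    par: dict[int, int] = {}
    for src, _, dst, _, _ in events:
        par.setdefault(dst, src)
    return par


def chain_to(pid: int, events=WRITE_EVENTS) -> list[str]:
    """Image names from the root of the tree down to `pid`."""
    names, par = image_names(events), parents(events)
    out: list[str] = []
    cur: int | None = pid
    while cur is not None:
        out.append(names[cur])
        cur = par.get(cur)
    return out[::-1]


def injection_findings(events=WRITE_EVENTS, stc=SET_THREAD_CONTEXT) -> list[Injection]:
    """SetThreadContext on a process the same writer already wrote into is the
    create-suspended / write / redirect-thread / resume sequence of hollowing."""
    writes = {(s, d): n for s, _, d, _, n in events}
    found: list[Injection] = []
    for s, s_img, d, d_img in stc:
        n = writes.get((s, d), 0)
        if d_img in TRUSTED_HOSTS:
            label, sev = 'process-hollowing-into-trusted-host', 'high'
        else:
            label, sev = 'thread-context-hijack', 'medium'
        found.append(Injection(s, s_img, d, d_img, n, label, sev))
    return found


def orphaned_payloads(findings: list[Injection], crashes=CRASHES) -> list[int]:
    """Injected PIDs whose injector crashed: the payload outlives its loader."""
    crashed = {pid for _, _, pid, _ in crashes}
    return [f.target_pid for f in findings if f.source_pid in crashed]


def render_tree(events=WRITE_EVENTS) -> str:
    """Indented tree; the leading number is the nesting depth, root = 1."""
    names, par = image_names(events), parents(events)
    children: dict[int, list[int]] = {}
    for pid, pp in par.items():
        children.setdefault(pp, []).append(pid)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{'  ' * (depth - 1)}{depth}. {names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in (p for p in names if p not in par):
        walk(root, 1)
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render_tree())
    for inj in injection_findings():
        print(inj)
    print('payloads surviving a loader crash:', orphaned_payloads(injection_findings()))
```

The writes-only edges reproduce the report's process tree exactly, including the depth numbers; only the edge that additionally carries a SetThreadContext is promoted to an injection finding, which keeps the six packaging stages out of the alert.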
Processes
Process tree (indentation and the leading number give nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\302b0f6d712eba3d1a0b8ebf8dc98aec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\302b0f6d712eba3d1a0b8ebf8dc98aec.exe"
   PID: 3692
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
      PID: 4120
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
         PID: 3708
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
            PID: 3404
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
               PID: 1244
               - Modifies Windows Defender Real-time Protection settings
               - Executes dropped EXE
               - Windows security modification
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
               PID: 416
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 4244
                  - Modifies Windows Defender Real-time Protection settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 136
                  PID: 3712
                  - Program crash
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
            PID: 4280
            - Executes dropped EXE
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 416 -ip 416
   PID: 236
   (top-level entry, not a child of the sample's tree; it references the same crashing PID 416)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
  Filesize: 532KB
  MD5: 9f3cba9132e818f87b82bfd1dec1ef44
  SHA1: a62c86a3a16263279074a6646cfcfc2778b89899
  SHA256: 27ea521651300c184d2c57a793e81301b1324b4917981bacbc61e17352a6365f
  SHA512: be66a8c534a2ef754c0ceda136abc54d74453cf7ee7ad8918c46ba62fa7617c2ebfe88f8022f6e2aacd32cd632164b688218fb3b1172b7e991e237e17a47de3e
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
  Filesize: 359KB
  MD5: 8ddd700c9c58bcbd61948ece8102ce15
  SHA1: 60d9e88620ad374384020bd11a3e23db380e2981
  SHA256: 33c336e8ba629bcc31057daba0ae8c010e73d559a9209792833ef49213507560
  SHA512: 8b95247a00a9621a794d86f8be57208acc6447bb1ab86d3c1c51d55f2e130da8130984aac7f6640fb45f4f3500091f7d2ad76874c3c37296ba6c8956ff6bd48f
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
  Filesize: 172KB
  MD5: 7c412cfbd52a7cdc085f22d008303140
  SHA1: 97b64b26e4ae34360f4642b823e1a2d66d3be7d7
  SHA256: 0adfdaf7ffac50f3e5bfebe95f1a33552447ca7d800080f767f9b3b8d1780135
  SHA512: 84f4b21f1df6cef5b39ca541af4a5615d8e9d6ef2749454a04fd65cdfd9b2179697417987cdc57584611405505fb54dd64a632f23108d0bb664b13ed67e6cb22
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
  Filesize: 204KB
  MD5: 025ea76ef219cf2e4595af6f23a0e034
  SHA1: f3a77c3bb4fb22b3412b798351e73ef9190d3578
  SHA256: c54ddd3e51f87225c221176cc14df29777e6d17d59e8cc024ccdffced861ae13
  SHA512: 91c697dcec32c107bec0b5b97c6e2b8c998fed38aa74dc446d131eabc4b9e7fa009fc75eca257d00937dd42727b348de0a8626f4dae79ea0a3cf4cb904f9a432
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
  Filesize: 13KB
  MD5: b98df5064ab62453b88540430ad97abe
  SHA1: 5c5dea6c3ca46227479d50917e155d13d4564c27
  SHA256: d487ea328b6c6a98a959bca8ebeaac10cea1ff9b202a1448d09be034cd328664
  SHA512: e4bafc90cf556acd3edb994ee9bf578a771d6c13e81cf9935dfff3201e897ab968caf9ddb230229d595d65df1b4f10d3076b4be13ecd4b7af62d6f0c11cb3dca
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
  Filesize: 120KB
  MD5: bb3d19feded6b3f3b78efdec80fc3aba
  SHA1: b115c21e2304ae26d0f56917fa798d7bf784ba24
  SHA256: 61310e75dcf5e3c0975ce16622d4f0568e32fa9fd45ae3e49d7e9f27498ab547
  SHA512: 9b7f76c158e9f24c34e8cbaff7ee1a0a647b3cde59e341f055cb9238e1947cfcaeb19596957fa9544ab0988614a50b77f62ebc689d7281f543ab84bde517c69b
Memory dumps
- memory/1244-161-0x00000000005B0000-0x00000000005BA000-memory.dmp (Filesize: 40KB)
- memory/4244-167-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
- memory/4280-175-0x00000000003E0000-0x0000000000410000-memory.dmp (Filesize: 192KB)
- memory/4280-176-0x000000000A7E0000-0x000000000ADF8000-memory.dmp (Filesize: 6.1MB)
- memory/4280-177-0x000000000A360000-0x000000000A46A000-memory.dmp (Filesize: 1.0MB)
- memory/4280-178-0x000000000A2A0000-0x000000000A2B2000-memory.dmp (Filesize: 72KB)
- memory/4280-179-0x0000000004BB0000-0x0000000004BC0000-memory.dmp (Filesize: 64KB)
- memory/4280-180-0x000000000A300000-0x000000000A33C000-memory.dmp (Filesize: 240KB)
- memory/4280-182-0x0000000004BB0000-0x0000000004BC0000-memory.dmp (Filesize: 64KB)