Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2023 15:37

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 04051799.exe
  Resource: win7-20230220-en
- Behavioral task: behavioral2
  Sample: 04051799.exe
  Resource: win10v2004-20230220-en
General
- Target: 04051799.exe
- Size: 739KB
- MD5: eebc454fd7a373d158995ebafa294d54
- SHA1: adf21db0504a53985d7ebbc932ba48dcebe8ecac
- SHA256: 01bff0bd2b40804fc3efa9f6c527c4dce0b4a6c5cf1065ba5496ecfb8dcd042e
- SHA512: bbd5cf50f67e5f9bf667ec097eb237060f39c8d8080a06a8abf7ee31b3866d7d6c9b028e3dbcf1f5448c1c8dacf4ee90f6b031de9b97054b399d71ad0f2ebf45
- SSDEEP: 12288:vMroy90o/S/AugWc5vWvBkUgRkuOfApAXrZEyGiaWvz37t:3yn6eWh98NOfApAXrk2/t

Malware Config
Extracted
- Family: redline
- Botnet: maxi
- C2: 83.97.73.126:19048
- auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5725355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5725355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5725355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5725355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5725355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5725355.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 6 IoCs
Processes:
pid | process
1436 | v9723996.exe
4240 | v5788348.exe
1120 | v5687024.exe
2036 | a5725355.exe
728 | b6922324.exe
2272 | c4586915.exe

Windows security modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5725355.exe

Adds Run key to start application 2 TTPs 8 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v9723996.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5788348.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5788348.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5687024.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v5687024.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 04051799.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 04051799.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9723996.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 728 set thread context of 4312 | 728 | b6922324.exe | AppLaunch.exe

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3352 | 728 | WerFault.exe | b6922324.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2036 | a5725355.exe
2036 | a5725355.exe
4312 | AppLaunch.exe
4312 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2036 | a5725355.exe
Token: SeDebugPrivilege | 4312 | AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 5036 wrote to memory of 1436 | 5036 | 04051799.exe | v9723996.exe
PID 5036 wrote to memory of 1436 | 5036 | 04051799.exe | v9723996.exe
PID 5036 wrote to memory of 1436 | 5036 | 04051799.exe | v9723996.exe
PID 1436 wrote to memory of 4240 | 1436 | v9723996.exe | v5788348.exe
PID 1436 wrote to memory of 4240 | 1436 | v9723996.exe | v5788348.exe
PID 1436 wrote to memory of 4240 | 1436 | v9723996.exe | v5788348.exe
PID 4240 wrote to memory of 1120 | 4240 | v5788348.exe | v5687024.exe
PID 4240 wrote to memory of 1120 | 4240 | v5788348.exe | v5687024.exe
PID 4240 wrote to memory of 1120 | 4240 | v5788348.exe | v5687024.exe
PID 1120 wrote to memory of 2036 | 1120 | v5687024.exe | a5725355.exe
PID 1120 wrote to memory of 2036 | 1120 | v5687024.exe | a5725355.exe
PID 1120 wrote to memory of 728 | 1120 | v5687024.exe | b6922324.exe
PID 1120 wrote to memory of 728 | 1120 | v5687024.exe | b6922324.exe
PID 1120 wrote to memory of 728 | 1120 | v5687024.exe | b6922324.exe
PID 728 wrote to memory of 4312 | 728 | b6922324.exe | AppLaunch.exe
PID 728 wrote to memory of 4312 | 728 | b6922324.exe | AppLaunch.exe
PID 728 wrote to memory of 4312 | 728 | b6922324.exe | AppLaunch.exe
PID 728 wrote to memory of 4312 | 728 | b6922324.exe | AppLaunch.exe
PID 728 wrote to memory of 4312 | 728 | b6922324.exe | AppLaunch.exe
PID 4240 wrote to memory of 2272 | 4240 | v5788348.exe | c4586915.exe
PID 4240 wrote to memory of 2272 | 4240 | v5788348.exe | c4586915.exe
PID 4240 wrote to memory of 2272 | 4240 | v5788348.exe | c4586915.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\04051799.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04051799.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9723996.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9723996.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5788348.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5788348.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5687024.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5687024.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5725355.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5725355.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6922324.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6922324.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 6)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe (depth 6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 580
            - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4586915.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4586915.exe
        - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 728 -ip 728
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9723996.exe
  Filesize: 532KB
  MD5: b6101befc910a8f33f3f98bf655df0ba
  SHA1: 3ccfedaab29848407e78cb6fa0a65ff386f8822b
  SHA256: 1de5b6cda08bd60e2ac1ad12ccf909c412ed5c6e7f9f86f09e76c825a59ac6ce
  SHA512: fe3ea30572f9ab4c84bf632f5601fb85a03997a68225b0cf76ceff57a915f17b8adda0116b5216de7a4805618d27a3fa65c61580530fb635668a10a5141096e5
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5788348.exe
  Filesize: 359KB
  MD5: 31e4745b938f0bf68909778d85eae525
  SHA1: 57d46e9a00f99fe1df1e25f6f01f457b4018d6b8
  SHA256: 8661639edfecae2430f83dd3dfc4d4c280f1ed7eea0ddd2a7224fbe3ff38e04e
  SHA512: e1517ac305638e0187d968622b8db04759f8c98f89f7a67b4ed1444cf10b4b5e0866b5273b74011ac069294ba562b46c7a4f224275ad9a6bc0593fac2e2243fd
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4586915.exe
  Filesize: 172KB
  MD5: 129b2b454fb700bd8bcdcf0a49b51f16
  SHA1: 0bde3bf63b45a414d25f7c1b34903943011d6a19
  SHA256: 1954d4499cd394b022859c5d58ea03554502f32e11ee83c0f9f310f3dae69459
  SHA512: 4317bc78bcd79fcf33f6fad27f013c08dd84507743194e07e984a891c34d4b4c5e30aa56a38c662b445dc2c2463f5a9a6a0b8a9ad49db309282fa206e9553321
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5687024.exe
  Filesize: 204KB
  MD5: 6097751ed3df160512a6a37992436174
  SHA1: d1969f66bba19acff9caea8bb2f644488d8bab7a
  SHA256: 3fd0047cd3be2a9df5bb1ad00068bdba16190db9ef465cc9114a74cfb7229821
  SHA512: 3c54383a06d314486b93b554535a95f2d2d3ac7004054266af0511badbe84be47671fb6f72e272ff6c876aa2922d2533ebb03f543cf03c15cd1d3dc9e5fd49c2
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5725355.exe
  Filesize: 14KB
  MD5: d3d87170f33a48331be5be99edc20af6
  SHA1: 72ea65fac28d416ff5bd647fddac013e35e1ec22
  SHA256: 1c369346d97e3609e7ba3ec91026c8c8325cc35b8f7b7ec4e841bf5c7768340c
  SHA512: 3491340238582e9999632b98b8baee9a73a452fb99be6e194ef66859070c9f1209dbe00adceb79b3f0fafc7cee7be3b76f644123423ce407b023f24cdbc2b5c4
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6922324.exe
  Filesize: 120KB
  MD5: 11016677ce6f3e622ae434d0a056afb8
  SHA1: d566eeb451d11bc6eafe10c72239072cc87e52c2
  SHA256: 8605ec069b83887524e5293c156e8bb80138bf777845fb724b21bd27bb8be1b1
  SHA512: 24c029a6a0f3901f9465ada16f9b1640955d35625610e776ece0d5f294d4b1916f1fc2cc4996170c55634d83085650b7d59ab9b56964053ce91786d7301401f9
- memory/2036-161-0x0000000000EF0000-0x0000000000EFA000-memory.dmp
  Filesize: 40KB
- memory/2272-175-0x00000000007F0000-0x0000000000820000-memory.dmp
  Filesize: 192KB
- memory/2272-176-0x000000000AAB0000-0x000000000B0C8000-memory.dmp
  Filesize: 6.1MB
- memory/2272-177-0x000000000A630000-0x000000000A73A000-memory.dmp
  Filesize: 1.0MB
- memory/2272-178-0x000000000A570000-0x000000000A582000-memory.dmp
  Filesize: 72KB
- memory/2272-179-0x000000000A5D0000-0x000000000A60C000-memory.dmp
  Filesize: 240KB
- memory/2272-180-0x0000000002950000-0x0000000002960000-memory.dmp
  Filesize: 64KB
- memory/2272-182-0x0000000002950000-0x0000000002960000-memory.dmp
  Filesize: 64KB
- memory/4312-167-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB