Overview

overview

10

Static

static

3

05850899.exe

windows7-x64

10

05850899.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05850899.exe

  • Size

    734KB

  • MD5

    b5cb9a4b76f6dfd9264504f976b8582d

  • SHA1

    c8b21b12f9849f6b5ddd0903d259f5b80275d0fc

  • SHA256

    8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175

  • SHA512

    fd141f9ebd5441cac42691d9ec9e46b62b405f736b4ef4c3c44f801f040e852a65106fbfdca2d56b44fd39bea693a0b555de041e64fc9bba18ebfccdc0a32131

  • SSDEEP

    12288:2MrjBy90JbYz/kDqodUFVCNlFffHJhNJ7b3KMcYLaXE+jMVVqftxG2SxA:5By4U72qCUQFf1J7wY8JMnqrGJxA

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05850899.exe
    "C:\Users\Admin\AppData\Local\Temp\05850899.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:100
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3600
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:864
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 152
              6⤵
              • Program crash
              PID:2520
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
          4⤵
          • Executes dropped EXE
          PID:3028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3600 -ip 3600
    1⤵
      PID:472

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      Filesize

      530KB

      MD5

      ae765ddfbeb7c875ef91204328eeb41d

      SHA1

      362dbd6df82f9c99fa0ed5dc6bf8f68ea626728b

      SHA256

      5cd8f9dfea6d323ee811ce6fa0617e6f65e78e7169cf48f49a73e0e8bda93191

      SHA512

      576a16d3249d15e6b90e46bffd37b5578bb570ab81860a898a8e3ec44126cc18fd8ed3f2d3b69cb4fe085c46391882306b69d258e0c75ed5de669f95400e3e81

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      Filesize

      530KB

      MD5

      ae765ddfbeb7c875ef91204328eeb41d

      SHA1

      362dbd6df82f9c99fa0ed5dc6bf8f68ea626728b

      SHA256

      5cd8f9dfea6d323ee811ce6fa0617e6f65e78e7169cf48f49a73e0e8bda93191

      SHA512

      576a16d3249d15e6b90e46bffd37b5578bb570ab81860a898a8e3ec44126cc18fd8ed3f2d3b69cb4fe085c46391882306b69d258e0c75ed5de669f95400e3e81

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
      Filesize

      358KB

      MD5

      5eaef42842b5a7fd6e9f69cd39554174

      SHA1

      d831b1ca87310a7f6e6bd8671e8b64a043b0c0e1

      SHA256

      cdaaa5fc791100decea31f408d56a473d914216f0eeb23e72064d2dd1177614f

      SHA512

      2b6f0c5aad8082d8e88226057f8ee6959ed60f9b47346a60c74770faeb3b59b2eb2ccfef8662d80c474ac42195a9300becea238aa7be29d8736d251d17cdd80f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
      Filesize

      358KB

      MD5

      5eaef42842b5a7fd6e9f69cd39554174

      SHA1

      d831b1ca87310a7f6e6bd8671e8b64a043b0c0e1

      SHA256

      cdaaa5fc791100decea31f408d56a473d914216f0eeb23e72064d2dd1177614f

      SHA512

      2b6f0c5aad8082d8e88226057f8ee6959ed60f9b47346a60c74770faeb3b59b2eb2ccfef8662d80c474ac42195a9300becea238aa7be29d8736d251d17cdd80f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
      Filesize

      172KB

      MD5

      1be663d1abc8c80466b6983f4c6c03c1

      SHA1

      875838e1ca4bd688eda6e64e29c0f759b2914a4d

      SHA256

      813a9f5b35c768cb95326fc2a109fabf70711dd635b1aa62b5d3d2c5a343b2d5

      SHA512

      a83cbe87d8f83567fa9235d6e6bb8fc7d42a964940b824bebd5b130c3ae09c1d174dad8ff01f3e3b3d86c1f9fd66b1fe8bbbe78a40d5904a6156c85c602b8780

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
      Filesize

      172KB

      MD5

      1be663d1abc8c80466b6983f4c6c03c1

      SHA1

      875838e1ca4bd688eda6e64e29c0f759b2914a4d

      SHA256

      813a9f5b35c768cb95326fc2a109fabf70711dd635b1aa62b5d3d2c5a343b2d5

      SHA512

      a83cbe87d8f83567fa9235d6e6bb8fc7d42a964940b824bebd5b130c3ae09c1d174dad8ff01f3e3b3d86c1f9fd66b1fe8bbbe78a40d5904a6156c85c602b8780

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
      Filesize

      203KB

      MD5

      37d5ddc6cf56e656a7c57efa3664b016

      SHA1

      74f2ddfe3943eaf0c1a6fc36697fadf31e084f52

      SHA256

      e7a8e5b30485af6190adfdae236dfc126da8e707df8b0e75bb63608a614cb4f0

      SHA512

      3ffca4b5385638e96d479d609b92ba1d03fc83cd08148cd78ff0c9530ddd543db2aba1151eedd3b784697a44ffb44cc8103eaf3a97df7f0e5b5bde9ac71c5a82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
      Filesize

      203KB

      MD5

      37d5ddc6cf56e656a7c57efa3664b016

      SHA1

      74f2ddfe3943eaf0c1a6fc36697fadf31e084f52

      SHA256

      e7a8e5b30485af6190adfdae236dfc126da8e707df8b0e75bb63608a614cb4f0

      SHA512

      3ffca4b5385638e96d479d609b92ba1d03fc83cd08148cd78ff0c9530ddd543db2aba1151eedd3b784697a44ffb44cc8103eaf3a97df7f0e5b5bde9ac71c5a82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
      Filesize

      14KB

      MD5

      2869e46b33ece6f0afd03fbad7bb338d

      SHA1

      784a9d3e212d059795b2981068f98fc2e6703f1a

      SHA256

      2288b47b9dc1f8865e567d06e05e480f9d8bc43d290e0c3922f96fbd420e5509

      SHA512

      e24eccbd38fe164000cd2b7d6e6c557263cdeaa7668449bf21b8df93ef7374a6979f7ba1cdef66d2e82a18f3567f738dbf4b2ceebaad6a1140305185a47ed520

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
      Filesize

      14KB

      MD5

      2869e46b33ece6f0afd03fbad7bb338d

      SHA1

      784a9d3e212d059795b2981068f98fc2e6703f1a

      SHA256

      2288b47b9dc1f8865e567d06e05e480f9d8bc43d290e0c3922f96fbd420e5509

      SHA512

      e24eccbd38fe164000cd2b7d6e6c557263cdeaa7668449bf21b8df93ef7374a6979f7ba1cdef66d2e82a18f3567f738dbf4b2ceebaad6a1140305185a47ed520

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
      Filesize

      120KB

      MD5

      b03d4dbc407b835c9113153feae96078

      SHA1

      d33963e90b1581dc473127acd7b87d9d4213fbff

      SHA256

      16ff41b160e7e51c6975efed48c52cc5c223c3c7c9c114e07e52638818c71cc6

      SHA512

      e8f5977d6dd74bfece120c5e208b4ae3a79bf86446e7a9fa3d9c6d7d8e3a8632210cccbc844196639ee9ada0546254561cba4dfa48c8dfc301fb5f82f806c5aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
      Filesize

      120KB

      MD5

      b03d4dbc407b835c9113153feae96078

      SHA1

      d33963e90b1581dc473127acd7b87d9d4213fbff

      SHA256

      16ff41b160e7e51c6975efed48c52cc5c223c3c7c9c114e07e52638818c71cc6

      SHA512

      e8f5977d6dd74bfece120c5e208b4ae3a79bf86446e7a9fa3d9c6d7d8e3a8632210cccbc844196639ee9ada0546254561cba4dfa48c8dfc301fb5f82f806c5aa

      Download Submit
    • memory/100-161-0x0000000000DE0000-0x0000000000DEA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/864-167-0x00000000001B0000-0x00000000001BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3028-175-0x0000000000680000-0x00000000006B0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3028-176-0x000000000A940000-0x000000000AF58000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3028-177-0x000000000A4C0000-0x000000000A5CA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3028-178-0x000000000A400000-0x000000000A412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3028-180-0x000000000A460000-0x000000000A49C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3028-179-0x0000000004F90000-0x0000000004FA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3028-182-0x0000000004F90000-0x0000000004FA0000-memory.dmp
      Filesize

      64KB

      Download