Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: 08723799.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 08723799.exe
  Resource: win10v2004-20230220-en
General
Target: 08723799.exe
Size: 738KB
MD5: ce8e78f602a55a5952ead887f3e632d5
SHA1: 1a12e0a2a4ad9307270c61649f3262b26209e7e4
SHA256: f96e2f36eb80d62032e1266804efadc3d35926cff9dd6fed1461af79cffa236a
SHA512: b903698d11c96ba0a6297332e919d5c14d542cb07554e9b84afbf7e4a58b3d8753a4887d1f8c9d1793d1c0bbab45d5bc66efd7f028e23ed47f501aab211fa945
SSDEEP: 12288:4Mrdy9044PkO6cExehlE0SMrEaploc2SOJOuSxo0PW4xyZf8A5BRyP1/+:lyFncEx0l5Jp2SOM5x1WIyZFB8P1/+
Malware Config
Extracted
redline
maxi
83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: a2502541.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a2502541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a2502541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a2502541.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a2502541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a2502541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a2502541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 6 IoCs
Processes: v6963026.exe, v5589596.exe, v5710896.exe, a2502541.exe, b3705868.exe, c0834935.exe
pid | process
2184 | v6963026.exe
4804 | v5589596.exe
3280 | v5710896.exe
556 | a2502541.exe
2964 | b3705868.exe
228 | c0834935.exe
Windows security modification
Processes: a2502541.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a2502541.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 08723799.exe, v6963026.exe, v5589596.exe, v5710896.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 08723799.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6963026.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v6963026.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5589596.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5589596.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5710896.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v5710896.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 08723799.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: b3705868.exe
description | pid | process | target process
PID 2964 set thread context of 3640 | 2964 | b3705868.exe | AppLaunch.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
624 | 2964 | WerFault.exe | b3705868.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: a2502541.exe, AppLaunch.exe
pid | process
556 | a2502541.exe
556 | a2502541.exe
3640 | AppLaunch.exe
3640 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a2502541.exe, AppLaunch.exe
description | pid | process
Token: SeDebugPrivilege | 556 | a2502541.exe
Token: SeDebugPrivilege | 3640 | AppLaunch.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 08723799.exe, v6963026.exe, v5589596.exe, v5710896.exe, b3705868.exe
description | pid | process | target process
PID 4968 wrote to memory of 2184 | 4968 | 08723799.exe | v6963026.exe
PID 4968 wrote to memory of 2184 | 4968 | 08723799.exe | v6963026.exe
PID 4968 wrote to memory of 2184 | 4968 | 08723799.exe | v6963026.exe
PID 2184 wrote to memory of 4804 | 2184 | v6963026.exe | v5589596.exe
PID 2184 wrote to memory of 4804 | 2184 | v6963026.exe | v5589596.exe
PID 2184 wrote to memory of 4804 | 2184 | v6963026.exe | v5589596.exe
PID 4804 wrote to memory of 3280 | 4804 | v5589596.exe | v5710896.exe
PID 4804 wrote to memory of 3280 | 4804 | v5589596.exe | v5710896.exe
PID 4804 wrote to memory of 3280 | 4804 | v5589596.exe | v5710896.exe
PID 3280 wrote to memory of 556 | 3280 | v5710896.exe | a2502541.exe
PID 3280 wrote to memory of 556 | 3280 | v5710896.exe | a2502541.exe
PID 3280 wrote to memory of 2964 | 3280 | v5710896.exe | b3705868.exe
PID 3280 wrote to memory of 2964 | 3280 | v5710896.exe | b3705868.exe
PID 3280 wrote to memory of 2964 | 3280 | v5710896.exe | b3705868.exe
PID 2964 wrote to memory of 3640 | 2964 | b3705868.exe | AppLaunch.exe
PID 2964 wrote to memory of 3640 | 2964 | b3705868.exe | AppLaunch.exe
PID 2964 wrote to memory of 3640 | 2964 | b3705868.exe | AppLaunch.exe
PID 2964 wrote to memory of 3640 | 2964 | b3705868.exe | AppLaunch.exe
PID 2964 wrote to memory of 3640 | 2964 | b3705868.exe | AppLaunch.exe
PID 4804 wrote to memory of 228 | 4804 | v5589596.exe | c0834935.exe
PID 4804 wrote to memory of 228 | 4804 | v5589596.exe | c0834935.exe
PID 4804 wrote to memory of 228 | 4804 | v5589596.exe | c0834935.exe
Processes
C:\Users\Admin\AppData\Local\Temp\08723799.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08723799.exe"
  PID: 4968
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe
    PID: 2184
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe
      PID: 4804
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe
        PID: 3280
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe
          PID: 556
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe
          PID: 2964
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 6)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3640
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\WerFault.exe (depth 6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 140
            PID: 624
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe
        PID: 228
        - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2964 -ip 2964
  PID: 2676
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe
  Filesize: 531KB
  MD5: 3efd4c2348bd4546ecff74cb06923e76
  SHA1: 900eabd5d0d2d492e7b1d71601a359f42a3831d0
  SHA256: 3ff165b739551eefdaebcb2344dfae73a5ead2409508fb88063a64bd0fcfc5e1
  SHA512: 84bc7f1a815375d790ea0fe25df86fa7d1ca467393d5dd54a590bbee39678e1467dca940d1f7e38e1651b8676cd236f37c1248fb9357d25fd28f0604d1c41049
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe
  Filesize: 359KB
  MD5: 47864224d1c8e2f8e30fbcd5c760177e
  SHA1: f2884d9878e0c959efed91536258cd8d7884ac88
  SHA256: 88f9e1c1d40e814f5927dcbf9484db9bfc21277daba485bf456bc9752ac515eb
  SHA512: 73427de62a424aefb0f2812ae6c84071f62af3cd6fbd49fad25c332bd09d21fc09a8e83a318b0c5f2337face73156ec51276664b0a2a8eab9a9469e5fd9ba3fc
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe
  Filesize: 172KB
  MD5: ef982035f7924741b055054c44037626
  SHA1: 5d820585a41fb051ac607c577a3aa3bb76ec8160
  SHA256: c9f3e6d150e334a044ac942570612c31f0324d76e4bac0df2fbaf8f7485aa0c4
  SHA512: 5816ea55fb8532d6b4279e6252a2ad99b8f81a2185828b95ecb81edffc31500ffccdf3eff3dccfe6b19e9a62ecdf013edb87f848e5985ce01ed610a834953bd5
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe
  Filesize: 203KB
  MD5: 1785a7c83f2bfe56ad1c94d4fe699f06
  SHA1: 6133f724f0c9d345797e8722162fbf043fa0a7af
  SHA256: 46121870ae506abb9d63fca74a3685d4db9cd98ef190a2e0b4ef2ae4fca112ad
  SHA512: 8fe0865971e1c669d0c5070c7ffc10e3564d9509a008d3273b9b53fbacb145ba5a496f3576aaa34eee2d7f972be8d129669af2490fc97fd19e4b19149ab3c806
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe
  Filesize: 13KB
  MD5: 9a6951d27510a660faed05ab6966cbf4
  SHA1: 4918aaec8be9798e773a632c0d2a786797d3b4f5
  SHA256: 7979c6644af8a5837993858a5a369ec99eb3a89d0aa2ff2c48eb925ded90f865
  SHA512: b29988d44039e8c8dc179259775a06e7997bb78284892448a5759b25aa235159b011d5af160610bc402aebad9966803ff8379414e6bc03d13a0aeb6e5c8426f4
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe
  Filesize: 120KB
  MD5: a4a521f4f98ccebcbd886bf1f6a738bd
  SHA1: bd06ba0ca8c29b4b27d2de6a228a35dabf71e015
  SHA256: e17dd10c00aa12e62d2321f272b01d5662fd02619ed436645934813452679ff6
  SHA512: 4a19298fdaeaa77a9f96d571033a15f801c5b07693c9e73e91e36940ff3a017e2266a4efa9b3cae30e0b0dbb2b2574694ec42baa07ef0678a55f5f4cfef8e6d6
memory/228-175-0x0000000000100000-0x0000000000130000-memory.dmp
  Filesize: 192KB
memory/228-176-0x000000000A500000-0x000000000AB18000-memory.dmp
  Filesize: 6.1MB
memory/228-177-0x000000000A080000-0x000000000A18A000-memory.dmp
  Filesize: 1.0MB
memory/228-178-0x0000000009FC0000-0x0000000009FD2000-memory.dmp
  Filesize: 72KB
memory/228-179-0x000000000A020000-0x000000000A05C000-memory.dmp
  Filesize: 240KB
memory/228-180-0x00000000024F0000-0x0000000002500000-memory.dmp
  Filesize: 64KB
memory/228-182-0x00000000024F0000-0x0000000002500000-memory.dmp
  Filesize: 64KB
memory/556-161-0x0000000000740000-0x000000000074A000-memory.dmp
  Filesize: 40KB
memory/3640-167-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB