Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 15:44
Static task: static1
Behavioral task: behavioral1
  Sample: 08153099.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 08153099.exe
  Resource: win10v2004-20230221-en
General
Target: 08153099.exe
Size: 737KB
MD5: 8cbd362081a1042c0469f35ab503929c
SHA1: 28ddb29e27f7b59d45a6dc38a4ded65d3c6ac841
SHA256: bb256ee62b85dc522d2c8694681f789bfb3bbd19160cf544b950b581787ce570
SHA512: b5e52a436138a01fb8222d7122c52936ab4d1b01e14f95e08eb1dc816d4c422649d17cb43d2fd7143af5b86ba01036db7d13eac6e156b4d9e92dc64655c973c1
SSDEEP: 12288:HMr+y90uCiCEnr+3C0zPlUHlbxW4fnHuArtGxdWi0Bb4lBXt87ELPf:Jy4ib8qHlbxW42aIbW1BMlBdlf
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: a8546891.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a8546891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a8546891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a8546891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a8546891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a8546891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a8546891.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v1929268.exe, v4755630.exe, v6659796.exe, a8546891.exe, b4448971.exe, c5077409.exe
pid | process
1804 | v1929268.exe
3012 | v4755630.exe
3764 | v6659796.exe
3904 | a8546891.exe
4996 | b4448971.exe
2676 | c5077409.exe
-
Windows security modification
Processes: a8546891.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a8546891.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 08153099.exe, v1929268.exe, v4755630.exe, v6659796.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 08153099.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 08153099.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v1929268.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1929268.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4755630.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4755630.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6659796.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6659796.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b4448971.exe
description | pid | process | target process
PID 4996 set thread context of 2316 | 4996 | b4448971.exe | AppLaunch.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3292 | 4996 | WerFault.exe | b4448971.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: a8546891.exe, AppLaunch.exe
pid | process
3904 | a8546891.exe
3904 | a8546891.exe
2316 | AppLaunch.exe
2316 | AppLaunch.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a8546891.exe, AppLaunch.exe
description | pid | process
Token: SeDebugPrivilege | 3904 | a8546891.exe
Token: SeDebugPrivilege | 2316 | AppLaunch.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 08153099.exe, v1929268.exe, v4755630.exe, v6659796.exe, b4448971.exe
description | pid | process | target process
PID 4896 wrote to memory of 1804 | 4896 | 08153099.exe | v1929268.exe
PID 4896 wrote to memory of 1804 | 4896 | 08153099.exe | v1929268.exe
PID 4896 wrote to memory of 1804 | 4896 | 08153099.exe | v1929268.exe
PID 1804 wrote to memory of 3012 | 1804 | v1929268.exe | v4755630.exe
PID 1804 wrote to memory of 3012 | 1804 | v1929268.exe | v4755630.exe
PID 1804 wrote to memory of 3012 | 1804 | v1929268.exe | v4755630.exe
PID 3012 wrote to memory of 3764 | 3012 | v4755630.exe | v6659796.exe
PID 3012 wrote to memory of 3764 | 3012 | v4755630.exe | v6659796.exe
PID 3012 wrote to memory of 3764 | 3012 | v4755630.exe | v6659796.exe
PID 3764 wrote to memory of 3904 | 3764 | v6659796.exe | a8546891.exe
PID 3764 wrote to memory of 3904 | 3764 | v6659796.exe | a8546891.exe
PID 3764 wrote to memory of 4996 | 3764 | v6659796.exe | b4448971.exe
PID 3764 wrote to memory of 4996 | 3764 | v6659796.exe | b4448971.exe
PID 3764 wrote to memory of 4996 | 3764 | v6659796.exe | b4448971.exe
PID 4996 wrote to memory of 2316 | 4996 | b4448971.exe | AppLaunch.exe
PID 4996 wrote to memory of 2316 | 4996 | b4448971.exe | AppLaunch.exe
PID 4996 wrote to memory of 2316 | 4996 | b4448971.exe | AppLaunch.exe
PID 4996 wrote to memory of 2316 | 4996 | b4448971.exe | AppLaunch.exe
PID 4996 wrote to memory of 2316 | 4996 | b4448971.exe | AppLaunch.exe
PID 3012 wrote to memory of 2676 | 3012 | v4755630.exe | c5077409.exe
PID 3012 wrote to memory of 2676 | 3012 | v4755630.exe | c5077409.exe
PID 3012 wrote to memory of 2676 | 3012 | v4755630.exe | c5077409.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\08153099.exe (PID 4896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08153099.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1929268.exe (PID 1804)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1929268.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4755630.exe (PID 3012)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4755630.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6659796.exe (PID 3764)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6659796.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8546891.exe (PID 3904)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8546891.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4448971.exe (PID 4996)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4448971.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2316)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe (PID 3292)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 140
            - Program crash
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5077409.exe (PID 2676)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5077409.exe
        - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 4812)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4996 -ip 4996
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1929268.exe
Filesize 531KB
MD5 6c837aaca276f685b92859982affa8eb
SHA1 b7e396c9dd6a037758f2a435a26e94235e90501c
SHA256 4bb2837eb5e65283feda7e311a5a24bc316e84d01afd27b7f98689e3e7f7d831
SHA512 c67aa35152215abe5956b2009fb155dbb239b84d4a879ee22e59a4f3959974e78621dc543649b235d80e869ff74b99b3b7a81776f1f192cf9ec5ab0ae7bd295f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4755630.exe
Filesize 358KB
MD5 7f546d704efff592e526092a58e040ef
SHA1 d7f0022749d28255da77feace3e06501be5c5be7
SHA256 20c8b9610b939c8a480de86cbc4252747aa2be56da787b372c04ac5e81a9fad9
SHA512 10a7bbc6f600660475daff9be7d9d3a12d274adad515f867afd1daecf984cce4d9b8d720832d5d4af0b361eb262f05684c63da6412a3fd18234327f89b090fdc
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5077409.exe
Filesize 172KB
MD5 dc120875e72748f625a41442517a9d6f
SHA1 a087e4970a06a85d322fdd4e8b557feb305e52fd
SHA256 b1d80f171c0846afcf0b18f95f0543d65e430c262721c01ee0cc5eb268a761a5
SHA512 03740a35f17cd966b8f16a40c2fd79568c014d70564ff59869571ed1ae818f0325a5f9fb45d2d9a0ea08752c61dcb85a69b281fc56f9ad90717e80bd492b15f5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6659796.exe
Filesize 203KB
MD5 4da82f331b132b20c8a7ae87c5f031b1
SHA1 ec77ec89fed6fd93f0186bfc6d2dfa091951bf3a
SHA256 2c6967e40196bc2011a4215c50abc56c82c37c7c494d700190dd10f0a7b943c8
SHA512 6005557b038e541ab0640029d84b1c435a1e39b6f6648e94760f36a9790f67587a305896b4bbaf5003a8198c43c764cc6d556041ac1ebff979e2575411c6064c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8546891.exe
Filesize 13KB
MD5 2c9ddf554832270a968d90d04c46c051
SHA1 855575a1cf07ca8da1a9a60ed7a072aa8a5c83fb
SHA256 00e4079547615d86a7c32cc4ba6c5759e222386d7fb7867f1adc486948e7d938
SHA512 e640f4c6a2c608097ef695ebfe08d8cb2a30baa2d8b7d8d1ca9ee4e3f3ef84d2c20ea88b5cca9edaccfd485c1a0a266f5963fba896ac87006c114d8fe036c4a5
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4448971.exe
Filesize 120KB
MD5 a7205c3b046170a75bf755fac79b48a1
SHA1 97c363a608bdeea74101dd54f0bbb706d8cf6f67
SHA256 e95936efc8e6269c57d307c158bae2c4e034f01e4a0b100a70dfa1e32b573407
SHA512 eda7706d8a79945fbe0eccc1710259f524d993ab4d9d93f6f6b69f55c793e185f43d16b1d1bb774452c0c7ab307bc39d9e3f6528a4bb83032dc96623619fb8db
-
memory/2316-167-0x00000000005B0000-0x00000000005BA000-memory.dmp
Filesize 40KB
-
memory/2676-175-0x0000000000810000-0x0000000000840000-memory.dmp
Filesize 192KB
-
memory/2676-176-0x000000000AB80000-0x000000000B198000-memory.dmp
Filesize 6.1MB
-
memory/2676-177-0x000000000A670000-0x000000000A77A000-memory.dmp
Filesize 1.0MB
-
memory/2676-178-0x000000000A590000-0x000000000A5A2000-memory.dmp
Filesize 72KB
-
memory/2676-179-0x000000000A5F0000-0x000000000A62C000-memory.dmp
Filesize 240KB
-
memory/2676-180-0x00000000051D0000-0x00000000051E0000-memory.dmp
Filesize 64KB
-
memory/2676-182-0x00000000051D0000-0x00000000051E0000-memory.dmp
Filesize 64KB
-
memory/3904-161-0x0000000000B70000-0x0000000000B7A000-memory.dmp
Filesize 40KB