Overview

overview

10

Static

static

3

09811099.exe

windows7-x64

10

09811099.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09811099.exe

  • Size

    737KB

  • MD5

    9968629604b0af2009ef3e43a792358f

  • SHA1

    f535bd273a8c8f2d77c2fe35df5211ec7da3fe3c

  • SHA256

    c696584fb5084e55156a6246b2ca1e8da0331253c283751408f64cf0a3061119

  • SHA512

    5a7f071e5b7d6de7d2285b6109472bc335c108f7292967962193ab4159f365ad9c5b688f8e3849163daf8688861a0942b663dbb4052dce7efda582fe428ee13f

  • SSDEEP

    12288:HMrNy90BT5JxRaLfMLXGvd3Lr/Dv3UM8wlimOAAhKeJJqkKxcoZ:GymxaL2Glbr/AtgcLhxqTZ

Score
10/10
redlinedizaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09811099.exe
    "C:\Users\Admin\AppData\Local\Temp\09811099.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2133624.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2133624.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4419937.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4419937.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8575116.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8575116.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3944
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7589791.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7589791.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3836
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4776
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 148
              6⤵
              • Program crash
              PID:2352
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2514076.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2514076.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3504
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5243724.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5243724.exe
          4⤵
          • Executes dropped EXE
          PID:4404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3836 -ip 3836
    1⤵
      PID:4292

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2133624.exe
      Filesize

      531KB

      MD5

      348d3f5ef7fc94477649cc30df1e72e4

      SHA1

      797066839be3c582f90765a18deadb0f4e569c10

      SHA256

      a1dd48565b08de5c64505d72a48e23d721641592b8cade546a1239cb6cf52525

      SHA512

      f4907171472854d177bca490e62ca1874f8e81f608d117b7c3fdc96b20cc5ede31a9c821a1d6702a1781fb3ea3b5572c489bbcab7fdf06c035788f89d5559aef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2133624.exe
      Filesize

      531KB

      MD5

      348d3f5ef7fc94477649cc30df1e72e4

      SHA1

      797066839be3c582f90765a18deadb0f4e569c10

      SHA256

      a1dd48565b08de5c64505d72a48e23d721641592b8cade546a1239cb6cf52525

      SHA512

      f4907171472854d177bca490e62ca1874f8e81f608d117b7c3fdc96b20cc5ede31a9c821a1d6702a1781fb3ea3b5572c489bbcab7fdf06c035788f89d5559aef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4419937.exe
      Filesize

      359KB

      MD5

      b3fb0453c0286a5e5c0bffd88ac125c0

      SHA1

      da26d2b2e61f8dd3d178bb956bed26c9325f704e

      SHA256

      0ab78f332790f3ee1255f5c485c23676d44de35359f33f89b896e46550ea5103

      SHA512

      a7f7e7c0fd456aea031b2c080f6b4a7c73d0d8fdb97faac6c04478e93f8ca8838a3f7605e5858bf5e16876340b273fd430725f236aa04b97a191400e11da410d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4419937.exe
      Filesize

      359KB

      MD5

      b3fb0453c0286a5e5c0bffd88ac125c0

      SHA1

      da26d2b2e61f8dd3d178bb956bed26c9325f704e

      SHA256

      0ab78f332790f3ee1255f5c485c23676d44de35359f33f89b896e46550ea5103

      SHA512

      a7f7e7c0fd456aea031b2c080f6b4a7c73d0d8fdb97faac6c04478e93f8ca8838a3f7605e5858bf5e16876340b273fd430725f236aa04b97a191400e11da410d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5243724.exe
      Filesize

      172KB

      MD5

      37656b8d1ada38e9cb62de9264ab2c5c

      SHA1

      274b0e756180e5b25e9ed76a98c511ebed4821b3

      SHA256

      b73bf7888d5ae3876f051289dbc5e42160b6023246aa7fedd07097f821635d84

      SHA512

      66542906c03933689aeaa798163a58a13a8c85f68c1f2ed35cb22e1220db646cfbc6fa0fd3ac0c94db7ae761e03de53aa7f072fdf5370d94bc88640c9e50920e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5243724.exe
      Filesize

      172KB

      MD5

      37656b8d1ada38e9cb62de9264ab2c5c

      SHA1

      274b0e756180e5b25e9ed76a98c511ebed4821b3

      SHA256

      b73bf7888d5ae3876f051289dbc5e42160b6023246aa7fedd07097f821635d84

      SHA512

      66542906c03933689aeaa798163a58a13a8c85f68c1f2ed35cb22e1220db646cfbc6fa0fd3ac0c94db7ae761e03de53aa7f072fdf5370d94bc88640c9e50920e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8575116.exe
      Filesize

      203KB

      MD5

      5fd738ac7cf7a144bec935fca4b26ded

      SHA1

      a29f05a4aca015f9d7789c91fdb6c229ca8fee58

      SHA256

      1d1055607540f387b993cdca3c21da90ff3c2dcbff16d4e25c6b3939d2ac4297

      SHA512

      737b790d77da05547652eef1003e01f267f491d36d9df15cfaba483c35fa84e004bdaca7bc7d7a5667101f82d6abf92ddcaeceae135650a78452feff4fea5e16

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8575116.exe
      Filesize

      203KB

      MD5

      5fd738ac7cf7a144bec935fca4b26ded

      SHA1

      a29f05a4aca015f9d7789c91fdb6c229ca8fee58

      SHA256

      1d1055607540f387b993cdca3c21da90ff3c2dcbff16d4e25c6b3939d2ac4297

      SHA512

      737b790d77da05547652eef1003e01f267f491d36d9df15cfaba483c35fa84e004bdaca7bc7d7a5667101f82d6abf92ddcaeceae135650a78452feff4fea5e16

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7589791.exe
      Filesize

      120KB

      MD5

      0143b81b956191a04f6d42e1ffce3942

      SHA1

      9b11d17c1be424384b55cab5d3ed99f9bd376726

      SHA256

      c6665d7852dee446a69529528918ad19b5a43a68f6d6566ae727d9dfbe05c0f5

      SHA512

      9355386ca7cc476904d8c3e84936e22e94eee2ad9d435efd011a1081f488b5ba37dbae663f075ca9793cd58d351869a3e8436eb19c0fe500b833bbb6c16a7912

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7589791.exe
      Filesize

      120KB

      MD5

      0143b81b956191a04f6d42e1ffce3942

      SHA1

      9b11d17c1be424384b55cab5d3ed99f9bd376726

      SHA256

      c6665d7852dee446a69529528918ad19b5a43a68f6d6566ae727d9dfbe05c0f5

      SHA512

      9355386ca7cc476904d8c3e84936e22e94eee2ad9d435efd011a1081f488b5ba37dbae663f075ca9793cd58d351869a3e8436eb19c0fe500b833bbb6c16a7912

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2514076.exe
      Filesize

      14KB

      MD5

      d16bf3ddf75c422b042ccb9bcafc6fd3

      SHA1

      c592fb480fa0fddf86ecb50d848ac4173d950214

      SHA256

      2e3addfd795bc7e1ab11f85464282a1be9afdac2ff65aeb3505dcfd5091abe8f

      SHA512

      cc559d6035277de612542052937eaed66feab2fd052438ac0eaab3f861e3b611a1ea1eb1bb9cba050d21bb8663492c3e6701fe93eb90650587e8bbdcedb0b0c9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2514076.exe
      Filesize

      14KB

      MD5

      d16bf3ddf75c422b042ccb9bcafc6fd3

      SHA1

      c592fb480fa0fddf86ecb50d848ac4173d950214

      SHA256

      2e3addfd795bc7e1ab11f85464282a1be9afdac2ff65aeb3505dcfd5091abe8f

      SHA512

      cc559d6035277de612542052937eaed66feab2fd052438ac0eaab3f861e3b611a1ea1eb1bb9cba050d21bb8663492c3e6701fe93eb90650587e8bbdcedb0b0c9

      Download Submit

    • memory/3504-170-0x00000000005B0000-0x00000000005BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4404-176-0x00000000000D0000-0x0000000000100000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4404-177-0x000000000A420000-0x000000000AA38000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4404-178-0x0000000009F10000-0x000000000A01A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4404-179-0x0000000009E50000-0x0000000009E62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4404-180-0x0000000009EB0000-0x0000000009EEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4404-181-0x0000000004A70000-0x0000000004A80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4404-182-0x0000000004A70000-0x0000000004A80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4776-162-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download