Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 14:59

Static task: static1
Behavioral task: behavioral1
Sample: 8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe
Resource: win10v2004-20230220-en
General

Target: 8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe
Size: 734KB
MD5: b5cb9a4b76f6dfd9264504f976b8582d
SHA1: c8b21b12f9849f6b5ddd0903d259f5b80275d0fc
SHA256: 8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175
SHA512: fd141f9ebd5441cac42691d9ec9e46b62b405f736b4ef4c3c44f801f040e852a65106fbfdca2d56b44fd39bea693a0b555de041e64fc9bba18ebfccdc0a32131
SSDEEP: 12288:2MrjBy90JbYz/kDqodUFVCNlFffHJhNJ7b3KMcYLaXE+jMVVqftxG2SxA:5By4U72qCUQFf1J7wY8JMnqrGJxA
Malware Config

Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3030276.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a3030276.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a3030276.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a3030276.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a3030276.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a3030276.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
Processes:
pid | process
2752 | v9189362.exe
2096 | v4260240.exe
3860 | v7032959.exe
2316 | a3030276.exe
3472 | b3496119.exe
4616 | c8841072.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3030276.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4260240.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4260240.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7032959.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v7032959.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9189362.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v9189362.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3472 set thread context of 3528 | 3472 | b3496119.exe | AppLaunch.exe

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
216 | 3472 | WerFault.exe | b3496119.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
pid | process
2316 | a3030276.exe (2 entries)
3528 | AppLaunch.exe (2 entries)
4616 | c8841072.exe (20 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2316 | a3030276.exe
Token: SeDebugPrivilege | 3528 | AppLaunch.exe
Token: SeDebugPrivilege | 4616 | c8841072.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
description | pid | process | target process
PID 5096 wrote to memory of 2752 | 5096 | 8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe | v9189362.exe (3 entries)
PID 2752 wrote to memory of 2096 | 2752 | v9189362.exe | v4260240.exe (3 entries)
PID 2096 wrote to memory of 3860 | 2096 | v4260240.exe | v7032959.exe (3 entries)
PID 3860 wrote to memory of 2316 | 3860 | v7032959.exe | a3030276.exe (2 entries)
PID 3860 wrote to memory of 3472 | 3860 | v7032959.exe | b3496119.exe (3 entries)
PID 3472 wrote to memory of 3528 | 3472 | b3496119.exe | AppLaunch.exe (5 entries)
PID 2096 wrote to memory of 4616 | 2096 | v4260240.exe | c8841072.exe (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8c519136fb09ae5a508ed98e882466bcb329dfc2fb79e070bc5dfb0051fcf175.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 140
              - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3472 -ip 3472
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9189362.exe
  Filesize: 530KB
  MD5: ae765ddfbeb7c875ef91204328eeb41d
  SHA1: 362dbd6df82f9c99fa0ed5dc6bf8f68ea626728b
  SHA256: 5cd8f9dfea6d323ee811ce6fa0617e6f65e78e7169cf48f49a73e0e8bda93191
  SHA512: 576a16d3249d15e6b90e46bffd37b5578bb570ab81860a898a8e3ec44126cc18fd8ed3f2d3b69cb4fe085c46391882306b69d258e0c75ed5de669f95400e3e81

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4260240.exe
  Filesize: 358KB
  MD5: 5eaef42842b5a7fd6e9f69cd39554174
  SHA1: d831b1ca87310a7f6e6bd8671e8b64a043b0c0e1
  SHA256: cdaaa5fc791100decea31f408d56a473d914216f0eeb23e72064d2dd1177614f
  SHA512: 2b6f0c5aad8082d8e88226057f8ee6959ed60f9b47346a60c74770faeb3b59b2eb2ccfef8662d80c474ac42195a9300becea238aa7be29d8736d251d17cdd80f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8841072.exe
  Filesize: 172KB
  MD5: 1be663d1abc8c80466b6983f4c6c03c1
  SHA1: 875838e1ca4bd688eda6e64e29c0f759b2914a4d
  SHA256: 813a9f5b35c768cb95326fc2a109fabf70711dd635b1aa62b5d3d2c5a343b2d5
  SHA512: a83cbe87d8f83567fa9235d6e6bb8fc7d42a964940b824bebd5b130c3ae09c1d174dad8ff01f3e3b3d86c1f9fd66b1fe8bbbe78a40d5904a6156c85c602b8780

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7032959.exe
  Filesize: 203KB
  MD5: 37d5ddc6cf56e656a7c57efa3664b016
  SHA1: 74f2ddfe3943eaf0c1a6fc36697fadf31e084f52
  SHA256: e7a8e5b30485af6190adfdae236dfc126da8e707df8b0e75bb63608a614cb4f0
  SHA512: 3ffca4b5385638e96d479d609b92ba1d03fc83cd08148cd78ff0c9530ddd543db2aba1151eedd3b784697a44ffb44cc8103eaf3a97df7f0e5b5bde9ac71c5a82

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3030276.exe
  Filesize: 14KB
  MD5: 2869e46b33ece6f0afd03fbad7bb338d
  SHA1: 784a9d3e212d059795b2981068f98fc2e6703f1a
  SHA256: 2288b47b9dc1f8865e567d06e05e480f9d8bc43d290e0c3922f96fbd420e5509
  SHA512: e24eccbd38fe164000cd2b7d6e6c557263cdeaa7668449bf21b8df93ef7374a6979f7ba1cdef66d2e82a18f3567f738dbf4b2ceebaad6a1140305185a47ed520

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3496119.exe
  Filesize: 120KB
  MD5: b03d4dbc407b835c9113153feae96078
  SHA1: d33963e90b1581dc473127acd7b87d9d4213fbff
  SHA256: 16ff41b160e7e51c6975efed48c52cc5c223c3c7c9c114e07e52638818c71cc6
  SHA512: e8f5977d6dd74bfece120c5e208b4ae3a79bf86446e7a9fa3d9c6d7d8e3a8632210cccbc844196639ee9ada0546254561cba4dfa48c8dfc301fb5f82f806c5aa

memory/2316-161-0x0000000000DF0000-0x0000000000DFA000-memory.dmp
  Filesize: 40KB
memory/3528-167-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
memory/4616-175-0x00000000009D0000-0x0000000000A00000-memory.dmp
  Filesize: 192KB
memory/4616-176-0x000000000AC90000-0x000000000B2A8000-memory.dmp
  Filesize: 6.1MB
memory/4616-177-0x000000000A810000-0x000000000A91A000-memory.dmp
  Filesize: 1.0MB
memory/4616-178-0x000000000A750000-0x000000000A762000-memory.dmp
  Filesize: 72KB
memory/4616-179-0x000000000A7B0000-0x000000000A7EC000-memory.dmp
  Filesize: 240KB
memory/4616-180-0x00000000052E0000-0x00000000052F0000-memory.dmp
  Filesize: 64KB
memory/4616-181-0x000000000AAC0000-0x000000000AB36000-memory.dmp
  Filesize: 472KB
memory/4616-182-0x000000000ABE0000-0x000000000AC72000-memory.dmp
  Filesize: 584KB
memory/4616-183-0x000000000B860000-0x000000000BE04000-memory.dmp
  Filesize: 5.6MB
memory/4616-184-0x000000000B3B0000-0x000000000B416000-memory.dmp
  Filesize: 408KB
memory/4616-185-0x000000000B7E0000-0x000000000B830000-memory.dmp
  Filesize: 320KB
memory/4616-187-0x00000000052E0000-0x00000000052F0000-memory.dmp
  Filesize: 64KB
memory/4616-188-0x000000000C0E0000-0x000000000C2A2000-memory.dmp
  Filesize: 1.8MB
memory/4616-189-0x000000000C7E0000-0x000000000CD0C000-memory.dmp
  Filesize: 5.2MB