Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 18:10
Static task: static1
Behavioral task: behavioral1
Sample: e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe
Resource: win10v2004-20230221-en
General
Target: e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe
Size: 739KB
MD5: ca9cc7d4b935c560cb7d48f85b3b32a2
SHA1: 407ceba8c3ddb5789a4c8f7127c16c8414acd919
SHA256: e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3
SHA512: c07cb6fb8a98bf7e0a42e186e40f7b61973d8327e4fcd49d88e806c5e9e9db0319e69c46084fdd22b89fbfa6ebbc560e3eae9e3a46c0542243332945bbb060d6
SSDEEP: 12288:wMrGy90+O4jEGHVW59ZJgblZ/gjghYDD3DHGGznGCfFT4awt:myxjEGsvZJUlZ/g0+D3JGMJmt
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: AppLaunch.exe, a4716462.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a4716462.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a4716462.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a4716462.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a4716462.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a4716462.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a4716462.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 6 IoCs
Processes: v2243333.exe, v7610011.exe, v9931431.exe, a4716462.exe, b4512777.exe, c4427841.exe
pid | process
4144 | v2243333.exe
2352 | v7610011.exe
1360 | v9931431.exe
2004 | a4716462.exe
3048 | b4512777.exe
5012 | c4427841.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: a4716462.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a4716462.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v9931431.exe, e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe, v2243333.exe, v7610011.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9931431.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v9931431.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v2243333.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v2243333.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7610011.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v7610011.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
Processes: b4512777.exe
description | pid | process | target process
PID 3048 set thread context of 2268 | 3048 | b4512777.exe | AppLaunch.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1620 | 3048 | WerFault.exe | b4512777.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: a4716462.exe, AppLaunch.exe, c4427841.exe
pid | process
2004 | a4716462.exe (2 entries)
2268 | AppLaunch.exe (2 entries)
5012 | c4427841.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a4716462.exe, AppLaunch.exe, c4427841.exe
description | pid | process
Token: SeDebugPrivilege | 2004 | a4716462.exe
Token: SeDebugPrivilege | 2268 | AppLaunch.exe
Token: SeDebugPrivilege | 5012 | c4427841.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe, v2243333.exe, v7610011.exe, v9931431.exe, b4512777.exe
description | pid | process | target process
PID 2564 wrote to memory of 4144 | 2564 | e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe | v2243333.exe (3 entries)
PID 4144 wrote to memory of 2352 | 4144 | v2243333.exe | v7610011.exe (3 entries)
PID 2352 wrote to memory of 1360 | 2352 | v7610011.exe | v9931431.exe (3 entries)
PID 1360 wrote to memory of 2004 | 1360 | v9931431.exe | a4716462.exe (2 entries)
PID 1360 wrote to memory of 3048 | 1360 | v9931431.exe | b4512777.exe (3 entries)
PID 3048 wrote to memory of 2268 | 3048 | b4512777.exe | AppLaunch.exe (5 entries)
PID 2352 wrote to memory of 5012 | 2352 | v7610011.exe | c4427841.exe (3 entries)
Processes
(process tree; the number in brackets is the nesting depth, followed by the command line as executed)
[1] "C:\Users\Admin\AppData\Local\Temp\e4ca5a0125f5acbea1c042fe4a43cf898684896b2d725060d6572350fb1353e3.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2243333.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7610011.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9931431.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4716462.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4512777.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 140
              - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4427841.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3048 -ip 3048
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2243333.exe
Filesize: 532KB
MD5: 8e1656b25e495b0bfcb6fb36e7ffd612
SHA1: 3c807f453ef42c3d39fb0e44d57031eb916e7773
SHA256: b142dc8ed5426b37b2ae094e57b10f6b5d13f858ba754121374f766ee84c47d1
SHA512: a49e3f4c67d483bd8288d896666bc34052a26699c527b89666c722f8f9a6b1579fe3f99c483330bab27611b4233dd2a9e06a4b4d64786e294c81eac7595dfd3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7610011.exe
Filesize: 359KB
MD5: 269f11c8dc7dcbbc1f518f25afdc3227
SHA1: 79a2f6a56c58935a15b3f670c9117b1c38e02002
SHA256: de9732c83aec1975933940e1842af403ac9b97e27d01d7a15c837bdf947a89bd
SHA512: 37e155505f6c5e8a8c278b92a34dd2b287f7c8dabafccacff89ca8308686d9274c72c1dcc9634dc6e2583ca0cc212286e9dbe6f06d31bef0804188ad229c2a3e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4427841.exe
Filesize: 172KB
MD5: 9d2d82dccd511d2878954383752254ed
SHA1: 8a54aec262e24e8c1b23c2dd7cb50e33987dcf4a
SHA256: 9f448b158b6b9a76a27f2d7e7de8b6a22c11e41782d86c28fac68e0ee3aeef16
SHA512: 045b9696a9ce716975e6b373d4869187d016c2c7796874f84690b72112ea3d80a64c37c102759feee8d532e176d592cde84348f2fdf18ee84ebe3988acf93765

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9931431.exe
Filesize: 204KB
MD5: 75e4b0dbf70e7bf181929bc640eba59f
SHA1: e7ff34992ffe3dc3e35c16b7a6a892e194af9a4d
SHA256: 1138b4859bca923f4afdaa982ea5f1418d7dee55665802b04fe7ff5a5f081bec
SHA512: 75e9e9a2365e1e8fbc560612d6f79fcafeac44bfd3f5123f0d382e1b98ceb11d6bffa532b960a67a6af2c0d29cc3a279b16adcf60998bd3e6ba8effb35c9db28

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4716462.exe
Filesize: 14KB
MD5: d534cda0868656e306bc2be731dd5e0d
SHA1: d7c2263ddad7a2ac15c28ae030ca33e5e05c590e
SHA256: 5d63aa55328cfa50c7ff9143145fb25d3de8d1723adfcf5c8b62f3d85f65c20f
SHA512: 05fdcbce8acbf06bb9fcd89c883f2b3ebf3ce74ae9a51fc96257df6ace3f0a9912bba18ffad9717575c39a6bc91c7b2c1e76c7f5f39dc2025d8f4f879512c564

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4512777.exe
Filesize: 120KB
MD5: 0f8f0c33b4a43e03fbd11fb90715457f
SHA1: a3f7dc42f9ab63d5f7b822e563ac63a789067e47
SHA256: 31ce623bc15a82ca5a8b470a6c482c1ccb8dc4a82c11e2775d2a26e040064e1e
SHA512: ea20f5142ca6511f6b4c737af767522e5402efb7d5427d9253aa1f109564eff9e309a158b56a66eee971f485d60713be6e2c19a477ddfe476e90d78281245d99

Memory dumps (name: Filesize)
memory/2004-161-0x0000000000290000-0x000000000029A000-memory.dmp: 40KB
memory/2268-167-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
memory/5012-175-0x0000000000340000-0x0000000000370000-memory.dmp: 192KB
memory/5012-176-0x000000000A600000-0x000000000AC18000-memory.dmp: 6.1MB
memory/5012-177-0x000000000A180000-0x000000000A28A000-memory.dmp: 1.0MB
memory/5012-178-0x000000000A0C0000-0x000000000A0D2000-memory.dmp: 72KB
memory/5012-179-0x0000000000C20000-0x0000000000C30000-memory.dmp: 64KB
memory/5012-180-0x000000000A120000-0x000000000A15C000-memory.dmp: 240KB
memory/5012-181-0x000000000A430000-0x000000000A4A6000-memory.dmp: 472KB
memory/5012-182-0x000000000A550000-0x000000000A5E2000-memory.dmp: 584KB
memory/5012-183-0x000000000B1D0000-0x000000000B774000-memory.dmp: 5.6MB
memory/5012-184-0x000000000AC20000-0x000000000AC86000-memory.dmp: 408KB
memory/5012-185-0x000000000B950000-0x000000000BB12000-memory.dmp: 1.8MB
memory/5012-186-0x000000000C050000-0x000000000C57C000-memory.dmp: 5.2MB
memory/5012-188-0x0000000000C20000-0x0000000000C30000-memory.dmp: 64KB
memory/5012-189-0x000000000B900000-0x000000000B950000-memory.dmp: 320KB