Analysis
max time kernel: 134s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 18:47
Static task: static1
Behavioral task: behavioral1
Sample: beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe
Resource: win10v2004-20230220-en
General
Target: beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe
Size: 738KB
MD5: 215659adccd58cd153279dcf902c00b5
SHA1: 4d4bab5816b92f5ded06ffea979526559db0df74
SHA256: beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad
SHA512: a4e315f6949763a0ed4f959f1019c3bb020260de69f8799b8d54cac10dc5b401a53ffd1fade65e304f15f0874fda98c9509c165e571be09fd22a0ec2e0d6fd7e
SSDEEP: 12288:VMr0y90+43kCTezHtgFr0pH4JUauzhSX6NpDhu0EHDkDlKXVbZSAYP6Sb9JYq:xytAejtgYHsWzhI6Nplu0EHDkQrSAMbn

Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: a1513766.exe, AppLaunch.exe
description / ioc / process:
- [a1513766.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- [a1513766.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- [a1513766.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- [a1513766.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- [AppLaunch.exe] Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- [AppLaunch.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- [AppLaunch.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- [a1513766.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- [a1513766.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- [AppLaunch.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- [AppLaunch.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- [AppLaunch.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v6807810.exe, v5609352.exe, v0557126.exe, a1513766.exe, b8220672.exe, c6226511.exe
pid / process:
- 2144 v6807810.exe
- 3808 v5609352.exe
- 4880 v0557126.exe
- 1148 a1513766.exe
- 2412 b8220672.exe
- 5028 c6226511.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: a1513766.exe
description / ioc / process:
- [a1513766.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v0557126.exe, beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe, v6807810.exe, v5609352.exe
description / ioc / process:
- [v0557126.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
- [beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- [beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- [v6807810.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- [v6807810.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- [v5609352.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
- [v5609352.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- [v0557126.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b8220672.exe
description / pid / process / target process:
- PID 2412 set thread context of 372 -- 2412 b8220672.exe -> AppLaunch.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid / pid_target / process / target process:
- 4040 / 2412 / WerFault.exe / b8220672.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: a1513766.exe, AppLaunch.exe, c6226511.exe
pid / process:
- 1148 a1513766.exe (2 entries)
- 372 AppLaunch.exe (2 entries)
- 5028 c6226511.exe (26 entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a1513766.exe, AppLaunch.exe, c6226511.exe
description / pid / process:
- Token: SeDebugPrivilege -- 1148 a1513766.exe
- Token: SeDebugPrivilege -- 372 AppLaunch.exe
- Token: SeDebugPrivilege -- 5028 c6226511.exe

Suspicious use of WriteProcessMemory 22 IoCs
Processes: beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe, v6807810.exe, v5609352.exe, v0557126.exe, b8220672.exe
description / pid / process / target process:
- PID 2208 wrote to memory of 2144 -- 2208 beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe -> v6807810.exe (3 entries)
- PID 2144 wrote to memory of 3808 -- 2144 v6807810.exe -> v5609352.exe (3 entries)
- PID 3808 wrote to memory of 4880 -- 3808 v5609352.exe -> v0557126.exe (3 entries)
- PID 4880 wrote to memory of 1148 -- 4880 v0557126.exe -> a1513766.exe (2 entries)
- PID 4880 wrote to memory of 2412 -- 4880 v0557126.exe -> b8220672.exe (3 entries)
- PID 2412 wrote to memory of 372 -- 2412 b8220672.exe -> AppLaunch.exe (5 entries)
- PID 3808 wrote to memory of 5028 -- 3808 v5609352.exe -> c6226511.exe (3 entries)
Processes
(indentation shows parent/child nesting; the leading number is the depth in the tree)

1 C:\Users\Admin\AppData\Local\Temp\beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\beaff98cd46f091732b162ebf45f1fb45d3cb9edf118365d6d5791f8278a9fad.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  2 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6807810.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6807810.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    3 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5609352.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5609352.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      4 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0557126.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0557126.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        5 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1513766.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1513766.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        5 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8220672.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8220672.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          6 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          6 C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 572
            - Program crash

      4 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6226511.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6226511.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

1 C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2412 -ip 2412
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6807810.exe
Filesize: 531KB
MD5: 7e196aad4c7adc25baafeeed0a98d21a
SHA1: 3d97dd55972dcbd6030456033c7e2e3df1c9ea09
SHA256: 641db027a6a677b6fb434b1eae3da6265b0b43ba67d22a52c5d9dea7cd3dd916
SHA512: 764b10fb3eb2dc5eeec50eb55b112a6c2ed6f032fc5ff4b04508b411a401cd01ba6d3f6e5665822fc77f9c1de8dd5d88580e11bff9118a1c7e8414aea0135079

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5609352.exe
Filesize: 359KB
MD5: 47c246c0a285be09590619afdaaa51cb
SHA1: 6c81c2e618d82a6443d24b4f6e66830bf9a2933f
SHA256: 322941c9edd7806534f040270ab927ce9d82c754496b625d249d3070cdafa4da
SHA512: 1246623dfa1282688a99fdd2ca8a7990a5d203ef8fd5863633abf0f69d1126d342ccf410a5fc868458cc891897e147ea8a18fc8d8afbba97c93a9b5af56cc0b8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6226511.exe
Filesize: 172KB
MD5: a392ac05fc001c3e48b09fa46b7053ac
SHA1: 6c7c75f4a5fb58dde24e4466ba5cd74373138bc9
SHA256: f3ffdeba2d8c0fa6b76280bb5e218b3e586ed0568067b8c6ccbec62ec6525ff7
SHA512: fae73db46f56c9b40d7a4be75a0f23797bd6c523b36f98a20e9fb397c6eab81536b0e6e47fc6ca4f6181ca168c5c5f6fc5f2dd905db83bebdb2162cc475109cf

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0557126.exe
Filesize: 203KB
MD5: 323cbbd9f66a257f0c1c89d6d14e8b3e
SHA1: 35c995fa703d5acc6ac0dc422ceb0523c1b1509a
SHA256: 1b533ea84cdb274fcde7293b06ae615db696a7523db48c417757ed8315ab8cef
SHA512: d5a25e73320a37365df66999281a01ae002dfe4f8ab48bfd06547bc8a3b9881b93d10d32945be0ec8f81f9a75ba24402913f1cff4f56f357189ceddaef4c13fe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1513766.exe
Filesize: 14KB
MD5: 6e761d3ea3c4d8b88f33184461f0a822
SHA1: 272156007060c8059052808edbcf9328d7b89000
SHA256: 3473e3bf8edf1ff5ae44ec93ae59dddcc80d852d28daf0629f889f45793e1549
SHA512: c3ecdb47f26262ddc4f670de31d3a4ea56ad5309fe57e2f8f1c27216739eb3aa729e60bbfc84bc1c976f044c777daf484b40a2f060fb559ebc678ce0458afcfd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8220672.exe
Filesize: 120KB
MD5: 49e85039568698b77789daecea51cf33
SHA1: df79e17c42103fd24fc06fba57ff990a02fad7a1
SHA256: 844b6e16b5caffc62a920890b863abc219ac96d9e38074a33d4669c667730e4e
SHA512: 8162059b0cfd1f4c1133c2dfe0ab049b15bc5a3cf1c602eb48d5244742e7d044a8a2475d24aa54dc5294af6f4d5135edf94bca6a906baaf5d3560b59c3939b33

memory/372-167-0x0000000000510000-0x000000000051A000-memory.dmp  Filesize: 40KB
memory/1148-161-0x0000000000680000-0x000000000068A000-memory.dmp  Filesize: 40KB
memory/5028-175-0x0000000000C10000-0x0000000000C40000-memory.dmp  Filesize: 192KB
memory/5028-176-0x000000000AED0000-0x000000000B4E8000-memory.dmp  Filesize: 6.1MB
memory/5028-177-0x000000000AA50000-0x000000000AB5A000-memory.dmp  Filesize: 1.0MB
memory/5028-178-0x000000000A990000-0x000000000A9A2000-memory.dmp  Filesize: 72KB
memory/5028-179-0x000000000A9F0000-0x000000000AA2C000-memory.dmp  Filesize: 240KB
memory/5028-180-0x00000000053B0000-0x00000000053C0000-memory.dmp  Filesize: 64KB
memory/5028-181-0x000000000AD00000-0x000000000AD76000-memory.dmp  Filesize: 472KB
memory/5028-182-0x000000000B590000-0x000000000B622000-memory.dmp  Filesize: 584KB
memory/5028-183-0x000000000B4F0000-0x000000000B556000-memory.dmp  Filesize: 408KB
memory/5028-184-0x000000000BEE0000-0x000000000C484000-memory.dmp  Filesize: 5.6MB
memory/5028-186-0x000000000C490000-0x000000000C652000-memory.dmp  Filesize: 1.8MB
memory/5028-187-0x000000000CB90000-0x000000000D0BC000-memory.dmp  Filesize: 5.2MB
memory/5028-188-0x00000000053B0000-0x00000000053C0000-memory.dmp  Filesize: 64KB
memory/5028-189-0x000000000BC60000-0x000000000BCB0000-memory.dmp  Filesize: 320KB