Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 18:56

Static task: static1

Behavioral task: behavioral1
Sample: a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe
Resource: win10v2004-20230220-en
General
Target: a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe
Size: 738KB
MD5: 93a72935d1ec14f620d1e9776fbe74a1
SHA1: db7a0130a133481d5d386a8683e66e7f9786f123
SHA256: a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af
SHA512: ce51ba3502196a04f952a18f8bef41a50134a716a79c463878aadab13109c6d4c1dd222e95f3a44956f3c47020d488bd608eb260d20c0c3b1f32c8e874bc345f
SSDEEP: 12288:PMr1y90o6bVolwsqHZpR00Tj3Ym1dJxylW3ZB7WgML3PGrHD1gtdN0LH:eyCZ5sqHZpRHYOvyOBdxgtdaLH
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings 12 IoCs
Processes: a1023556.exe, AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1023556.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1023556.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1023556.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a1023556.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1023556.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1023556.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes: v2233067.exe, v7379772.exe, v8607736.exe, a1023556.exe, b9712082.exe, c8906249.exe
pid | process
2832 | v2233067.exe
4116 | v7379772.exe
1212 | v8607736.exe
1668 | a1023556.exe
4088 | b9712082.exe
376 | c8906249.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 1 IoCs
Processes: a1023556.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1023556.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v8607736.exe, a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe, v2233067.exe, v7379772.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8607736.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v8607736.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v2233067.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v2233067.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7379772.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v7379772.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b9712082.exe
description | pid | process | target process
PID 4088 set thread context of 432 | 4088 | b9712082.exe | AppLaunch.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
364 | 4088 | WerFault.exe | b9712082.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes: a1023556.exe, AppLaunch.exe, c8906249.exe
pid | process | entries
1668 | a1023556.exe | 2
432 | AppLaunch.exe | 2
376 | c8906249.exe | 24
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a1023556.exe, AppLaunch.exe, c8906249.exe
description | pid | process
Token: SeDebugPrivilege | 1668 | a1023556.exe
Token: SeDebugPrivilege | 432 | AppLaunch.exe
Token: SeDebugPrivilege | 376 | c8906249.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe, v2233067.exe, v7379772.exe, v8607736.exe, b9712082.exe
description | pid | process | target process | entries
PID 2312 wrote to memory of 2832 | 2312 | a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe | v2233067.exe | 3
PID 2832 wrote to memory of 4116 | 2832 | v2233067.exe | v7379772.exe | 3
PID 4116 wrote to memory of 1212 | 4116 | v7379772.exe | v8607736.exe | 3
PID 1212 wrote to memory of 1668 | 1212 | v8607736.exe | a1023556.exe | 2
PID 1212 wrote to memory of 4088 | 1212 | v8607736.exe | b9712082.exe | 3
PID 4088 wrote to memory of 432 | 4088 | b9712082.exe | AppLaunch.exe | 5
PID 4116 wrote to memory of 376 | 4116 | v7379772.exe | c8906249.exe | 3
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a3d0a0d0193e4b72db476ca8fa311e40cdbf132dcff95716a35285c264cf17af.exe"
    PID: 2312
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2233067.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2233067.exe
      PID: 2832
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7379772.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7379772.exe
        PID: 4116
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8607736.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8607736.exe
          PID: 1212
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1023556.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1023556.exe
            PID: 1668
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9712082.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9712082.exe
            PID: 4088
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 432
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 580
              PID: 364
              - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8906249.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8906249.exe
          PID: 376
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4088 -ip 4088
    PID: 228
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2233067.exe
Filesize: 531KB
MD5: f83a9fb8a2670c32324430db57ff7e8c
SHA1: f3aec9372f943a00c0c7d3e3850af7ea52d0c711
SHA256: 0e6d463a540b7d043bc032ea78d7df73a483a0947237e8c3dd4c00164b407cb8
SHA512: 14bd650469fca6d926becda2ae11dbb51d70437d658e71262a31974e8a161464c5e30fdc8454fe681cf113bf57ff0cbca31c7e54d3e2957c4c08f1d9c40e9a74
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7379772.exe
Filesize: 359KB
MD5: 96576fabccee571d9f31a8745668cc56
SHA1: 9d07f89c5201c58c6b23e1ab9396bf1dd9efc4cf
SHA256: 91363d6fe10df5393c4b89a9d341251b56521c828d5e339b28eb57390ce38eae
SHA512: 78d27a65da9f3542740c5e36962e9187802754e449e4498686b72674a0e332ad9ca98a6476825e9d45a62fbeb9e37ff7a9aebf4d621408fb557723d71b902754
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8906249.exe
Filesize: 172KB
MD5: 1bbc4fbab1eca451721757329c4963e7
SHA1: 5b4b3f96823f7eab41b586c6a04da5885ffd7798
SHA256: c3fb48c2a883280eea3aee2e31080e3e55df9c075519ff9e8637c206feb60553
SHA512: 6ec133cb3e6c363629544f081d0cc79dbd37b87fc328075ad86fc804c1723d4a2035087a97e5605458e4323dab46c4bad537ac745b7c69a2309e986999975f95
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8607736.exe
Filesize: 203KB
MD5: 7113f5be594facaa33e2ad4ac767b9e6
SHA1: b11e4a9be584c5c5ebcc8cf30a6eca4a955e9b6e
SHA256: 0d7d531f9755dbdc566d8b86f08c232dd7f6473bff4d9d873522a8042e21dc44
SHA512: 9deaf99e4d675293f9038c428dd627e4147e297c56c200e1883e06c005c68dd38e43aa13325392188f9a8ed54dd51f12317b279338c40608a5adb95c1db61697
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1023556.exe
Filesize: 14KB
MD5: 5bb2d14439565d1c616dde9d17dbe93c
SHA1: cd5edc52cc1297b52eb7b649312c93554aceb874
SHA256: f3bcfd293a3e276eba3e30ed31400f196af5ac8bebbff8c6a0c414c620dc5538
SHA512: 6cc0144978db85b3be89140286d2a6493eb1c714a574c6fbd6609c9d0b9442069daf93c513d803c7c8aaaaa3d1073c31a53a2b22e9a4b41704ff3f6e54964cb2
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9712082.exe
Filesize: 120KB
MD5: 5233c9f519ea54a62de4122ed19fb4ec
SHA1: a564971ed562d25accaee00c4fc71441efc4f951
SHA256: 0408dbe84bb738853588b143fac731d5e761d732cfb86bad7b237144b6cb1ea9
SHA512: 62944e9161cd871323d326d1872409afd24a483c4e79f05d7153269a06a13cd5152aa35d88ab025901e9b1975ab4855e09dd4f8015eb37319e5c8e2979954cdc
-
memory/376-175-0x00000000003C0000-0x00000000003F0000-memory.dmp
Filesize: 192KB
-
memory/376-180-0x0000000004D80000-0x0000000004D90000-memory.dmp
Filesize: 64KB
-
memory/376-189-0x0000000004D80000-0x0000000004D90000-memory.dmp
Filesize: 64KB
-
memory/376-176-0x000000000A830000-0x000000000AE48000-memory.dmp
Filesize: 6.1MB
-
memory/376-177-0x000000000A340000-0x000000000A44A000-memory.dmp
Filesize: 1.0MB
-
memory/376-178-0x000000000A280000-0x000000000A292000-memory.dmp
Filesize: 72KB
-
memory/376-179-0x000000000A2E0000-0x000000000A31C000-memory.dmp
Filesize: 240KB
-
memory/376-188-0x000000000B410000-0x000000000B460000-memory.dmp
Filesize: 320KB
-
memory/376-181-0x000000000A6F0000-0x000000000A766000-memory.dmp
Filesize: 472KB
-
memory/376-182-0x000000000AE50000-0x000000000AEE2000-memory.dmp
Filesize: 584KB
-
memory/376-183-0x000000000B4A0000-0x000000000BA44000-memory.dmp
Filesize: 5.6MB
-
memory/376-184-0x000000000AF60000-0x000000000AFC6000-memory.dmp
Filesize: 408KB
-
memory/376-185-0x000000000BC20000-0x000000000BDE2000-memory.dmp
Filesize: 1.8MB
-
memory/376-187-0x000000000C320000-0x000000000C84C000-memory.dmp
Filesize: 5.2MB
-
memory/432-167-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize: 40KB
-
memory/1668-161-0x0000000000290000-0x000000000029A000-memory.dmp
Filesize: 40KB