Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-06-2023 20:07
Static task: static1
Behavioral task: behavioral1
Sample: 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe
Resource: win10v2004-20230220-en
General

Target: 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe
Size: 724KB
MD5: 9d3b877dc78b1e4a6a9607cb26feebb3
SHA1: 4c1662a5d1af7793fc383eb4880b7e7a7a1cd690
SHA256: 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7
SHA512: 65258a4fc7b7a75688241b5b2ac7a369225ab052d8c53a65abb1ce9411f6e6a4cdd1f32ddeadc85ca47228596439b85611a7abfcfc109690a3e82380fba9cd3e
SSDEEP: 12288:xMr+y90Vq6HgwwUDO7KAAj+OAEobhACbn4Ze9JCsimEznsf:DyWqugw/RAAfkyGnAsREznE
Malware Config

Extracted

Family: redline
Botnet: maxi
C2: 83.97.73.126:19048
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: AppLaunch.exe, a5573660.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5573660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5573660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5573660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5573660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5573660.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5573660.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE 6 IoCs
Processes: v5851755.exe, v2766674.exe, v6742234.exe, a5573660.exe, b5555248.exe, c2333900.exe

pid | process
2880 | v5851755.exe
4648 | v2766674.exe
1632 | v6742234.exe
3244 | a5573660.exe
1600 | b5555248.exe
1320 | c2333900.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: a5573660.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5573660.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes: v6742234.exe, 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe, v5851755.exe, v2766674.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v6742234.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v5851755.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v5851755.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v2766674.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v2766674.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v6742234.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: b5555248.exe

description | pid | process | target process
PID 1600 set thread context of 3484 | 1600 | b5555248.exe | AppLaunch.exe
Program crash 1 IoCs
Processes: WerFault.exe

pid | pid_target | process | target process
4352 | 1600 | WerFault.exe | b5555248.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: a5573660.exe, AppLaunch.exe, c2333900.exe

pid | process
3244 | a5573660.exe
3244 | a5573660.exe
3484 | AppLaunch.exe
3484 | AppLaunch.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
1320 | c2333900.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: a5573660.exe, AppLaunch.exe, c2333900.exe

description | pid | process
Token: SeDebugPrivilege | 3244 | a5573660.exe
Token: SeDebugPrivilege | 3484 | AppLaunch.exe
Token: SeDebugPrivilege | 1320 | c2333900.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe, v5851755.exe, v2766674.exe, v6742234.exe, b5555248.exe

description | pid | process | target process
PID 4940 wrote to memory of 2880 | 4940 | 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe | v5851755.exe
PID 4940 wrote to memory of 2880 | 4940 | 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe | v5851755.exe
PID 4940 wrote to memory of 2880 | 4940 | 8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe | v5851755.exe
PID 2880 wrote to memory of 4648 | 2880 | v5851755.exe | v2766674.exe
PID 2880 wrote to memory of 4648 | 2880 | v5851755.exe | v2766674.exe
PID 2880 wrote to memory of 4648 | 2880 | v5851755.exe | v2766674.exe
PID 4648 wrote to memory of 1632 | 4648 | v2766674.exe | v6742234.exe
PID 4648 wrote to memory of 1632 | 4648 | v2766674.exe | v6742234.exe
PID 4648 wrote to memory of 1632 | 4648 | v2766674.exe | v6742234.exe
PID 1632 wrote to memory of 3244 | 1632 | v6742234.exe | a5573660.exe
PID 1632 wrote to memory of 3244 | 1632 | v6742234.exe | a5573660.exe
PID 1632 wrote to memory of 1600 | 1632 | v6742234.exe | b5555248.exe
PID 1632 wrote to memory of 1600 | 1632 | v6742234.exe | b5555248.exe
PID 1632 wrote to memory of 1600 | 1632 | v6742234.exe | b5555248.exe
PID 1600 wrote to memory of 3484 | 1600 | b5555248.exe | AppLaunch.exe
PID 1600 wrote to memory of 3484 | 1600 | b5555248.exe | AppLaunch.exe
PID 1600 wrote to memory of 3484 | 1600 | b5555248.exe | AppLaunch.exe
PID 1600 wrote to memory of 3484 | 1600 | b5555248.exe | AppLaunch.exe
PID 1600 wrote to memory of 3484 | 1600 | b5555248.exe | AppLaunch.exe
PID 4648 wrote to memory of 1320 | 4648 | v2766674.exe | c2333900.exe
PID 4648 wrote to memory of 1320 | 4648 | v2766674.exe | c2333900.exe
PID 4648 wrote to memory of 1320 | 4648 | v2766674.exe | c2333900.exe
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8c0a4bfe6b7d24892769e0338f425435769e6b2ae3a9af2905491634a643b4e7.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4940
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2880
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4648
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1632
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3244
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 1600
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3484
          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 140
            - Program crash
            PID: 4352
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1320

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1600 -ip 1600
  PID: 4384
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5851755.exe
  Filesize: 523KB
  MD5: 1e170d3bc2a0a02972a25eeab5248d14
  SHA1: db8481b20acf0e87350456ef6ca97fcc1bab6d65
  SHA256: 005fb98de26f32a9f288ba6d8fe60c72022b395855556babd79b12a9f0f3256e
  SHA512: 718da67c56321912ea96d59172f2a9bb9e4b439ba8b7692dd354f06beaa4ebb6291f0eb8e65b7ba72c26dd9e3dd3a524ee0c25469ba5141b48ff2941d7860c32

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2766674.exe
  Filesize: 351KB
  MD5: aceb134aab78e5979fc85c3e188019a3
  SHA1: b8f54c2f3adde1faf7575f869be688f46bce4f17
  SHA256: 1d790ee043d64b632f5c1a46163f6a533a57685bddc0a25ca5720c1c543dbd44
  SHA512: 5dec8920a87034e5d996077d3fb5e79d1d69e8ebff89c56d33892c8cb5b36a34a591164f67f667340ba7964f9cc87cf69230d4aabd96ea84ab8b92b34fbf29e7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2333900.exe
  Filesize: 172KB
  MD5: 2347cfd8f815fa52d48acd8394468e73
  SHA1: 5fe05b16536ab71ce7d8720a64c49324f5e068dd
  SHA256: 8905355047b919a09fbf9b1e21d9c2c72cfdcfa44887b006cd7ad64acb05eff4
  SHA512: 2dce8952f8fd50e321c58859d7ae9365bd924112b618ad11f975e9f8cc1e38d95e9314731af6b158eee1726ef40d6dc7326647d0514501ea2014efdee31e6424

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6742234.exe
  Filesize: 196KB
  MD5: f2da1d8a39219638e11e1c4bcb410bd0
  SHA1: 7f5accb287483f79a648e556e4b93d8b8482069b
  SHA256: 2ab0eae199040fc243632b55e58b62baed27510f22311833cdca3a14929873fc
  SHA512: 69cf0bb04d361c5e576fcf989efa3d49fafd6e266b32ea247045167e19aee811d939f226d9bcec56edb098b1775b37319f762df9b329fe810374fb9a1e909f62

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5573660.exe
  Filesize: 14KB
  MD5: 3bccd804c1bd6f719ca5e8a46222d054
  SHA1: dcc669aa8a072aef141ee3330557adae5c77df62
  SHA256: 3d7077875bcaf79becf7780c2372da7e788c858b0788758047a1db6927ba465d
  SHA512: d7d9b28e976985226654a781eb83c9bcc97f66d8a61700e6e8e07aee00fbf66c405ecc19eb6ced396410c77b0936eb3a10d5ce762205503088f97f2e4c4e301c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5555248.exe
  Filesize: 101KB
  MD5: cbc1553499df7e1e9042668c327b0a3b
  SHA1: 8272cf599cc1b309540bf75446dc6d8287a15686
  SHA256: 9dc44e720b95ecb86e2d65140bf71955a6681dba0bbfc5d83bbceaeed810ca67
  SHA512: 43efc5becd8b7cf5fe88152d5fd4807f1c481dbf4aa83fcdeda814888586ec78e997e2af47ab39c550c251964ed0087cec8373189ff038c1e682c5df493c72b6
Memory dumps

memory/1320-175-0x00000000007B0000-0x00000000007E0000-memory.dmp
  Filesize: 192KB
memory/1320-180-0x0000000005060000-0x0000000005070000-memory.dmp
  Filesize: 64KB
memory/1320-189-0x0000000008A20000-0x0000000008F4C000-memory.dmp
  Filesize: 5.2MB
memory/1320-176-0x0000000005790000-0x0000000005DA8000-memory.dmp
  Filesize: 6.1MB
memory/1320-177-0x0000000005280000-0x000000000538A000-memory.dmp
  Filesize: 1.0MB
memory/1320-178-0x0000000005000000-0x0000000005012000-memory.dmp
  Filesize: 72KB
memory/1320-179-0x0000000005170000-0x00000000051AC000-memory.dmp
  Filesize: 240KB
memory/1320-188-0x0000000006650000-0x0000000006812000-memory.dmp
  Filesize: 1.8MB
memory/1320-181-0x0000000005480000-0x00000000054F6000-memory.dmp
  Filesize: 472KB
memory/1320-182-0x00000000055A0000-0x0000000005632000-memory.dmp
  Filesize: 584KB
memory/1320-183-0x0000000005500000-0x0000000005566000-memory.dmp
  Filesize: 408KB
memory/1320-184-0x0000000006850000-0x0000000006DF4000-memory.dmp
  Filesize: 5.6MB
memory/1320-186-0x0000000006430000-0x0000000006480000-memory.dmp
  Filesize: 320KB
memory/1320-187-0x0000000005060000-0x0000000005070000-memory.dmp
  Filesize: 64KB
memory/3244-161-0x0000000000D60000-0x0000000000D6A000-memory.dmp
  Filesize: 40KB
memory/3484-167-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB