Overview

overview

10

Static

static

3

05ada3c7bb...76.exe

windows7-x64

10

05ada3c7bb...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05ada3c7bb54efda0f84ce338d7558a6000e4bffc6e640d5ac2c25f6b1504976.exe

  • Size

    735KB

  • MD5

    1c9179fad34aa4dd246b5ebd3539b7b1

  • SHA1

    04d1a165e2e7dc2f1736223a9cfe1ad7aebacb6a

  • SHA256

    05ada3c7bb54efda0f84ce338d7558a6000e4bffc6e640d5ac2c25f6b1504976

  • SHA512

    ead9b21f1df264c0fff816a6e11eba1c747cf16bb7dcc65c766f203a848e31b7e882edfc36bee62f6e22eb0639470bed72022759012204c92fb5919251e60edd

  • SSDEEP

    12288:hMrqy90LcnW2YHevd7sSQ3lcPnQgP7ya7NkVBV20IxE:DyA2YHevd7sSI2f5Pua+I0qE

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05ada3c7bb54efda0f84ce338d7558a6000e4bffc6e640d5ac2c25f6b1504976.exe
    "C:\Users\Admin\AppData\Local\Temp\05ada3c7bb54efda0f84ce338d7558a6000e4bffc6e640d5ac2c25f6b1504976.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6096298.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6096298.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4781078.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4781078.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099813.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099813.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2430684.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2430684.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4664
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5412639.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5412639.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4440
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 140
              6⤵
              • Program crash
              PID:3464
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2518448.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2518448.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2016 -ip 2016
    1⤵
      PID:2856

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6096298.exe
      Filesize

      530KB

      MD5

      1f9604ac6e8813bd470effe801645717

      SHA1

      55a84f4f7ead50c7a504583f01e712d28a84b32b

      SHA256

      16ace01729c158d36ea8b868f609571007b6e9dc7a5e31c34fa80b8e7b345bb1

      SHA512

      965faad7a4dc7e1751422bb42d5e871f14cfa7aa6a0099c8a4b1ac0cf1bdbbdbb7d01f0bacf2935d486d90c2adbb949aea6a32a5a031bc2c51601f0bc5cdb5f5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6096298.exe
      Filesize

      530KB

      MD5

      1f9604ac6e8813bd470effe801645717

      SHA1

      55a84f4f7ead50c7a504583f01e712d28a84b32b

      SHA256

      16ace01729c158d36ea8b868f609571007b6e9dc7a5e31c34fa80b8e7b345bb1

      SHA512

      965faad7a4dc7e1751422bb42d5e871f14cfa7aa6a0099c8a4b1ac0cf1bdbbdbb7d01f0bacf2935d486d90c2adbb949aea6a32a5a031bc2c51601f0bc5cdb5f5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4781078.exe
      Filesize

      357KB

      MD5

      914b3e47a1473d8a5e27783fb574e3db

      SHA1

      670f60929526815b3abe90d07682f192b0baaef3

      SHA256

      23f10e283baad79fa53ecdceb74ddafb4e600969dc1f33fc1a72f6b42d77fe10

      SHA512

      a8446541303fa6da230c8ca29f3ed243eca491390ccbe46f0fada4a33301c2d804e54e3dd66c0d083e347663d5331f80801591ec3f3458984133abcc48ac6470

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4781078.exe
      Filesize

      357KB

      MD5

      914b3e47a1473d8a5e27783fb574e3db

      SHA1

      670f60929526815b3abe90d07682f192b0baaef3

      SHA256

      23f10e283baad79fa53ecdceb74ddafb4e600969dc1f33fc1a72f6b42d77fe10

      SHA512

      a8446541303fa6da230c8ca29f3ed243eca491390ccbe46f0fada4a33301c2d804e54e3dd66c0d083e347663d5331f80801591ec3f3458984133abcc48ac6470

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2518448.exe
      Filesize

      172KB

      MD5

      010f6fc9b85ff42f75b2726b5bb47925

      SHA1

      2e28aaa0cbf1b86741d02d85d52a22cf70a4f2e4

      SHA256

      d8c38dd478151b99a427744d8fe372c3dacaf5df03c844c3b9dee82d9e8b281e

      SHA512

      73e5c9f77961ec44b3c67ab6985a03eed483d9fb0282de9cb2c36a85f794d6697ef0fb64d29761c2b9105b111a156639bd3a8b24657f2617be1099e62e51ab5e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2518448.exe
      Filesize

      172KB

      MD5

      010f6fc9b85ff42f75b2726b5bb47925

      SHA1

      2e28aaa0cbf1b86741d02d85d52a22cf70a4f2e4

      SHA256

      d8c38dd478151b99a427744d8fe372c3dacaf5df03c844c3b9dee82d9e8b281e

      SHA512

      73e5c9f77961ec44b3c67ab6985a03eed483d9fb0282de9cb2c36a85f794d6697ef0fb64d29761c2b9105b111a156639bd3a8b24657f2617be1099e62e51ab5e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099813.exe
      Filesize

      202KB

      MD5

      d621be7a110e1805793fec1c07238b85

      SHA1

      05dbec1f90e63c4a1f711ba68b88eb1267691c48

      SHA256

      7e7a9ece83453947781587f02dc2d90e09cddecfd9143f4cdb3c6153c948a418

      SHA512

      12e999afa1663b86923ec24fd00bb93cc2c8e10da689f24e6ae2398180fa4a35684997ffb9bb64bb8c42613fb06e88edbd5466bc32924ad0a2232aeb398f47fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099813.exe
      Filesize

      202KB

      MD5

      d621be7a110e1805793fec1c07238b85

      SHA1

      05dbec1f90e63c4a1f711ba68b88eb1267691c48

      SHA256

      7e7a9ece83453947781587f02dc2d90e09cddecfd9143f4cdb3c6153c948a418

      SHA512

      12e999afa1663b86923ec24fd00bb93cc2c8e10da689f24e6ae2398180fa4a35684997ffb9bb64bb8c42613fb06e88edbd5466bc32924ad0a2232aeb398f47fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2430684.exe
      Filesize

      12KB

      MD5

      93875b44398c62948decc62d45e84af9

      SHA1

      7b4fed98b263cfb1bc1722d182cdbb6a96454cfa

      SHA256

      ced5a32e8b3d74ba04fd0e6ba432f7057554efb5e97e1c589d81c8457125d5b0

      SHA512

      fcf1bce36b71715c47b82f9fbe401125eb57d0776578ccef96e1363191e48c0b5c87c6a51c1c1e34b9ca71a3fe92deae6e937e5acd6fa94d3c951da8e1d0d168

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2430684.exe
      Filesize

      12KB

      MD5

      93875b44398c62948decc62d45e84af9

      SHA1

      7b4fed98b263cfb1bc1722d182cdbb6a96454cfa

      SHA256

      ced5a32e8b3d74ba04fd0e6ba432f7057554efb5e97e1c589d81c8457125d5b0

      SHA512

      fcf1bce36b71715c47b82f9fbe401125eb57d0776578ccef96e1363191e48c0b5c87c6a51c1c1e34b9ca71a3fe92deae6e937e5acd6fa94d3c951da8e1d0d168

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5412639.exe
      Filesize

      117KB

      MD5

      3da2da571a146859786e77b2ea37c7c3

      SHA1

      c9c82d175a24cdf30e34d6d85a929a37307a6726

      SHA256

      34772b490ac57a20b4b198ad442d6176cc044df3d72c297e22007bac2150c2e2

      SHA512

      40a7aee629c171c798a97e62d23370dabd52359ba4fb9b2ed45ed71f750e3168d37bb02695f2b1a1a3e36838bb68bccc19074f8d2b6c79bf0ffcf1332e47e97d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5412639.exe
      Filesize

      117KB

      MD5

      3da2da571a146859786e77b2ea37c7c3

      SHA1

      c9c82d175a24cdf30e34d6d85a929a37307a6726

      SHA256

      34772b490ac57a20b4b198ad442d6176cc044df3d72c297e22007bac2150c2e2

      SHA512

      40a7aee629c171c798a97e62d23370dabd52359ba4fb9b2ed45ed71f750e3168d37bb02695f2b1a1a3e36838bb68bccc19074f8d2b6c79bf0ffcf1332e47e97d

      Download Submit
    • memory/1580-175-0x0000000000D70000-0x0000000000DA0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1580-180-0x0000000005880000-0x00000000058BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1580-189-0x0000000006D50000-0x0000000006DA0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1580-176-0x0000000005E60000-0x0000000006478000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1580-177-0x0000000005950000-0x0000000005A5A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1580-178-0x0000000005600000-0x0000000005612000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1580-179-0x0000000005630000-0x0000000005640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1580-188-0x0000000005630000-0x0000000005640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1580-181-0x0000000005C80000-0x0000000005CF6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1580-182-0x0000000005DA0000-0x0000000005E32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1580-183-0x0000000006E20000-0x00000000073C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1580-184-0x0000000006480000-0x00000000064E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1580-185-0x0000000006B80000-0x0000000006D42000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1580-186-0x0000000008FF0000-0x000000000951C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4440-167-0x00000000007A0000-0x00000000007AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4664-161-0x0000000000360000-0x000000000036A000-memory.dmp
      Filesize

      40KB

      Download