Overview

overview

10

Static

static

3

51f0ef264a...2a.exe

windows7-x64

10

51f0ef264a...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2023 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51f0ef264a73c56b191eeeca19c29cd70d445e5b2f110176d9c21a681838c42a.exe

  • Size

    738KB

  • MD5

    2c7c2abddadddc4eb190d66c65412fe8

  • SHA1

    0aaa7f6509d1f33da676a510b06a2c0379818f20

  • SHA256

    51f0ef264a73c56b191eeeca19c29cd70d445e5b2f110176d9c21a681838c42a

  • SHA512

    9589372d81d7056b9b88b93297ad3b85600d7e5bfce224bde022f9cf669bc7fa45dbad60376d3a3834c79615c2ac509d9b9471f0513fd313e8a58d4887bb4e1f

  • SSDEEP

    12288:OMrey90ArTyG78Vwy8jsyFFXI0NB5VXeK+YyoiS42wtiBKcjZUK/jUE7:cyTTyG7V/DNHteaCPViBj2SUc

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51f0ef264a73c56b191eeeca19c29cd70d445e5b2f110176d9c21a681838c42a.exe
    "C:\Users\Admin\AppData\Local\Temp\51f0ef264a73c56b191eeeca19c29cd70d445e5b2f110176d9c21a681838c42a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1301757.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1301757.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3773963.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3773963.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7613995.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7613995.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3123480.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3123480.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0913336.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0913336.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1248
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 140
              6⤵
              • Program crash
              PID:4180
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6165058.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6165058.exe
          4⤵
          • Executes dropped EXE
          PID:3132
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4404 -ip 4404
    1⤵
      PID:184

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1301757.exe
      Filesize

      530KB

      MD5

      e838f46c214df26dea95b351871ab89c

      SHA1

      f42d738d427614d16a3b1e8c8aef49ba36597f1b

      SHA256

      56a1b6d901d51a444f197f1a96965ba25c6b10fb013ab9ad43dc6c4aeb5842c5

      SHA512

      8d61ff467f3462524d498a2714879171a837d754e48bc356176a66f584b7fa223aacaafd54740ef7ea20fd7492d19adaec0e40bb884037e6b01d5ce00705ee0e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1301757.exe
      Filesize

      530KB

      MD5

      e838f46c214df26dea95b351871ab89c

      SHA1

      f42d738d427614d16a3b1e8c8aef49ba36597f1b

      SHA256

      56a1b6d901d51a444f197f1a96965ba25c6b10fb013ab9ad43dc6c4aeb5842c5

      SHA512

      8d61ff467f3462524d498a2714879171a837d754e48bc356176a66f584b7fa223aacaafd54740ef7ea20fd7492d19adaec0e40bb884037e6b01d5ce00705ee0e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3773963.exe
      Filesize

      358KB

      MD5

      18393a0e5299404cd43efa14606ab1bf

      SHA1

      89dd0b01e217700145ba3e249937cb773c5ef745

      SHA256

      4aa199efb75aaf578bcbda4affa640400d4ecfc84344c9166c2e33c245ab06e3

      SHA512

      b964621b9d0599987f00bab1eb37570ff7f147cc25e9995a2e87222bc16549618394e2e91787a9e96085099ef641cbf600cdcab89ac63c692badc2839bfccbfb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3773963.exe
      Filesize

      358KB

      MD5

      18393a0e5299404cd43efa14606ab1bf

      SHA1

      89dd0b01e217700145ba3e249937cb773c5ef745

      SHA256

      4aa199efb75aaf578bcbda4affa640400d4ecfc84344c9166c2e33c245ab06e3

      SHA512

      b964621b9d0599987f00bab1eb37570ff7f147cc25e9995a2e87222bc16549618394e2e91787a9e96085099ef641cbf600cdcab89ac63c692badc2839bfccbfb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6165058.exe
      Filesize

      172KB

      MD5

      761fe098c5dcbbb2021a482cd456513c

      SHA1

      6e71014d495a0ad6595ba563710d96b752e56d2a

      SHA256

      6866f7cb133363538e5b98cdd84f33a5a41a23af7e634dbec106b7ed14aee8c7

      SHA512

      f767469f180ccfd681b7dc93a9d176da3c39ee21a0f236eaf1d2dd7480ed307e88c01824fce4b8f9e92c0282a7e2061252424ba603b31490d97936635b3920c5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6165058.exe
      Filesize

      172KB

      MD5

      761fe098c5dcbbb2021a482cd456513c

      SHA1

      6e71014d495a0ad6595ba563710d96b752e56d2a

      SHA256

      6866f7cb133363538e5b98cdd84f33a5a41a23af7e634dbec106b7ed14aee8c7

      SHA512

      f767469f180ccfd681b7dc93a9d176da3c39ee21a0f236eaf1d2dd7480ed307e88c01824fce4b8f9e92c0282a7e2061252424ba603b31490d97936635b3920c5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7613995.exe
      Filesize

      203KB

      MD5

      eaafab340cdd9a4bea1bb905427bedf9

      SHA1

      cc5628d0a3d589491ea13a43f1b818b86c6aeddf

      SHA256

      715f18d78b94b0dafadfd8459823abaf1743e6861543e0a2cbabb60868f5f71e

      SHA512

      44eec6231724ac9ac250865cc37fe50bab4d446a5e47b8ac4bdb61d573a08da25e6d721e3f01716eb097bbba82f1fb95b3c5e26f8383e4190104bfaef7c50c0b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7613995.exe
      Filesize

      203KB

      MD5

      eaafab340cdd9a4bea1bb905427bedf9

      SHA1

      cc5628d0a3d589491ea13a43f1b818b86c6aeddf

      SHA256

      715f18d78b94b0dafadfd8459823abaf1743e6861543e0a2cbabb60868f5f71e

      SHA512

      44eec6231724ac9ac250865cc37fe50bab4d446a5e47b8ac4bdb61d573a08da25e6d721e3f01716eb097bbba82f1fb95b3c5e26f8383e4190104bfaef7c50c0b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3123480.exe
      Filesize

      14KB

      MD5

      13bb1050cb1fa2d3263f9422b79def57

      SHA1

      bff2f071cff1ab27efed250242583125f72e0df2

      SHA256

      dac3aa5b2044097a446696c530ecd52e85fb93c8ff224e5087d9702a04d54730

      SHA512

      c1536cf93eefe79829396806fd9f82793b3b386ff84cde005072fef28276442322b3d5f5c43b82fd10a2988ef7e44c34ae74efc75f46e4ee9c190f45cf6a3fa6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3123480.exe
      Filesize

      14KB

      MD5

      13bb1050cb1fa2d3263f9422b79def57

      SHA1

      bff2f071cff1ab27efed250242583125f72e0df2

      SHA256

      dac3aa5b2044097a446696c530ecd52e85fb93c8ff224e5087d9702a04d54730

      SHA512

      c1536cf93eefe79829396806fd9f82793b3b386ff84cde005072fef28276442322b3d5f5c43b82fd10a2988ef7e44c34ae74efc75f46e4ee9c190f45cf6a3fa6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0913336.exe
      Filesize

      120KB

      MD5

      2c9bdeb490f0a005396310963308384f

      SHA1

      fe6c8ea1ebec0ffe341d7cfad24f5c60e29c6fa9

      SHA256

      cb92a7173338e61544e85a15afa9a78c0391255148bae87a3ef89dcc2caa6388

      SHA512

      0710ff334783c65ec2b89f1b537b0d2b98c785fda2b571778d0e142360c092aa8d585fce1923d9ccd822dc5c5adfb11b215b349e7c2c14e95b6762a6a83b4b06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0913336.exe
      Filesize

      120KB

      MD5

      2c9bdeb490f0a005396310963308384f

      SHA1

      fe6c8ea1ebec0ffe341d7cfad24f5c60e29c6fa9

      SHA256

      cb92a7173338e61544e85a15afa9a78c0391255148bae87a3ef89dcc2caa6388

      SHA512

      0710ff334783c65ec2b89f1b537b0d2b98c785fda2b571778d0e142360c092aa8d585fce1923d9ccd822dc5c5adfb11b215b349e7c2c14e95b6762a6a83b4b06

      Download Submit
    • memory/1248-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1536-161-0x0000000000F10000-0x0000000000F1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3132-175-0x0000000000260000-0x0000000000290000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3132-176-0x000000000A530000-0x000000000AB48000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3132-177-0x000000000A0A0000-0x000000000A1AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3132-178-0x0000000009FE0000-0x0000000009FF2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3132-180-0x000000000A040000-0x000000000A07C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3132-179-0x0000000004B80000-0x0000000004B90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3132-182-0x0000000004B80000-0x0000000004B90000-memory.dmp
      Filesize

      64KB

      Download