Overview

overview

10

Static

static

3

6514103594...96.exe

windows7-x64

10

6514103594...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2023 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65141035941017854ad4ac7a2ad9ff6e553da933a2311843f2144366946a2796.exe

  • Size

    739KB

  • MD5

    302b0f6d712eba3d1a0b8ebf8dc98aec

  • SHA1

    6c564fafa65f2ab0b6bd5ea791cac254ab7cf331

  • SHA256

    65141035941017854ad4ac7a2ad9ff6e553da933a2311843f2144366946a2796

  • SHA512

    4d1e5352ecf82540e3ee2b065bb3ca32b1bac2d5291eeb94a8d896b89369b86b09f68943fde2ca6ac50aac2d629bfd8b74f5565c790d7834f2e53368fff634c6

  • SSDEEP

    12288:IMrWy90kbJ6cC+DS6NYfJBBHjUmHzf7J3NPS/qygFBreKIvBCJW5yoQP:eyNJTDSdPbN3NPGqyyBrkIJIyvP

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65141035941017854ad4ac7a2ad9ff6e553da933a2311843f2144366946a2796.exe
    "C:\Users\Admin\AppData\Local\Temp\65141035941017854ad4ac7a2ad9ff6e553da933a2311843f2144366946a2796.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1308
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1656
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2016
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 140
              6⤵
              • Program crash
              PID:1280
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
          4⤵
          • Executes dropped EXE
          PID:4432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1656 -ip 1656
    1⤵
      PID:2240

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
      Filesize

      532KB

      MD5

      9f3cba9132e818f87b82bfd1dec1ef44

      SHA1

      a62c86a3a16263279074a6646cfcfc2778b89899

      SHA256

      27ea521651300c184d2c57a793e81301b1324b4917981bacbc61e17352a6365f

      SHA512

      be66a8c534a2ef754c0ceda136abc54d74453cf7ee7ad8918c46ba62fa7617c2ebfe88f8022f6e2aacd32cd632164b688218fb3b1172b7e991e237e17a47de3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7531338.exe
      Filesize

      532KB

      MD5

      9f3cba9132e818f87b82bfd1dec1ef44

      SHA1

      a62c86a3a16263279074a6646cfcfc2778b89899

      SHA256

      27ea521651300c184d2c57a793e81301b1324b4917981bacbc61e17352a6365f

      SHA512

      be66a8c534a2ef754c0ceda136abc54d74453cf7ee7ad8918c46ba62fa7617c2ebfe88f8022f6e2aacd32cd632164b688218fb3b1172b7e991e237e17a47de3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
      Filesize

      359KB

      MD5

      8ddd700c9c58bcbd61948ece8102ce15

      SHA1

      60d9e88620ad374384020bd11a3e23db380e2981

      SHA256

      33c336e8ba629bcc31057daba0ae8c010e73d559a9209792833ef49213507560

      SHA512

      8b95247a00a9621a794d86f8be57208acc6447bb1ab86d3c1c51d55f2e130da8130984aac7f6640fb45f4f3500091f7d2ad76874c3c37296ba6c8956ff6bd48f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9263717.exe
      Filesize

      359KB

      MD5

      8ddd700c9c58bcbd61948ece8102ce15

      SHA1

      60d9e88620ad374384020bd11a3e23db380e2981

      SHA256

      33c336e8ba629bcc31057daba0ae8c010e73d559a9209792833ef49213507560

      SHA512

      8b95247a00a9621a794d86f8be57208acc6447bb1ab86d3c1c51d55f2e130da8130984aac7f6640fb45f4f3500091f7d2ad76874c3c37296ba6c8956ff6bd48f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
      Filesize

      172KB

      MD5

      7c412cfbd52a7cdc085f22d008303140

      SHA1

      97b64b26e4ae34360f4642b823e1a2d66d3be7d7

      SHA256

      0adfdaf7ffac50f3e5bfebe95f1a33552447ca7d800080f767f9b3b8d1780135

      SHA512

      84f4b21f1df6cef5b39ca541af4a5615d8e9d6ef2749454a04fd65cdfd9b2179697417987cdc57584611405505fb54dd64a632f23108d0bb664b13ed67e6cb22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3276124.exe
      Filesize

      172KB

      MD5

      7c412cfbd52a7cdc085f22d008303140

      SHA1

      97b64b26e4ae34360f4642b823e1a2d66d3be7d7

      SHA256

      0adfdaf7ffac50f3e5bfebe95f1a33552447ca7d800080f767f9b3b8d1780135

      SHA512

      84f4b21f1df6cef5b39ca541af4a5615d8e9d6ef2749454a04fd65cdfd9b2179697417987cdc57584611405505fb54dd64a632f23108d0bb664b13ed67e6cb22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
      Filesize

      204KB

      MD5

      025ea76ef219cf2e4595af6f23a0e034

      SHA1

      f3a77c3bb4fb22b3412b798351e73ef9190d3578

      SHA256

      c54ddd3e51f87225c221176cc14df29777e6d17d59e8cc024ccdffced861ae13

      SHA512

      91c697dcec32c107bec0b5b97c6e2b8c998fed38aa74dc446d131eabc4b9e7fa009fc75eca257d00937dd42727b348de0a8626f4dae79ea0a3cf4cb904f9a432

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5183631.exe
      Filesize

      204KB

      MD5

      025ea76ef219cf2e4595af6f23a0e034

      SHA1

      f3a77c3bb4fb22b3412b798351e73ef9190d3578

      SHA256

      c54ddd3e51f87225c221176cc14df29777e6d17d59e8cc024ccdffced861ae13

      SHA512

      91c697dcec32c107bec0b5b97c6e2b8c998fed38aa74dc446d131eabc4b9e7fa009fc75eca257d00937dd42727b348de0a8626f4dae79ea0a3cf4cb904f9a432

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
      Filesize

      13KB

      MD5

      b98df5064ab62453b88540430ad97abe

      SHA1

      5c5dea6c3ca46227479d50917e155d13d4564c27

      SHA256

      d487ea328b6c6a98a959bca8ebeaac10cea1ff9b202a1448d09be034cd328664

      SHA512

      e4bafc90cf556acd3edb994ee9bf578a771d6c13e81cf9935dfff3201e897ab968caf9ddb230229d595d65df1b4f10d3076b4be13ecd4b7af62d6f0c11cb3dca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3031433.exe
      Filesize

      13KB

      MD5

      b98df5064ab62453b88540430ad97abe

      SHA1

      5c5dea6c3ca46227479d50917e155d13d4564c27

      SHA256

      d487ea328b6c6a98a959bca8ebeaac10cea1ff9b202a1448d09be034cd328664

      SHA512

      e4bafc90cf556acd3edb994ee9bf578a771d6c13e81cf9935dfff3201e897ab968caf9ddb230229d595d65df1b4f10d3076b4be13ecd4b7af62d6f0c11cb3dca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
      Filesize

      120KB

      MD5

      bb3d19feded6b3f3b78efdec80fc3aba

      SHA1

      b115c21e2304ae26d0f56917fa798d7bf784ba24

      SHA256

      61310e75dcf5e3c0975ce16622d4f0568e32fa9fd45ae3e49d7e9f27498ab547

      SHA512

      9b7f76c158e9f24c34e8cbaff7ee1a0a647b3cde59e341f055cb9238e1947cfcaeb19596957fa9544ab0988614a50b77f62ebc689d7281f543ab84bde517c69b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3728369.exe
      Filesize

      120KB

      MD5

      bb3d19feded6b3f3b78efdec80fc3aba

      SHA1

      b115c21e2304ae26d0f56917fa798d7bf784ba24

      SHA256

      61310e75dcf5e3c0975ce16622d4f0568e32fa9fd45ae3e49d7e9f27498ab547

      SHA512

      9b7f76c158e9f24c34e8cbaff7ee1a0a647b3cde59e341f055cb9238e1947cfcaeb19596957fa9544ab0988614a50b77f62ebc689d7281f543ab84bde517c69b

      Download Submit

    • memory/2016-167-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2792-161-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4432-175-0x00000000006B0000-0x00000000006E0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4432-176-0x000000000A9A0000-0x000000000AFB8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4432-177-0x000000000A4F0000-0x000000000A5FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4432-178-0x000000000A430000-0x000000000A442000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4432-179-0x000000000A490000-0x000000000A4CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4432-180-0x0000000004EF0000-0x0000000004F00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4432-182-0x0000000004EF0000-0x0000000004F00000-memory.dmp

      Filesize

      64KB

      Download