Overview

overview

10

Static

static

3

02e044f33d...05.exe

windows7-x64

10

02e044f33d...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2023 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e044f33dcb6f529b9a2cab9399a005.exe

  • Size

    772KB

  • MD5

    02e044f33dcb6f529b9a2cab9399a005

  • SHA1

    26160bacfe6b9bae3dbe09f1bd49e351ac421589

  • SHA256

    e447ae1f8224e2b964c69128ec258560a374151a8ee932670feb7a2670163682

  • SHA512

    0efd491f73eaf13fd489c04a349c09a90dcb52cf5706eb806df9ac49fd60d3297e27f77a9fff422e4b41c2902dfea43f9494088db29de0194c2545521a8889f2

  • SSDEEP

    24576:sy7vAUKqx3rIKX0OMHZp6oqAgM34iaqR:b0UKqrX0D5p6oqo9a

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.129:19068

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e044f33dcb6f529b9a2cab9399a005.exe
    "C:\Users\Admin\AppData\Local\Temp\02e044f33dcb6f529b9a2cab9399a005.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0405136.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0405136.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6573730.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6573730.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4446936.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4446936.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5163199.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5163199.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1424
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0275657.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0275657.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1272
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4828
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 152
              6⤵
              • Program crash
              PID:3640
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9324746.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9324746.exe
          4⤵
          • Executes dropped EXE
          PID:2788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1272 -ip 1272
    1⤵
      PID:116

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0405136.exe
      Filesize

      549KB

      MD5

      9ec2233496a9c5fd2bce561f5c89ebd2

      SHA1

      620e0258a02689040acd61b3e476effab05d8667

      SHA256

      f7b8e00844d4c777b7103a6bf92cc5a67a495df0d4b4ebe5487ac513a7495cfa

      SHA512

      e60c0c8ed3cc43d149b61f784ef4f12936c95b331468ee6852cfceae246eb944f071bb7ea126f67abdacda558ef8f55218aca5d0788ac92c31babc6ad6677670

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0405136.exe
      Filesize

      549KB

      MD5

      9ec2233496a9c5fd2bce561f5c89ebd2

      SHA1

      620e0258a02689040acd61b3e476effab05d8667

      SHA256

      f7b8e00844d4c777b7103a6bf92cc5a67a495df0d4b4ebe5487ac513a7495cfa

      SHA512

      e60c0c8ed3cc43d149b61f784ef4f12936c95b331468ee6852cfceae246eb944f071bb7ea126f67abdacda558ef8f55218aca5d0788ac92c31babc6ad6677670

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6573730.exe
      Filesize

      377KB

      MD5

      c7c5c5289d705f59c2a9867efebf8f3a

      SHA1

      8a6371d077529d4402de763940bb17f57f5e6e78

      SHA256

      befefd833bca12a1d05fb369848f0e01f9ce520999151822ca84ad1f09005dd8

      SHA512

      c8fad052364b49c1bd2fe8c96265967d393a05bda6f71f62df03733c393534a651ee2abd283e8da2873e85237c82a4e274db2f4d7b1ded8bbf6e54fe4260eee7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6573730.exe
      Filesize

      377KB

      MD5

      c7c5c5289d705f59c2a9867efebf8f3a

      SHA1

      8a6371d077529d4402de763940bb17f57f5e6e78

      SHA256

      befefd833bca12a1d05fb369848f0e01f9ce520999151822ca84ad1f09005dd8

      SHA512

      c8fad052364b49c1bd2fe8c96265967d393a05bda6f71f62df03733c393534a651ee2abd283e8da2873e85237c82a4e274db2f4d7b1ded8bbf6e54fe4260eee7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9324746.exe
      Filesize

      172KB

      MD5

      98a688d0cfa03147c49f9c0afdb06c89

      SHA1

      d302b0bf93681315804bc83078d58ff2f65d1fb3

      SHA256

      9ecc9f77511fc7985a02ac17988473c0268a7cbdef2044ae807b66b1c442a44b

      SHA512

      0502453f98bf1150f4a01780fdae6c7677b9f5cacc49dffc69cb60252664d63fab08b9d4534c6df77f2e84de198483eebfe79c0506a936eb4ae1f3dd0aeead19

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9324746.exe
      Filesize

      172KB

      MD5

      98a688d0cfa03147c49f9c0afdb06c89

      SHA1

      d302b0bf93681315804bc83078d58ff2f65d1fb3

      SHA256

      9ecc9f77511fc7985a02ac17988473c0268a7cbdef2044ae807b66b1c442a44b

      SHA512

      0502453f98bf1150f4a01780fdae6c7677b9f5cacc49dffc69cb60252664d63fab08b9d4534c6df77f2e84de198483eebfe79c0506a936eb4ae1f3dd0aeead19

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4446936.exe
      Filesize

      221KB

      MD5

      0aba90473adfd6b70a5238ab204b1957

      SHA1

      cbb3e986a04c46f100088ec3b54c1c3d9ae7ca60

      SHA256

      498bdd35a121545e7057f88db58c2d32f4bc28ae8f821b87b324f20a64158787

      SHA512

      f9bbcde8019532995ecb7bf369b084d1f97926e9d2cfbab54736aff64251ccf8c618bcb6f2980eec6907d43ec009b8669d5691d7748a47c354b46736d8086a97

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4446936.exe
      Filesize

      221KB

      MD5

      0aba90473adfd6b70a5238ab204b1957

      SHA1

      cbb3e986a04c46f100088ec3b54c1c3d9ae7ca60

      SHA256

      498bdd35a121545e7057f88db58c2d32f4bc28ae8f821b87b324f20a64158787

      SHA512

      f9bbcde8019532995ecb7bf369b084d1f97926e9d2cfbab54736aff64251ccf8c618bcb6f2980eec6907d43ec009b8669d5691d7748a47c354b46736d8086a97

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5163199.exe
      Filesize

      14KB

      MD5

      7096f4f04b13a72a77898aa25885228d

      SHA1

      e7a5d2785d2fdaa07af3404aad30a533270bb0d5

      SHA256

      967fec8e4941a64b2a4cff09431b330eb5ad72af68c1898fd8a02b7072f501a7

      SHA512

      a68c595b49774d2d8927f9ba108dabf9eb54e94578547f976d4cdae7249da6db32d7d1477a542f049bdd43dc74c5ea32e1e9bee6d70b59a744c6c23c0b48506e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5163199.exe
      Filesize

      14KB

      MD5

      7096f4f04b13a72a77898aa25885228d

      SHA1

      e7a5d2785d2fdaa07af3404aad30a533270bb0d5

      SHA256

      967fec8e4941a64b2a4cff09431b330eb5ad72af68c1898fd8a02b7072f501a7

      SHA512

      a68c595b49774d2d8927f9ba108dabf9eb54e94578547f976d4cdae7249da6db32d7d1477a542f049bdd43dc74c5ea32e1e9bee6d70b59a744c6c23c0b48506e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0275657.exe
      Filesize

      148KB

      MD5

      319854863f58438f17c56de870e6a868

      SHA1

      66817a3aa1996a9fd178818d2c9345526ac2a0d4

      SHA256

      2caca525528e6347200f752bf82d67c5e24818c2717e400eb1994ed585523deb

      SHA512

      c76ff6d790f9222b1d96786de5be3a25098737e9fa7b4e9bb278fbd7deae3f041e8bf37eeeb7b25f4e55dd364de84d4fc29d1b3993b0be59a65d953652a395b4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0275657.exe
      Filesize

      148KB

      MD5

      319854863f58438f17c56de870e6a868

      SHA1

      66817a3aa1996a9fd178818d2c9345526ac2a0d4

      SHA256

      2caca525528e6347200f752bf82d67c5e24818c2717e400eb1994ed585523deb

      SHA512

      c76ff6d790f9222b1d96786de5be3a25098737e9fa7b4e9bb278fbd7deae3f041e8bf37eeeb7b25f4e55dd364de84d4fc29d1b3993b0be59a65d953652a395b4

      Download Submit
    • memory/1424-161-0x0000000000DD0000-0x0000000000DDA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2788-174-0x0000000000C30000-0x0000000000C60000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2788-175-0x000000000B030000-0x000000000B648000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2788-176-0x000000000ABB0000-0x000000000ACBA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2788-177-0x000000000AAF0000-0x000000000AB02000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2788-178-0x0000000005570000-0x0000000005580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2788-179-0x000000000AB50000-0x000000000AB8C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2788-181-0x0000000005570000-0x0000000005580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4828-166-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download