Analysis
max time kernel: 128s
max time network: 141s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2023 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: v5084366.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: v5084366.exe
  Resource: win10v2004-20230621-en
General
Target: v5084366.exe
Size: 749KB
MD5: d13cdcc7a3e4b53c6353806332e2a38c
SHA1: 3c077fca0e2c0164d0b3e64bf736ff657617eb64
SHA256: 4d84a8443fa38a0e67764103a311bf6a6a69683b9686cc4d861a88566d4c4f71
SHA512: 5a58fe0028a274999ed288adc9be7a584c1c76c2ef4dc3df6f44e67b9aeb475499135449c1ec9adf4ec2413dc4e6ec6d87ae2134311ccafd0ad75c0c44e8af70
SSDEEP: 12288:RMrMy90V4IbzNlS1XPir2vE3tknE7xwgT/L8hjAog2vr+YAbYb:5yg4IvvStqavOknsq6j8yogYr/AM
Malware Config
Extracted
Family: redline
Botnet: maxi
C2: 83.97.73.122:19062
auth_value: 6a3f22e5f4209b056a3fd330dc71956a
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes:
a3426371.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
These are the Group Policy values for Defender real-time protection; each one set to 1 switches off one component (behavior monitoring, download/attachment scanning, on-access scanning, real-time monitoring, the scan that normally runs when real-time protection is re-enabled). Writing all five from a freshly dropped executable is a defense-evasion step, not a legitimate configuration change.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 3 IoCs
Processes:
  PID 2044  v3439787.exe
  PID 1508  a3426371.exe
  PID 316   b7297900.exe
Loads dropped DLL 6 IoCs
Processes:
  PID 1244  v5084366.exe
  PID 2044  v3439787.exe
  PID 2044  v3439787.exe
  PID 1508  a3426371.exe
  PID 2044  v3439787.exe
  PID 316   b7297900.exe
Windows security modification 2 IoCs
Processes:
a3426371.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Note the Wow6432Node path: a 32-bit process wrote this through the WOW64 registry redirector, so the value landed in the 32-bit view rather than in HKLM\SOFTWARE\Microsoft\Windows Defender\Features, which is what the 64-bit Defender service reads. On current Windows 10 builds Tamper Protection exists precisely to block changes to this value, and the Windows 7 sandbox used here has no such feature at all. Treat the row as an attempt to disable Tamper Protection, not as evidence that it was disabled.
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
v5084366.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\""
v3439787.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\""
Both values are the standard cleanup entries that the Windows wextract self-extractor registers for itself: at the next logon, advpack.dll's DelNodeRunDLL32 deletes the IXP000.TMP and IXP001.TMP extraction directories. They confirm that v5084366.exe and v3439787.exe are nested self-extracting packages, but they do not relaunch any of the dropped binaries, so this signature is not persistence for the RedLine payload.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  PID 1508  a3426371.exe
  PID 1508  a3426371.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege  PID 1508  a3426371.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  PID 1244 (v5084366.exe) wrote to memory of PID 2044 (v3439787.exe)   7 events
  PID 2044 (v3439787.exe) wrote to memory of PID 1508 (a3426371.exe)   7 events
  PID 2044 (v3439787.exe) wrote to memory of PID 316  (b7297900.exe)   7 events
In every case the writer is the parent that spawned the target (compare the process tree below), which is the pattern a self-extractor produces when it launches its payload rather than an injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\v5084366.exe  (PID 1244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\v5084366.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe  (PID 2044, child of 1244)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe  (PID 1508, child of 2044)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe  (PID 316, child of 2044)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Three distinct files by hash:
Filesize: 305KB
MD5: a266b9b8ecb3ee0394b4287b24b42259
SHA1: 32bacbfd2e17f7b514c3dc8791c0deed296d438f
SHA256: fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb
SHA512: bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f
Filesize: 185KB
MD5: 7d2a4f1c088908e87dd8d7935cc6f094
SHA1: 9cc267650862a01dfad47c00511e5e14e44e088f
SHA256: 377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83
SHA512: a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584
Filesize: 145KB
MD5: c57b1dcdc09d6f2024fc7f879cada615
SHA1: 9ca7169888f1284c856dbaa756c2e03baa9d7295
SHA256: ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0
SHA512: 2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f