redline | dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe
Size

714KB
MD5

0e14a8a891137c58d81a87a840b402db
SHA1

7faec023698dfcc71eeb83b90bec3f56fd68e54e
SHA256

dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558
SHA512

8221ffdb1c6de10625aa55a2b72d5bfd20fa6cc57e3edd7654040059ad28f7f3df42b7f98d0bcdd020e30ca0f4f63d9111ff1b241dab83ee7af857ef46e81afc
SSDEEP

12288:fMrpy90+sBjvwSS2gBENcZ5Vb9M1de8nwxP2XFxvkQtYs4embt:Wy8J4SSHlZ5p6bnQP2j4s4eit

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1860	z5764717.exe
800	z0016693.exe
3036	z0640110.exe
5064	r0447947.exe
2652	s7343534.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5764717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0016693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0640110.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1860	1856	dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe	83
PID 1856 wrote to memory of 1860	1856	dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe	83
PID 1856 wrote to memory of 1860	1856	dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe	83
PID 1860 wrote to memory of 800	1860	z5764717.exe	84
PID 1860 wrote to memory of 800	1860	z5764717.exe	84
PID 1860 wrote to memory of 800	1860	z5764717.exe	84
PID 800 wrote to memory of 3036	800	z0016693.exe	85
PID 800 wrote to memory of 3036	800	z0016693.exe	85
PID 800 wrote to memory of 3036	800	z0016693.exe	85
PID 3036 wrote to memory of 5064	3036	z0640110.exe	86
PID 3036 wrote to memory of 5064	3036	z0640110.exe	86
PID 3036 wrote to memory of 5064	3036	z0640110.exe	86
PID 3036 wrote to memory of 2652	3036	z0640110.exe	87
PID 3036 wrote to memory of 2652	3036	z0640110.exe	87
PID 3036 wrote to memory of 2652	3036	z0640110.exe	87

C:\Users\Admin\AppData\Local\Temp\dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe
"C:\Users\Admin\AppData\Local\Temp\dd74fc070214b6f1667286415ceca29f7bf867bae4414be55ba0a22cccb38558.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5764717.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5764717.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0016693.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0016693.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0640110.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0640110.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0447947.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0447947.exe
        5⤵
        Executes dropped EXE
        
        PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7343534.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7343534.exe
        5⤵
        Executes dropped EXE
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5764717.exe

Filesize
598KB

MD5
79febfddf9dd754ecc0bfad5961af1ba

SHA1
473b64b8158928d1bcb5644a9c7ff239d4ae6c3e

SHA256
99045f0cf8ba3dd4708813f6b549ac7cd3da116d3709d5b2a088b80052835927

SHA512
f9ae77e5dd5988285232322865b927759706850c9566a4f435d46519f54b00a0f1508d963b6834af9f48394b0691d70f35debb89282558cc2da0539aeb1a0d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5764717.exe

Filesize
598KB

MD5
79febfddf9dd754ecc0bfad5961af1ba

SHA1
473b64b8158928d1bcb5644a9c7ff239d4ae6c3e

SHA256
99045f0cf8ba3dd4708813f6b549ac7cd3da116d3709d5b2a088b80052835927

SHA512
f9ae77e5dd5988285232322865b927759706850c9566a4f435d46519f54b00a0f1508d963b6834af9f48394b0691d70f35debb89282558cc2da0539aeb1a0d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0016693.exe

Filesize
372KB

MD5
67ca54c1314593fd57f3410573e58d5a

SHA1
207af22b029251d20de227056fc47b6814f4b305

SHA256
f6240740d513e97c4c19b5648240b59b158b3091a1da3e847c342c243fbab76a

SHA512
50edf8154b291593689e7af3112ce69eea74a897ff7eeeb8c339665a0f044b2f1f036c7bf02ff3cd827c9aef0821f1b5c4334a6bb3c0a95b2ffda8007f48b1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0016693.exe

Filesize
372KB

MD5
67ca54c1314593fd57f3410573e58d5a

SHA1
207af22b029251d20de227056fc47b6814f4b305

SHA256
f6240740d513e97c4c19b5648240b59b158b3091a1da3e847c342c243fbab76a

SHA512
50edf8154b291593689e7af3112ce69eea74a897ff7eeeb8c339665a0f044b2f1f036c7bf02ff3cd827c9aef0821f1b5c4334a6bb3c0a95b2ffda8007f48b1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0640110.exe

Filesize
271KB

MD5
f329753517764a0f8136a381933462a2

SHA1
38aaa1eba39d5008d3db9e98a9b2f793f586b3d7

SHA256
6f939e732e358019f139eb551c1caffda1f02cf3cc1576944c5d8fe8cc67298f

SHA512
a557f3c9995b9e84fbe606bbae1b83fd61c075dd0ffa6d084dafb803fe0e34c94b333495d8adfbbed9014aee988c3fdd554be383986cbb3920a7594ab91638f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0640110.exe

Filesize
271KB

MD5
f329753517764a0f8136a381933462a2

SHA1
38aaa1eba39d5008d3db9e98a9b2f793f586b3d7

SHA256
6f939e732e358019f139eb551c1caffda1f02cf3cc1576944c5d8fe8cc67298f

SHA512
a557f3c9995b9e84fbe606bbae1b83fd61c075dd0ffa6d084dafb803fe0e34c94b333495d8adfbbed9014aee988c3fdd554be383986cbb3920a7594ab91638f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0447947.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0447947.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7343534.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7343534.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/2652-164-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/2652-165-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2652-166-0x0000000005C10000-0x0000000006228000-memory.dmp

Filesize
6.1MB

Download
memory/2652-167-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/2652-168-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/2652-169-0x00000000056C0000-0x00000000056D2000-memory.dmp

Filesize
72KB

Download
memory/2652-170-0x0000000005720000-0x000000000575C000-memory.dmp

Filesize
240KB

Download
memory/2652-171-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2652-172-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads