redline | 5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2023 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe
Size

936KB
MD5

f0e0bbbfa57023d41eeb46c4a5cb3dbc
SHA1

b34788e8ed24df9d31642cbd9ca50f241d68ccfa
SHA256

5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765
SHA512

0d3d53bcd8a2929979fc2be47188a3f809c5de1910a0d6c5f3b560eb6a1da31a07bf914307dd9e334c1ea2b349f063316258d486df4b910b91aa6fa0d378da9e
SSDEEP

24576:MyhpdWQ9J3JrK1aHXNBjTFOy2SAFN+KZY4:7hvWQFrB7jT0HzjY

Score

10^/10

redline narik evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9082356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9082356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9082356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9082356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9082356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9082356.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3292	v2856206.exe
3332	v8050460.exe
2088	v7514760.exe
3960	v6568728.exe
976	a9082356.exe
3624	b6940357.exe
2232	c7637824.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9082356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9082356.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8050460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7514760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6568728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2856206.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
976	a9082356.exe
976	a9082356.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	a9082356.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3292	2708	5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe	82
PID 2708 wrote to memory of 3292	2708	5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe	82
PID 2708 wrote to memory of 3292	2708	5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe	82
PID 3292 wrote to memory of 3332	3292	v2856206.exe	84
PID 3292 wrote to memory of 3332	3292	v2856206.exe	84
PID 3292 wrote to memory of 3332	3292	v2856206.exe	84
PID 3332 wrote to memory of 2088	3332	v8050460.exe	85
PID 3332 wrote to memory of 2088	3332	v8050460.exe	85
PID 3332 wrote to memory of 2088	3332	v8050460.exe	85
PID 2088 wrote to memory of 3960	2088	v7514760.exe	86
PID 2088 wrote to memory of 3960	2088	v7514760.exe	86
PID 2088 wrote to memory of 3960	2088	v7514760.exe	86
PID 3960 wrote to memory of 976	3960	v6568728.exe	87
PID 3960 wrote to memory of 976	3960	v6568728.exe	87
PID 3960 wrote to memory of 976	3960	v6568728.exe	87
PID 3960 wrote to memory of 3624	3960	v6568728.exe	88
PID 3960 wrote to memory of 3624	3960	v6568728.exe	88
PID 3960 wrote to memory of 3624	3960	v6568728.exe	88
PID 2088 wrote to memory of 2232	2088	v7514760.exe	89
PID 2088 wrote to memory of 2232	2088	v7514760.exe	89
PID 2088 wrote to memory of 2232	2088	v7514760.exe	89

C:\Users\Admin\AppData\Local\Temp\5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe
"C:\Users\Admin\AppData\Local\Temp\5f629b437246d8ec6086620d1d3c61f5d9dcfb352448e2f88a8aae996361a765.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2856206.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2856206.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8050460.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8050460.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7514760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7514760.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6568728.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6568728.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9082356.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9082356.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6940357.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6940357.exe
        6⤵
        Executes dropped EXE
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7637824.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7637824.exe
        5⤵
        Executes dropped EXE
        
        PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2856206.exe

Filesize
830KB

MD5
f6926fda9b8443485b6ebe56ab022350

SHA1
3ef31a1c2526c3ac31aa78da85c9c9b20b996744

SHA256
fa04a7601f1e0bd6f4723829e93278aa30cf611c7b99c986158796a81bc4353b

SHA512
0d28c569ab1d17a80daa1cdbf073979e3852c7bcce3ee3faa8d02392be728d60ab8fd0f32ad8e862574bb493203b8e6423ecde1d93f102945fa3d69047d8ad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2856206.exe

Filesize
830KB

MD5
f6926fda9b8443485b6ebe56ab022350

SHA1
3ef31a1c2526c3ac31aa78da85c9c9b20b996744

SHA256
fa04a7601f1e0bd6f4723829e93278aa30cf611c7b99c986158796a81bc4353b

SHA512
0d28c569ab1d17a80daa1cdbf073979e3852c7bcce3ee3faa8d02392be728d60ab8fd0f32ad8e862574bb493203b8e6423ecde1d93f102945fa3d69047d8ad07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8050460.exe

Filesize
606KB

MD5
d8f0c0f6c8678612984ca92d5a923985

SHA1
77408493119eaf599fe13fe3b47d88dde13eab52

SHA256
e3eeff75e039057b1ec70cec7fa8988234b23fbe2b8298b68b0cc52292dd6933

SHA512
94ed86ce2acce639f2202502cc7a764e571830b5ba93630d4d0a0a754140a32a6b313b90bc1ca9a881a2473a3d8d773322424b630e82b6d1366d2834159a6b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8050460.exe

Filesize
606KB

MD5
d8f0c0f6c8678612984ca92d5a923985

SHA1
77408493119eaf599fe13fe3b47d88dde13eab52

SHA256
e3eeff75e039057b1ec70cec7fa8988234b23fbe2b8298b68b0cc52292dd6933

SHA512
94ed86ce2acce639f2202502cc7a764e571830b5ba93630d4d0a0a754140a32a6b313b90bc1ca9a881a2473a3d8d773322424b630e82b6d1366d2834159a6b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7514760.exe

Filesize
481KB

MD5
e6f2801291ea9f0047840ae04b471c95

SHA1
c1cbd9bddb34fd436d1c4949ad8c6ae5dc0fd9a7

SHA256
1ce45dc39b37b7c45c95d63cc70f30480d342f900d6432141708633dccc47af4

SHA512
23c2b3140e8994dcbc0c9fbc28e2b08bfa26ce1e3290c8d7df94b1fb3fccca3ee9bb320ea7450daf05328cc5d362c87b63d11931e46cdcd690224bc3cdc20fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7514760.exe

Filesize
481KB

MD5
e6f2801291ea9f0047840ae04b471c95

SHA1
c1cbd9bddb34fd436d1c4949ad8c6ae5dc0fd9a7

SHA256
1ce45dc39b37b7c45c95d63cc70f30480d342f900d6432141708633dccc47af4

SHA512
23c2b3140e8994dcbc0c9fbc28e2b08bfa26ce1e3290c8d7df94b1fb3fccca3ee9bb320ea7450daf05328cc5d362c87b63d11931e46cdcd690224bc3cdc20fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7637824.exe

Filesize
174KB

MD5
42571e02a8a0d53cb002ce05deacf4bd

SHA1
8397b7d02d2d53f233aff38cea762f4706324d27

SHA256
f1642f41d9c32221d5398a154da26009aa6bbbf049f14163de90844a32352425

SHA512
cd71fbf8d55f62647eddfd49a0e7788de2a18ed1d16a5a3864c03363c7c6c22fcae0dab497052b2825a11eceade39970a436522fff11cef161f9ea6d4b0d5ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7637824.exe

Filesize
174KB

MD5
42571e02a8a0d53cb002ce05deacf4bd

SHA1
8397b7d02d2d53f233aff38cea762f4706324d27

SHA256
f1642f41d9c32221d5398a154da26009aa6bbbf049f14163de90844a32352425

SHA512
cd71fbf8d55f62647eddfd49a0e7788de2a18ed1d16a5a3864c03363c7c6c22fcae0dab497052b2825a11eceade39970a436522fff11cef161f9ea6d4b0d5ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6568728.exe

Filesize
325KB

MD5
0a4cf5fd8c1f653e7548b2a9b2887291

SHA1
9c4726208a197b8280f3400dc1c8bd9be55c14cb

SHA256
c619915d5140d33caa0e869b919074a6c94ed4d17779f236fdeb113f44936693

SHA512
e98ff5cff164cf2fc0d98ead0c6e38dc267aa4e8de1652357960fffaf00f0f89d4e7deb32d76eacb44cd9b92973e70a719a57ae89b603da1c5c507f816bef767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6568728.exe

Filesize
325KB

MD5
0a4cf5fd8c1f653e7548b2a9b2887291

SHA1
9c4726208a197b8280f3400dc1c8bd9be55c14cb

SHA256
c619915d5140d33caa0e869b919074a6c94ed4d17779f236fdeb113f44936693

SHA512
e98ff5cff164cf2fc0d98ead0c6e38dc267aa4e8de1652357960fffaf00f0f89d4e7deb32d76eacb44cd9b92973e70a719a57ae89b603da1c5c507f816bef767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9082356.exe

Filesize
184KB

MD5
0fc812cf32b3d6f7592d79ce020f2b3e

SHA1
110d6a457f2c0ee0f5b88d531f0413a6025a4f5c

SHA256
ededfccd2bf870716ae6b64106e321e905832fd18fb02d008494a236060c5b50

SHA512
67acca9d9b45342885a95fe00b39b16f9a0740067dfefdb44cc93716439c80baf9712b2ba4696014ae36e7fe66ff92f72cb05c7122c01fe037800acbe1e2dd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9082356.exe

Filesize
184KB

MD5
0fc812cf32b3d6f7592d79ce020f2b3e

SHA1
110d6a457f2c0ee0f5b88d531f0413a6025a4f5c

SHA256
ededfccd2bf870716ae6b64106e321e905832fd18fb02d008494a236060c5b50

SHA512
67acca9d9b45342885a95fe00b39b16f9a0740067dfefdb44cc93716439c80baf9712b2ba4696014ae36e7fe66ff92f72cb05c7122c01fe037800acbe1e2dd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6940357.exe

Filesize
140KB

MD5
cfdc581c377047a78b01f5d1a8a3b236

SHA1
9678a5b7eea88c90a38b3690e63573aa88d938b1

SHA256
74cf987ebfd2ba1143080526c07afd0bd753f265c7c90738fcec2dea18720bac

SHA512
254420dde135e7d5543a1b399dd3a185c76180d56e7b30b18b9587c9ba48350ef2179e422325f2f05335f698930b3f54b4167fc348fef82499541b4b68de315f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6940357.exe

Filesize
140KB

MD5
cfdc581c377047a78b01f5d1a8a3b236

SHA1
9678a5b7eea88c90a38b3690e63573aa88d938b1

SHA256
74cf987ebfd2ba1143080526c07afd0bd753f265c7c90738fcec2dea18720bac

SHA512
254420dde135e7d5543a1b399dd3a185c76180d56e7b30b18b9587c9ba48350ef2179e422325f2f05335f698930b3f54b4167fc348fef82499541b4b68de315f

Download Submit
memory/976-36-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/976-67-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/976-39-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-48-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-46-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-66-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-64-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-62-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-60-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-58-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-56-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-54-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-52-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-50-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-44-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-40-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-68-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/976-70-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/976-42-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/976-38-0x0000000004970000-0x0000000004F14000-memory.dmp

Filesize
5.6MB

Download
memory/976-37-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/976-35-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/2232-78-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/2232-77-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download
memory/2232-79-0x000000000B460000-0x000000000BA78000-memory.dmp

Filesize
6.1MB

Download
memory/2232-80-0x000000000AFA0000-0x000000000B0AA000-memory.dmp

Filesize
1.0MB

Download
memory/2232-81-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/2232-82-0x000000000AEE0000-0x000000000AEF2000-memory.dmp

Filesize
72KB

Download
memory/2232-83-0x000000000AF40000-0x000000000AF7C000-memory.dmp

Filesize
240KB

Download
memory/2232-84-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/2232-85-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download