redline | d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6

Analysis

max time kernel
139s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe
Size

1.0MB
MD5

c24f2fe24be664417f13029dbf45342f
SHA1

3aa2ce5befca1e764a925287bc912b7f9649dff3
SHA256

d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6
SHA512

0f6df9f973f84022fd0001a15df05d6f44943a9752aa30add11fa225e6119c96f4b8b9f5a2ebeb25f891110316ea9831692ed08b43a7a0e822d2bc798bdcd017
SSDEEP

24576:gyDTFq3m9BV7CbmPDt6SZReUIX1Xg/pQFAhXPM:nDZZBmqLb4UIwp8Ah

Score

10^/10

redline narik evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3018701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3018701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3018701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3018701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3018701.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	q3018701.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4820	z8815806.exe
396	z3680674.exe
4304	z7432453.exe
1560	z1655556.exe
3828	q3018701.exe
1456	r8533371.exe
3304	s8813346.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	q3018701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3018701.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1655556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8815806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3680674.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7432453.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	q3018701.exe
3828	q3018701.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	q3018701.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4820	5100	d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe	88
PID 5100 wrote to memory of 4820	5100	d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe	88
PID 5100 wrote to memory of 4820	5100	d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe	88
PID 4820 wrote to memory of 396	4820	z8815806.exe	89
PID 4820 wrote to memory of 396	4820	z8815806.exe	89
PID 4820 wrote to memory of 396	4820	z8815806.exe	89
PID 396 wrote to memory of 4304	396	z3680674.exe	91
PID 396 wrote to memory of 4304	396	z3680674.exe	91
PID 396 wrote to memory of 4304	396	z3680674.exe	91
PID 4304 wrote to memory of 1560	4304	z7432453.exe	92
PID 4304 wrote to memory of 1560	4304	z7432453.exe	92
PID 4304 wrote to memory of 1560	4304	z7432453.exe	92
PID 1560 wrote to memory of 3828	1560	z1655556.exe	93
PID 1560 wrote to memory of 3828	1560	z1655556.exe	93
PID 1560 wrote to memory of 3828	1560	z1655556.exe	93
PID 1560 wrote to memory of 1456	1560	z1655556.exe	94
PID 1560 wrote to memory of 1456	1560	z1655556.exe	94
PID 1560 wrote to memory of 1456	1560	z1655556.exe	94
PID 4304 wrote to memory of 3304	4304	z7432453.exe	95
PID 4304 wrote to memory of 3304	4304	z7432453.exe	95
PID 4304 wrote to memory of 3304	4304	z7432453.exe	95

C:\Users\Admin\AppData\Local\Temp\d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe
"C:\Users\Admin\AppData\Local\Temp\d30d8079fdec2eef006c114eff8c6968c9c243a7af6f93f9dda43a31991f16e6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8815806.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8815806.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3680674.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3680674.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7432453.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7432453.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1655556.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1655556.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3018701.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3018701.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8533371.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8533371.exe
        6⤵
        Executes dropped EXE
        
        PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8813346.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8813346.exe
        5⤵
        Executes dropped EXE
        
        PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8815806.exe

Filesize
933KB

MD5
94ddd284894c47a00d9bfc54a908d2a8

SHA1
5107497fc11765d06095ab0598ac2ffb85b96f36

SHA256
3baa461b72d516ce617b72499dd5751e0b38475159acac78c51be8d3746c9d87

SHA512
1ca7a424fa4cd64f7983a319ef1f72601910ad93cc29e1b6c8b2f4ab036aee325011a1ad1d74ef6d246e5b340947f2498bf89848ed15533f5ab68cadfb206119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8815806.exe

Filesize
933KB

MD5
94ddd284894c47a00d9bfc54a908d2a8

SHA1
5107497fc11765d06095ab0598ac2ffb85b96f36

SHA256
3baa461b72d516ce617b72499dd5751e0b38475159acac78c51be8d3746c9d87

SHA512
1ca7a424fa4cd64f7983a319ef1f72601910ad93cc29e1b6c8b2f4ab036aee325011a1ad1d74ef6d246e5b340947f2498bf89848ed15533f5ab68cadfb206119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3680674.exe

Filesize
707KB

MD5
22d31977bea8221d23ced1f5b237a77d

SHA1
182bef9c1225a87139e022924cc67f80278579cb

SHA256
9b1e9adab581b45b67cbd3d275450dd9895872afad6ffbfbac1b67be17dbfcdb

SHA512
2f75e725016adedc66c6330fe4d53de3471e8aff5d9f4bffc3482c688bdbfe63ff6cb9a711ee897f2ceb60e387925ab948b5bed274df10767f114b6399a489db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3680674.exe

Filesize
707KB

MD5
22d31977bea8221d23ced1f5b237a77d

SHA1
182bef9c1225a87139e022924cc67f80278579cb

SHA256
9b1e9adab581b45b67cbd3d275450dd9895872afad6ffbfbac1b67be17dbfcdb

SHA512
2f75e725016adedc66c6330fe4d53de3471e8aff5d9f4bffc3482c688bdbfe63ff6cb9a711ee897f2ceb60e387925ab948b5bed274df10767f114b6399a489db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7432453.exe

Filesize
481KB

MD5
d8dbc8083c241e2401c30d15de509f1d

SHA1
cda221560cc2eb4187dee33a99d401ee4fcfa6a1

SHA256
5cd67bdf1de1c0c723e51cebd24053440a76deafdae62239b8fa134bb720e3b1

SHA512
703d7f7de8f713038c24c079654a2586cf05ca62b95a05303c1b936c3540766e475caa6679956ce6ccae071986e5d0423faa46fb35518df1fd92abec01249b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7432453.exe

Filesize
481KB

MD5
d8dbc8083c241e2401c30d15de509f1d

SHA1
cda221560cc2eb4187dee33a99d401ee4fcfa6a1

SHA256
5cd67bdf1de1c0c723e51cebd24053440a76deafdae62239b8fa134bb720e3b1

SHA512
703d7f7de8f713038c24c079654a2586cf05ca62b95a05303c1b936c3540766e475caa6679956ce6ccae071986e5d0423faa46fb35518df1fd92abec01249b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8813346.exe

Filesize
174KB

MD5
2a2a17647a898b3e7cb2168890dc1dc3

SHA1
15fbb5a23a97ffd55cbbb785de4de59b9094fe52

SHA256
0b5af7ab3dd548108216f1fe78f29f2075080eb367c2af3c9c9f4dff038275dc

SHA512
5e198613804986b9a1bae4d542898d478b3dc8df069283ff277ca4784ef1a2e6e7dfbaf30830f122c80fbf20849aef27b1d00ef1ce71981f8a41affa8f99e7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8813346.exe

Filesize
174KB

MD5
2a2a17647a898b3e7cb2168890dc1dc3

SHA1
15fbb5a23a97ffd55cbbb785de4de59b9094fe52

SHA256
0b5af7ab3dd548108216f1fe78f29f2075080eb367c2af3c9c9f4dff038275dc

SHA512
5e198613804986b9a1bae4d542898d478b3dc8df069283ff277ca4784ef1a2e6e7dfbaf30830f122c80fbf20849aef27b1d00ef1ce71981f8a41affa8f99e7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1655556.exe

Filesize
325KB

MD5
a5a12893d8d91f82dae31765416aecee

SHA1
89c068480d124ca6bf4e51767affa0eed8882338

SHA256
1fb60f2d7de55943d13e95b6b2d0461c9d8cdd60356259b5b421eb919034baae

SHA512
83cead7ede67c960b011664450527c1d087e27a753bf84958084a77c68348922d25e6467e0406062735df56489b1036d90585cb0f5f6d54d62da8d7d17dda602

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1655556.exe

Filesize
325KB

MD5
a5a12893d8d91f82dae31765416aecee

SHA1
89c068480d124ca6bf4e51767affa0eed8882338

SHA256
1fb60f2d7de55943d13e95b6b2d0461c9d8cdd60356259b5b421eb919034baae

SHA512
83cead7ede67c960b011664450527c1d087e27a753bf84958084a77c68348922d25e6467e0406062735df56489b1036d90585cb0f5f6d54d62da8d7d17dda602

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3018701.exe

Filesize
184KB

MD5
171f05edd8303e14277c9cec8e322c5d

SHA1
6f54bff2cc83cd2f532a704736f4d06dedabb82a

SHA256
81977acabc010c182f5bac08bd64a944f2f0fdce68f0c7daf62354fcf24704c5

SHA512
0775d47f8a40de8ded7973c69e5c9ce03fccee8e5dc2a9e90b3958cc18c82dbc045d9769ad1c9cd0c7f535638e93e9b26e6f72eb62e6f2397bc83e761bf4f9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3018701.exe

Filesize
184KB

MD5
171f05edd8303e14277c9cec8e322c5d

SHA1
6f54bff2cc83cd2f532a704736f4d06dedabb82a

SHA256
81977acabc010c182f5bac08bd64a944f2f0fdce68f0c7daf62354fcf24704c5

SHA512
0775d47f8a40de8ded7973c69e5c9ce03fccee8e5dc2a9e90b3958cc18c82dbc045d9769ad1c9cd0c7f535638e93e9b26e6f72eb62e6f2397bc83e761bf4f9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8533371.exe

Filesize
141KB

MD5
38c544e8816670abd1d0b9e0a17aef1a

SHA1
9cbee1fd7a2284a6ce20ec7cd93ddf8486d7ff47

SHA256
27c2d571f616933ffa30b6b2adec75d87b4310682a13eb497ea1dd7dfbe5695e

SHA512
f063736f482c7f5171401cfc940afcd421b621bcc3af5a078dbfb3d92d112abb5a40a7d84e57204a9edebf47d038501d42bb8915eaac0bee02803efd12c89e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8533371.exe

Filesize
141KB

MD5
38c544e8816670abd1d0b9e0a17aef1a

SHA1
9cbee1fd7a2284a6ce20ec7cd93ddf8486d7ff47

SHA256
27c2d571f616933ffa30b6b2adec75d87b4310682a13eb497ea1dd7dfbe5695e

SHA512
f063736f482c7f5171401cfc940afcd421b621bcc3af5a078dbfb3d92d112abb5a40a7d84e57204a9edebf47d038501d42bb8915eaac0bee02803efd12c89e0b

Download Submit
memory/3304-87-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3304-82-0x0000000005050000-0x000000000515A000-memory.dmp

Filesize
1.0MB

Download
memory/3304-81-0x0000000005560000-0x0000000005B78000-memory.dmp

Filesize
6.1MB

Download
memory/3304-80-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/3304-79-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/3304-83-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3304-84-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/3304-85-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

Filesize
240KB

Download
memory/3304-86-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/3828-54-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-56-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-60-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-62-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-64-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-66-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-67-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3828-68-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3828-69-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3828-70-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3828-72-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3828-58-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-52-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-50-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-48-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-46-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-44-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-42-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-40-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3828-38-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download
memory/3828-37-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3828-36-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/3828-35-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download