Analysis
- max time kernel: 137s
- max time network: 152s
- platform: windows10-1703_x64
- resource: win10-20230831-en
- resource tags: arch:x64, arch:x86, image:win10-20230831-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-09-2023 10:55
Static task: static1
Behavioral task: behavioral1
Sample: 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe
Resource: win10-20230831-en
General
- Target: 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe
- Size: 662KB
- MD5: 1ed3b89ce055490ab9d70ca02d71ebb0
- SHA1: 427137db27b5febe5e08c1e9325d6f73c79e68da
- SHA256: 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01
- SHA512: 666b6b9a85ed230ea4a5a6e08f2b19daebcb68d3f600cf60b3f3c453887828fd9e4d20667ecc572b144e9c4c1947f4e7bbf6c40a7efc1c79c7a9fa70e7f3170e
- SSDEEP: 12288:YMrPy90dJ0rhb8I/c9hg29FURqzlEf7b7df3oYgpriGq/2Q:XyuJ0rhwI/Ma29nzlkb7dfopp6OQ
Malware Config
Extracted
- Family: redline
- Botnet: lada
- C2: 77.91.124.82:19071
- auth_value: 252f78fed0684205b098417688fa33e2
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (4 IoCs)
  PID   Process
  2716  y8005731.exe
  4856  y3752219.exe
  4428  m5502380.exe
  2732  n5685214.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe, y8005731.exe, y3752219.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: y8005731.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: y3752219.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe, y8005731.exe, y3752219.exe
  Source PID  Source process                                                            Target PID  Target process
  4432        730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe     2716        y8005731.exe
  2716        y8005731.exe                                                              4856        y3752219.exe
  4856        y3752219.exe                                                              4428        m5502380.exe
  4856        y3752219.exe                                                              2732        n5685214.exe
  Each of the four writes is recorded three times in the event log, giving the 12 IoCs in total.
Processes
- C:\Users\Admin\AppData\Local\Temp\730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe
  Filesize: 560KB
  MD5: 5911efd37d8e225934767b127fb5189b
  SHA1: e421abf7b6aa5142b7b42b811ae54e384126b3d9
  SHA256: e8ad3a8e522e652b31f7025095a920ca10af6f9a60074c79c2f27b06b702f109
  SHA512: 1d911e645d7230dd6df394fe2fda947f0fb6bf008d6caff864233301e10efae46a2483085c761415e0d085ff756c5847681793362ec4e74b5aef50543f037368
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe
  Filesize: 272KB
  MD5: 726fa26a88a1b7c66618edaaa90f4b25
  SHA1: 7002d08106999f709d8554eda0bc282f99fb1853
  SHA256: 8f8b36940cec398f4ddc7f6c2bd8688513973ab86104d6dbe6528f79ea6d7491
  SHA512: 232823720cd406529eff43805956fde2d12d37d3c6b572b11fc10e7050f2deac1db70dec46eabc00c88a1b9f0688ad3f480100060f33f8ffd3b21c989b006ab8
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe
  Filesize: 142KB
  MD5: 95c15514dc5935ece6d461abc131c134
  SHA1: 1d4072474b8e3080a506b7d26eb36860aeeba385
  SHA256: 7f083065a22dfd6a9f87777b81f55eb0f5abbbb043f371c72acf224484b7489d
  SHA512: ca0d13fafae44be29ddbf18fed7e072f057dde6e730221bf3099d5c77fa559b7e8d9bd217eacdadb060b4aaab20a70740e21d086ce6508d85ba5525f941cc9f1
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe
  Filesize: 174KB
  MD5: 82b87916b108486eb40d064dc4998a6a
  SHA1: 83c756bbd367599429d5ebd78c2d0602210be7de
  SHA256: 95df9fa15294d0d74014ce47743676be345df96e02174da08f9aac6cff894daf
  SHA512: 37b36d141bd4cfa76a88bcf25807938f9b08683adc3a10a804544427d018bf7ae1bce2fb0f5074552792fee6fd281f1d8d00cdef7d592c78b8c7dd8a3f43c357
- memory/2732-24-0x0000000000CE0000-0x0000000000D10000-memory.dmp (Filesize: 192KB)
- memory/2732-25-0x0000000073340000-0x0000000073A2E000-memory.dmp (Filesize: 6.9MB)
- memory/2732-26-0x0000000002F70000-0x0000000002F76000-memory.dmp (Filesize: 24KB)
- memory/2732-27-0x0000000005BE0000-0x00000000061E6000-memory.dmp (Filesize: 6.0MB)
- memory/2732-28-0x00000000056E0000-0x00000000057EA000-memory.dmp (Filesize: 1.0MB)
- memory/2732-29-0x0000000005600000-0x0000000005612000-memory.dmp (Filesize: 72KB)
- memory/2732-30-0x0000000005660000-0x000000000569E000-memory.dmp (Filesize: 248KB)
- memory/2732-31-0x00000000057F0000-0x000000000583B000-memory.dmp (Filesize: 300KB)
- memory/2732-32-0x0000000073340000-0x0000000073A2E000-memory.dmp (Filesize: 6.9MB)