Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
13-05-2024 10:00
General
-
Target
45af188d235d1046544f5d37f950851a088373ba96053250f62b51f24faf22c0.exe
-
Size
488KB
-
MD5
e7d13d29726acf30c95c3713ce4b304b
-
SHA1
7a072a9638ba547e25d80cc4984c436b60cd1179
-
SHA256
45af188d235d1046544f5d37f950851a088373ba96053250f62b51f24faf22c0
-
SHA512
4966540b0a8f23be47bf6f57067eed271f95b17ae6a85e007f020eae286e2e0c1bd66a8e3f28e575abe2054a654f6ddae4c2985be414a4419ed8ef347e20c530
-
SSDEEP
12288:fMrmy902pcCuYEm/7HyjkjzKlO8eaxOTuKob:FytEcjx8eaxOTunb
Malware Config
Extracted
redline
debro
185.161.248.75:4132
-
auth_value
18c2c191aebfde5d1787ec8d805a01a8
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45af188d235d1046544f5d37f950851a088373ba96053250f62b51f24faf22c0.exe"C:\Users\Admin\AppData\Local\Temp\45af188d235d1046544f5d37f950851a088373ba96053250f62b51f24faf22c0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7563485.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7563485.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0950715.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0950715.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9855743.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9855743.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
316KB
MD5f4ab419fe0ec588cd73be7d2453fd89f
SHA1d16b306445962fa9457bac9871813321fd43d0cc
SHA25642f53acaac143c0dc23d3b1f603e96b42301e6fe138cc5cbee3f2db8f619ba33
SHA51285b8e503ad455cc21cbf225f3b15e8596b1718068a902c7250761697f215eee8447196b6ad5a719c3957e461ad8e8ca5b416f94491f318bd82121b6c3313c64d
-
Filesize
184KB
MD5d4c640fb500618ad6c9fc5fe7d3e784d
SHA1850df0880e1685ce709b44afbbb365cab4f0fec4
SHA256a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b
SHA512a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd
-
Filesize
168KB
MD5d95e337166edfc9070272b1b284ae733
SHA1cc9282eea85cf1cfa305cda699867e9e07f662ce
SHA256a0bef41172510834fbb36bfca0eb621ff221b5c515b61f5865c702bc1ff63afd
SHA5129fe79ffca70870a86974f2daae544785cdbfe98ddbd0d9299ce9ad93e99e2035355b1d095f4ce2fb27933f9a51b6179112a1420ca2c97a14911ec0aa4710bd7d
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
120KB
-
Filesize
88KB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB