Overview

overview

10

Static

static

3

220f464b76...f3.exe

windows10-2004-x64

10

2743aa58ac...22.exe

windows7-x64

3

2743aa58ac...22.exe

windows10-2004-x64

10

2ce9158850...93.exe

windows10-2004-x64

10

2d1e7e578c...8f.exe

windows7-x64

3

2d1e7e578c...8f.exe

windows10-2004-x64

10

6a183f77b9...7d.exe

windows10-2004-x64

10

7727481721...74.exe

windows7-x64

3

7727481721...74.exe

windows10-2004-x64

10

951f93d281...f8.exe

windows7-x64

3

951f93d281...f8.exe

windows10-2004-x64

10

9bba18a180...52.exe

windows10-2004-x64

10

a467111c1a...4b.exe

windows10-2004-x64

10

b6b30a924e...0b.exe

windows10-2004-x64

10

bdacff51fa...2b.exe

windows10-2004-x64

10

c37c4fe673...eb.exe

windows10-2004-x64

10

d0f3f32b61...38.exe

windows7-x64

3

d0f3f32b61...38.exe

windows10-2004-x64

10

d353176614...e5.exe

windows10-2004-x64

10

d49811a818...06.exe

windows7-x64

3

d49811a818...06.exe

windows10-2004-x64

10

db044599ba...af.exe

windows7-x64

3

db044599ba...af.exe

windows10-2004-x64

10

e3c9a1721d...3b.exe

windows10-2004-x64

10

ea47879989...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ce9158850627f9719e666b3f93a1508443159828dcc0aab91110d608c67b893.exe

  • Size

    488KB

  • MD5

    e497999210c7a29f76267bf656a8d5a8

  • SHA1

    179871c4f25eab45c4590d4392f43109b0436dba

  • SHA256

    2ce9158850627f9719e666b3f93a1508443159828dcc0aab91110d608c67b893

  • SHA512

    9518cf7b92a4b4b56632437bb45950a9e529fe75e2749e404fdf0eb234e462752c3592b59063c511ab4630dbd9238cf8dc8ae94f53d77e9d8cd6e5364e9f88f3

  • SSDEEP

    12288:7Mr6y90Pn98+bCRM+vppKT9t4flMp1NPBL:dyAHCtjBfcrPp

Score
10/10
redlinemixaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ce9158850627f9719e666b3f93a1508443159828dcc0aab91110d608c67b893.exe
    "C:\Users\Admin\AppData\Local\Temp\2ce9158850627f9719e666b3f93a1508443159828dcc0aab91110d608c67b893.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1694605.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1694605.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1379948.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1379948.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3800856.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3800856.exe
        3⤵
        • Executes dropped EXE
        PID:3484
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
    1⤵
      PID:1128

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1694605.exe
      Filesize

      316KB

      MD5

      84f06ccdbb2d5fdb2a49f4aa9c49fb28

      SHA1

      67b4bc46fd5f6e120e66f80032ffdc0784a7a11a

      SHA256

      780b058af6732aa20709cf7841a9cc4247bdce901004852db8d887b88a51324c

      SHA512

      2d43be1b3a9b4aec3ab56749046bcffb677bba146ad6a070c439ed330e3cead493b1827948ee41de2d010e14d79af62222a4e20876a379f2e5d4995b0d5914dc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1379948.exe
      Filesize

      184KB

      MD5

      d4c640fb500618ad6c9fc5fe7d3e784d

      SHA1

      850df0880e1685ce709b44afbbb365cab4f0fec4

      SHA256

      a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

      SHA512

      a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3800856.exe
      Filesize

      168KB

      MD5

      07fe7318aae84b6406c0f57ad3c3f660

      SHA1

      1f0c50e5a66c56c101601c4cd37666bc6e9b1969

      SHA256

      4e38ea31924b937cb440ea5a09dfa554b27e0dc6be06159777b627ccdcaa7d7c

      SHA512

      5708b88ed17113d128e80ef39de3444b66e87b0ab89c592019afbe0bdb095f55d7138bbfddeed2ff1fb2f426d618ae780875bf8558927cd0b86404a236c20b0f

      Download Submit

    • memory/1760-34-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-17-0x0000000004B80000-0x0000000005124000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1760-30-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-18-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1760-19-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-47-0x00000000741B0000-0x0000000074960000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1760-46-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-44-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-42-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-40-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-38-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-36-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-15-0x0000000002170000-0x000000000218E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1760-32-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-16-0x00000000741B0000-0x0000000074960000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1760-28-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-26-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-22-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-20-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1760-48-0x00000000741B0000-0x0000000074960000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1760-50-0x00000000741B0000-0x0000000074960000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1760-14-0x00000000741BE000-0x00000000741BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3484-54-0x0000000000070000-0x000000000009E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3484-55-0x0000000002270000-0x0000000002276000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3484-56-0x000000000A3C0000-0x000000000A9D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3484-57-0x0000000009EE0000-0x0000000009FEA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3484-58-0x0000000009E10000-0x0000000009E22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3484-59-0x0000000009E70000-0x0000000009EAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3484-60-0x00000000021F0000-0x000000000223C000-memory.dmp

      Filesize

      304KB

      Download