Overview

overview

10

Static

static

3

0cc30df7f6...35.exe

windows10-2004-x64

10

149cd41e04...01.exe

windows10-2004-x64

10

224cc5582a...c7.exe

windows10-2004-x64

10

2489ba0556...26.exe

windows10-2004-x64

10

24bb66f25f...0a.exe

windows7-x64

3

24bb66f25f...0a.exe

windows10-2004-x64

10

3ec1481872...d9.exe

windows10-2004-x64

10

44efe38f04...65.exe

windows10-2004-x64

10

58538be19f...b1.exe

windows10-2004-x64

10

585b7ec0bc...17.exe

windows10-2004-x64

10

5f9071e3a8...93.exe

windows7-x64

3

5f9071e3a8...93.exe

windows10-2004-x64

10

628eb5e58d...90.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

77b8709187...06.exe

windows7-x64

3

77b8709187...06.exe

windows10-2004-x64

10

80a61aa8cf...4c.exe

windows10-2004-x64

94a701520b...a3.exe

windows10-2004-x64

10

a28e9417b3...3c.exe

windows10-2004-x64

10

d9d3f90c8c...39.exe

windows7-x64

3

d9d3f90c8c...39.exe

windows10-2004-x64

10

f02b51da6b...9b.exe

windows10-2004-x64

10

f358ce518b...e2.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a28e9417b361c758d0b891938a206a546508d3343b8205873f07d50ee02a0b3c.exe

  • Size

    769KB

  • MD5

    8732cc39ea99d0615df368eaa4c20abc

  • SHA1

    4141a2bf5cff04f0362e8b3ba852048bd27b793d

  • SHA256

    a28e9417b361c758d0b891938a206a546508d3343b8205873f07d50ee02a0b3c

  • SHA512

    c4548dafe3362f9ae224fc9c7f70f344d1fd965fd38ac69cf274e0fc230543f4468cd016ecf6c610c8bacf5f730c3c0200d04d5c84eb11fc9a2abbd2d7f11328

  • SSDEEP

    12288:hMruy90qIRYa76rKOTZCfFruHWUXstomukpf7YXch7QSqTkE/8lroHl:XydicKQZCFigam9fMsh7oAMAoHl

Score
10/10
redlinemixaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a28e9417b361c758d0b891938a206a546508d3343b8205873f07d50ee02a0b3c.exe
    "C:\Users\Admin\AppData\Local\Temp\a28e9417b361c758d0b891938a206a546508d3343b8205873f07d50ee02a0b3c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2522644.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2522644.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565523.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565523.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:384
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2051526.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2051526.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2116
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8991923.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8991923.exe
          4⤵
          • Executes dropped EXE
          PID:720
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2522644.exe
    Filesize

    488KB

    MD5

    247f9586f4eb5afd06c97ca283661ab6

    SHA1

    9614ca472a7578dbaf82123454cc7f3ec227d631

    SHA256

    e50229ae810e4ca9fea69dbb2c9c964cfb85ddd1a8bd885bf8beedb496393253

    SHA512

    68f235922e3de20809160638b3acefaf02c0b260925ced641bb041cf8aa758077fad048fd4c06c54edbe3563b0ba96a6d86c7b763985501b7ea5a9bab89e6470

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0565523.exe
    Filesize

    316KB

    MD5

    78c5fed6720bb71a532cfc30f99a1ae3

    SHA1

    de307b619e6e40f9ebea86a79fd3af1b6d8f02d3

    SHA256

    a1fa8776d2234540b4b06a6175a58b01a25370868f808e796d7bcbfdfeacebff

    SHA512

    34cff8dac371277878e88971060be5df1ab7c51fa829f91ba09dba1f5e8dc119b466aba95586fd25d589f61c054f6d434a8b09176006a6a6e3e4257c70dcc5ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2051526.exe
    Filesize

    184KB

    MD5

    d4c640fb500618ad6c9fc5fe7d3e784d

    SHA1

    850df0880e1685ce709b44afbbb365cab4f0fec4

    SHA256

    a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

    SHA512

    a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8991923.exe
    Filesize

    168KB

    MD5

    451663ed9afb726647c8db185da671ff

    SHA1

    5af25150891354f29a6ce1dd63609d2603adde60

    SHA256

    cf2e3d105554107c3585dc9540ab6f27b2ab98297c4c9076510e29da174dc50c

    SHA512

    8edada9a79d5b8229ca218dbcfe01267a766dc653bc855e39952dadcd97de534db61717f8f17661ab51b050517fb3d4b0d3e8464f73a1296b4e66c452d3fa2da

    Download Submit

  • memory/720-62-0x0000000002630000-0x000000000267C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/720-61-0x000000000A0B0000-0x000000000A0EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/720-60-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/720-59-0x000000000A180000-0x000000000A28A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/720-58-0x000000000A690000-0x000000000ACA8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/720-57-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/720-56-0x0000000000290000-0x00000000002BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2116-25-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-24-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-40-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-37-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-35-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-33-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-29-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-27-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-41-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-43-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-47-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-49-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-51-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-45-0x00000000049A0000-0x00000000049B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2116-22-0x00000000049F0000-0x0000000004F94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2116-21-0x0000000002170000-0x000000000218E000-memory.dmp

    Filesize

    120KB

    Download