Overview

overview

10

Static

static

3

0d6ae7d3e5...46.exe

windows10-2004-x64

10

14841ccb83...75.exe

windows10-2004-x64

10

18e108c298...24.exe

windows7-x64

3

18e108c298...24.exe

windows10-2004-x64

10

2945802616...90.exe

windows10-2004-x64

10

3278025d1e...83.exe

windows10-2004-x64

10

3977873bc2...45.exe

windows10-2004-x64

10

3ee99efba0...30.exe

windows7-x64

3

3ee99efba0...30.exe

windows10-2004-x64

10

4111ebb7fa...25.exe

windows7-x64

3

4111ebb7fa...25.exe

windows10-2004-x64

10

5f784993eb...f4.exe

windows10-2004-x64

10

614cff5590...9a.exe

windows10-2004-x64

10

6286d393c9...52.exe

windows7-x64

3

6286d393c9...52.exe

windows10-2004-x64

10

6db47e7857...ad.exe

windows10-2004-x64

10

a0808edece...c8.exe

windows7-x64

3

a0808edece...c8.exe

windows10-2004-x64

10

a510057561...96.exe

windows10-2004-x64

10

d5f7db4382...70.exe

windows10-2004-x64

10

da4db9abb9...ce.exe

windows7-x64

3

da4db9abb9...ce.exe

windows10-2004-x64

10

ebfcc654cd...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 11:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a510057561b44d36bd440745b4ad2a685c2d3db022032dc54586c96a3cae4896.exe

  • Size

    769KB

  • MD5

    bae0e7cc8632ec0d3567370dbd9c1888

  • SHA1

    097e313faf79ed043a66e80f181303d3156291df

  • SHA256

    a510057561b44d36bd440745b4ad2a685c2d3db022032dc54586c96a3cae4896

  • SHA512

    a3f5598565af81f2c5c485dde39705011db7a1572ab437c43a73116c4063a5a6932842315ced8c4ac1aa6f2b64a0c162830143c098ce9c372517560c253fdd72

  • SSDEEP

    12288:hMrvy90390YhABZS1mX5sMfUnpJrvfKMJjeFGKcBKjiNJ93UOEknWR4+:ayIPhABZQm1fGJLKM+GLBKjmnnNW++

Score
10/10
redlinemixaevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a510057561b44d36bd440745b4ad2a685c2d3db022032dc54586c96a3cae4896.exe
    "C:\Users\Admin\AppData\Local\Temp\a510057561b44d36bd440745b4ad2a685c2d3db022032dc54586c96a3cae4896.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2752601.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2752601.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0295313.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0295313.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8785240.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8785240.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1152
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5257898.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5257898.exe
          4⤵
          • Executes dropped EXE
          PID:1668
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
    1⤵
      PID:4184

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2752601.exe
      Filesize

      488KB

      MD5

      fa694f09ad9cbc795cf5847c2aad65ca

      SHA1

      82c92871b9455cf04223964abf1e99cc611fe9cd

      SHA256

      08cbe5ab70ca678ca3ae75e50cfad977ef28f6f68ea4f2aed97db697d832e82c

      SHA512

      60f6ad53e2b13cc98874f625402df92c0d1278a50c479bcd703ce25b45d8eec747b1df972bc0b1a9bfa2df1fc5e75dfddcd38ba039f95d6a2fe23746cc5660f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0295313.exe
      Filesize

      316KB

      MD5

      473f819209e2b739e186e49c007b0500

      SHA1

      a0a9d81885ff41dd92727df0edea5f8956d3cc9b

      SHA256

      ea47879989afdae64e6a2fd1bdd521ed8a7eee7611d92cfa24311d7f31d22c93

      SHA512

      54401da33c393750646bd884ec253603b8cfb358b66ac8da6676c06d37d14cbcc89b84656a903bded8b8f3b50e024ebfbb7411635f715c275c7d6c9bafa92a13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8785240.exe
      Filesize

      184KB

      MD5

      d4c640fb500618ad6c9fc5fe7d3e784d

      SHA1

      850df0880e1685ce709b44afbbb365cab4f0fec4

      SHA256

      a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

      SHA512

      a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5257898.exe
      Filesize

      168KB

      MD5

      9c82d0e3f5532b2d92d444d089b0e2f4

      SHA1

      02ed918b046380208e03890940ed2c183537cb27

      SHA256

      74e2e262a4e787bb8bc5f79088998cec212ea46227691c8a9e8dc93578ac09f9

      SHA512

      6368b124156b610a5b83fcae9b10236eae42f7777da753a506c65519352990f032af8e7737b9a024e5a5581991a66ba7f3876699a112c8b61730400b0f10726c

      Download Submit

    • memory/1152-51-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-29-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-48-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-22-0x0000000004960000-0x0000000004F04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1152-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-45-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-37-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-35-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-33-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-31-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-23-0x0000000004F50000-0x0000000004F6C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1152-27-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-25-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-24-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-21-0x0000000002350000-0x000000000236E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1668-56-0x0000000000130000-0x000000000015E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1668-57-0x0000000004950000-0x0000000004956000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1668-58-0x0000000005200000-0x0000000005818000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1668-59-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1668-60-0x0000000004C00000-0x0000000004C12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1668-61-0x0000000004C60000-0x0000000004C9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1668-62-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

      Filesize

      304KB

      Download