Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-11-2024 23:27
General
-
Target
6b22786187e242f25a3432440e61dc0b94f31ef6137b0a6ed0c9eacb694cac52.exe
-
Size
1.1MB
-
MD5
957405e615c07450d6ca83e683f4e5f7
-
SHA1
371440308982995a09dba20a6156ed84e184f495
-
SHA256
6b22786187e242f25a3432440e61dc0b94f31ef6137b0a6ed0c9eacb694cac52
-
SHA512
a8264a5428351fbeee65c89768633a6eebd2331b570a35caa04bed8129758b7f0d2b6cb698daa03ecee82d7c4b9117161fe929825920da970cacdb3369aa5b4d
-
SSDEEP
24576:Ey7bJVhSH+r17B0FkMJ9x1C630Vz5un7cpM9nM30I+Q3Xn34k:TPA2RB0Fkox1t0VJuHq34
Malware Config
Extracted
redline
doma
185.161.248.75:4132
-
auth_value
8be53af7f78567706928d0abef953ef4
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b22786187e242f25a3432440e61dc0b94f31ef6137b0a6ed0c9eacb694cac52.exe"C:\Users\Admin\AppData\Local\Temp\6b22786187e242f25a3432440e61dc0b94f31ef6137b0a6ed0c9eacb694cac52.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9499963.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9499963.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9208094.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9208094.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3640099.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3640099.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4148670.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4148670.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
750KB
MD5f5ebd86146b1f03a5e8fe7ca9a0ffe55
SHA1e4c382f20b00fe1fd50b127a8b05a3a7da63f336
SHA25650cd0361f6cceab470d5c2c6d72fd21a1139924f476d83b4b367b6fdb0545085
SHA51293ab1618b777327939b789e0f0a55768eac38a46333164f27ebce2653aade6327a412056dfd9d2445823f9d2fda13493be9a6b349e76cf0a5b64227146bbb61f
-
Filesize
304KB
MD568e79ef387b8bc8eb7d900b6fcdbb56b
SHA172da07f500328cfafe100f7562c3534d19e64255
SHA2563bf7f981355128928c06c3551acbd79428ee388335bba00fb485aab16a485770
SHA512154903da756b14469d96e80b71033464d49efaa03caa11eeb63646888b1d8ef91c26bf5cbdf37812f918e7108a408115e571d816e51e200d279f1093dbca7779
-
Filesize
183KB
MD575df6a4aaf5c63bc4f42ac5ec8ecc76a
SHA18d9da11aa11364c1b580b12faa446403f527ff83
SHA256d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05
SHA51272d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe
-
Filesize
145KB
MD5c8d5b2903b5e9b8c86d0a72889bd365b
SHA182c00795b6b4417f551e0ffc2a22bff43dc4a1c5
SHA256b1fc765041483d51a8fffc4d4d0dd6da40fa1dabb62bb26b643ea8986f3abb9b
SHA512cd4d85ebd3f1a3935ca407ebaf9f911af12ef23ef2cf1ac9c4fc540b627941aba335c399afe2e5b302273c1129ec4f32cbc8d43e0aef1b5cd0bdded9b1668a7d
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
168KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
120KB