Overview

overview

10

Static

static

3

d947b533d0...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 23:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d947b533d06ba7324b0c3eacb1334f4ebe66c74995b16cb15c7a8a22f7ab3b10.exe

  • Size

    1.1MB

  • MD5

    343052f390d293ecabe995a70836c0dd

  • SHA1

    6444fa46a5047447304638cf64eedbbab630060c

  • SHA256

    d947b533d06ba7324b0c3eacb1334f4ebe66c74995b16cb15c7a8a22f7ab3b10

  • SHA512

    1258817059c1bd1b86fd87dd6f5995d4e39e2391c362789655956ca05a9a545ec5be5c241722b0a6521fe270da10b3eb4766fb6c980dc46380ae102f5628ee7f

  • SSDEEP

    24576:uyTSI0CHFCgFktR/LwVMsv9D5vKzx2QNg+m:9GykgFkr/LjsvmxD

Score
10/10
redlinedomadiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes
  • auth_value

    8be53af7f78567706928d0abef953ef4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d947b533d06ba7324b0c3eacb1334f4ebe66c74995b16cb15c7a8a22f7ab3b10.exe
    "C:\Users\Admin\AppData\Local\Temp\d947b533d06ba7324b0c3eacb1334f4ebe66c74995b16cb15c7a8a22f7ab3b10.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0811930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0811930.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6140389.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6140389.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1913178.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1913178.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1472
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6634860.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6634860.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0811930.exe
    Filesize

    749KB

    MD5

    4d9d3178f655891e86b45af7050c2b86

    SHA1

    51af9ac90499f5720d89fed68f220acc82818c26

    SHA256

    f4a2b482286206b654225874df44aa379fa5d6903bcb1692c234149c87f23d0a

    SHA512

    7756239644252588bc705d381bd9066a71322ede080026ea705c434c2d1383a44b84f6e498fedf1615463fffee35c3a57204d9f837f34cffe65a3a13a267b1a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6140389.exe
    Filesize

    304KB

    MD5

    92ba990bc987ac1969fe38d777385e2f

    SHA1

    02f9c805856ec4d99228ffc9cf7d5e64363772fc

    SHA256

    3468c9e83910147d68754e267c6029cf002ca4f6d11880b312dc3d51cbfb7bb0

    SHA512

    517cc23b91b0925d0e2fd92463aea53347a59d6687230ddec700d9bdd2ff161b48749dba75d9a1b00dddb36c74efc866b76aa8fe64f79d95d95a58854650580e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1913178.exe
    Filesize

    183KB

    MD5

    75df6a4aaf5c63bc4f42ac5ec8ecc76a

    SHA1

    8d9da11aa11364c1b580b12faa446403f527ff83

    SHA256

    d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

    SHA512

    72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6634860.exe
    Filesize

    145KB

    MD5

    ccb3343985135d42f8bd6de99ea46aa2

    SHA1

    21cdcb89a4b94836d8d9897b595159911aae3c81

    SHA256

    33aed69d7c76f37770ee4f58b7450133bda5fbd3f56ba6ff96e9f4e10a5b49e8

    SHA512

    4bbddce9a170765d352d5204cba4b1f2c2bff3e6d16279029797289f485340417061a2eef024a623c290bba0348775ad0ee866a3aa7eb9d542b4b02d2ea71096

    Download Submit

  • memory/1472-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-35-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-22-0x0000000004990000-0x0000000004F34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1472-47-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-46-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-51-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-33-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-31-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-27-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-25-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-23-0x0000000004F50000-0x0000000004F6C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1472-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-37-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-29-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-24-0x0000000004F50000-0x0000000004F66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1472-21-0x00000000020B0000-0x00000000020CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4236-56-0x0000000000360000-0x000000000038A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4236-57-0x00000000052D0000-0x00000000058E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4236-58-0x0000000004E30000-0x0000000004F3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4236-59-0x0000000004D60000-0x0000000004D72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4236-60-0x0000000004DC0000-0x0000000004DFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4236-61-0x0000000004F40000-0x0000000004F8C000-memory.dmp

    Filesize

    304KB

    Download