Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2023 13:09

Static task: static1

Behavioral task: behavioral1
Sample: a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
Resource: win7-20230621-en

Behavioral task: behavioral2
Sample: a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
Resource: win10v2004-20230621-en
General
Target: a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
Size: 572KB
MD5: 12564dba5b3178c75a6a96a582f94c5b
SHA1: 003817ee6dac145edf947b062bc9b25653d32613
SHA256: a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a
SHA512: 5402ce66c56b8612887a1f28e1f5bf695867b1993d61b8d2d03c01d8c01fb1f270b101e85358c65ed27fc7f037f780b1290cac010c107f8339e3393e3157e5b9
SSDEEP: 12288:PMrcy90ic73VvlgFq5RMdM3pxSu2TaQIXpQSIimiD:3ynitggNZI3KdIx8
Malware Config
Extracted
Family: redline
Botnet: duza
C2: 83.97.73.129:19071
auth_value: 787a4e3bbc78fd525526de1098cb0621
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
Processes (pid, process):
1924  x5268627.exe
2932  x3887218.exe
2756  f5282036.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description, ioc, process):
Key created (x3887218.exe): \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str) (x3887218.exe): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Key created (a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe): \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str) (a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Key created (x5268627.exe): \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str) (x5268627.exe): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
PID 4272 wrote to memory of 1924  4272 a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe -> x5268627.exe
PID 4272 wrote to memory of 1924  4272 a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe -> x5268627.exe
PID 4272 wrote to memory of 1924  4272 a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe -> x5268627.exe
PID 1924 wrote to memory of 2932  1924 x5268627.exe -> x3887218.exe
PID 1924 wrote to memory of 2932  1924 x5268627.exe -> x3887218.exe
PID 1924 wrote to memory of 2932  1924 x5268627.exe -> x3887218.exe
PID 2932 wrote to memory of 2756  2932 x3887218.exe -> f5282036.exe
PID 2932 wrote to memory of 2756  2932 x3887218.exe -> f5282036.exe
PID 2932 wrote to memory of 2756  2932 x3887218.exe -> f5282036.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
Filesize: 471KB
MD5: 7c2022b431992b87c9bfe56acd958b2d
SHA1: 2251d216822746bfdfb08845860f2ba964212301
SHA256: bc98d50724270445861a310c2a15ffec6f1f2d5cbe72e3114757394920bae858
SHA512: e9f8e2575a88cb669369fc0268e5d695a1e0e2778b8940fcc66b854150f71aa61d907948e545d3701036b13237f68d1bdb563e372c1c2e4d5891525c99e9a427

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
Filesize: 277KB
MD5: a4abe97444471186b3406386fd6c7d2f
SHA1: f0ba26aabd9d72f31d96a05ef7978245c34c34aa
SHA256: 56fbf1992e5615f8894f56738ed59770882115b07b77bee4ff0f16388f80f86c
SHA512: 746ec9f0a931371889ec09d8997287d2c9b2aec7844ba536037d9f6bcec575f6e05e3e1e62e8219969e91456d4f4042713a24016b89e020e13267fa74ee62762

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
Filesize: 173KB
MD5: a8a80fd5138a0bada9ae3f72f8daf7af
SHA1: bbf4b9f3bc0099bea935f3fd1387bb524ab94b6b
SHA256: aac3a769d9afeb55271d1e03ccb5d75bcabf125c2acd238f6993096d6382633c
SHA512: af6f1949f52d7ddaee3a46b6d23550d47756d448ab80666699b4cb8e103382c4133cd015316d9d05f9591907d1a429a0a04007fa0ea1d36b4a46bf1b2c81d74a

Memory dumps (pid 2756):
memory/2756-154-0x0000000000D30000-0x0000000000D60000-memory.dmp  Filesize: 192KB
memory/2756-155-0x000000000AFF0000-0x000000000B608000-memory.dmp  Filesize: 6.1MB
memory/2756-156-0x000000000AB70000-0x000000000AC7A000-memory.dmp  Filesize: 1.0MB
memory/2756-157-0x000000000AAB0000-0x000000000AAC2000-memory.dmp  Filesize: 72KB
memory/2756-158-0x0000000005620000-0x0000000005630000-memory.dmp  Filesize: 64KB
memory/2756-159-0x000000000AB10000-0x000000000AB4C000-memory.dmp  Filesize: 240KB
memory/2756-160-0x0000000005620000-0x0000000005630000-memory.dmp  Filesize: 64KB