Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2023, 13:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe
- Resource: win10v2004-20230915-en
General
- Target: 7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe
- Size: 1.0MB
- MD5: 2b93b37d76b5c1e2505269178244f698
- SHA1: 611242a662d48070e35f8a27a3aa064db65b0be4
- SHA256: 7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc
- SHA512: d030d526eb817dd9151e1e40079f29ea711be7b636b41574cc0034e1211fdc260ec81644d13417c7ccfc1df88668f9e211063521317caa8e3d9f4fc83b2f3b7d
- SSDEEP: 24576:qy4lQcjbX99MKasX4puRZrpkpSoAcZMn:x4lQcLlasX4CZt0Rr
Malware Config
Extracted (redline)
- tuxiu
- 77.91.124.82:19071
- auth_value: 29610cdad07e7187eec70685a04b89fe
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x0006000000023266-33.dat: family_redline
  - behavioral1/files/0x0006000000023266-35.dat: family_redline
  - behavioral1/memory/808-36-0x0000000000070000-0x00000000000A0000-memory.dmp: family_redline
- Executes dropped EXE (5 IoCs)
  pid / Process:
  - 708: x0034734.exe
  - 4384: x9023988.exe
  - 4200: x7019421.exe
  - 4188: g9434273.exe
  - 808: h3997627.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x0034734.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (x9023988.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (x7019421.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  - PID 4188 set thread context of 1460 / 4188 / g9434273.exe / 88
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
  - 1452 / 4188 / WerFault.exe / 86
  - 4512 / 1460 / WerFault.exe / 88
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target (identical rows grouped, count in parentheses):
  - PID 3516 wrote to memory of 708 / 3516 / 7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe / 82 (3 rows)
  - PID 708 wrote to memory of 4384 / 708 / x0034734.exe / 84 (3 rows)
  - PID 4384 wrote to memory of 4200 / 4384 / x9023988.exe / 85 (3 rows)
  - PID 4200 wrote to memory of 4188 / 4200 / x7019421.exe / 86 (3 rows)
  - PID 4188 wrote to memory of 1460 / 4188 / g9434273.exe / 88 (10 rows)
  - PID 4200 wrote to memory of 808 / 4200 / x7019421.exe / 94 (3 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7f1d00a862354132c7fd1d687127029e2def00fff1c86859d93297e1040744cc.exe"
  PID: 3516
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0034734.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0034734.exe
    PID: 708
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9023988.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9023988.exe
      PID: 4384
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7019421.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7019421.exe
        PID: 4200
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9434273.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9434273.exe
          PID: 4188
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 1460
            - C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 200
              PID: 4512
              - Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 556
            PID: 1452
            - Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3997627.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3997627.exe
          PID: 808
          - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4188 -ip 4188
  PID: 1836
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460
  PID: 3356
Network
MITRE ATT&CK Enterprise v15
Downloads