redline | 66821762b2a591d0a9feba7726e852660e185a1f158f742fc459ee129cad4226

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
Size

479KB
MD5

4097f39b2f4df3413e17f2edde16ef80
SHA1

87034f08e1d3d5a39d2c9b1ee55de70ab782b9e3
SHA256

66821762b2a591d0a9feba7726e852660e185a1f158f742fc459ee129cad4226
SHA512

9a655ad0d7381e050006f6468d68aee3534e5205b7ebed9c79a9aa51fc0a5f5849aecd1186c39b9fa7c6990f61eb77b3a3e8dc07064688cc3331efaec05d9712
SSDEEP

12288:YMrcy90XjE0KA0o4heYFe86n5xXT2ayW93iD:UygL0YY4Lj2aeD

Score

10^/10

redline dumud infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023429-12.dat	family_redline
behavioral1/memory/4456-15-0x0000000000D50000-0x0000000000D80000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
1656	x3167573.exe
4456	g7847907.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3167573.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1656	1320	4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe	83
PID 1320 wrote to memory of 1656	1320	4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe	83
PID 1320 wrote to memory of 1656	1320	4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe	83
PID 1656 wrote to memory of 4456	1656	x3167573.exe	84
PID 1656 wrote to memory of 4456	1656	x3167573.exe	84
PID 1656 wrote to memory of 4456	1656	x3167573.exe	84

C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4097f39b2f4df3413e17f2edde16ef80_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe
    3⤵
    - Executes dropped EXE
    PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3167573.exe

Filesize
307KB

MD5
b16e53bf8c31df4612c6d929fe180180

SHA1
89b65a826c47294d98c3377d4255588874e126d8

SHA256
7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77

SHA512
c0b0173bf1440693c36fa7c0cbc76ba8643a2487694eb69255181433d69b29ffcf6089c49604600331570ad5a886f176052e79e7dbcc5e4219e0db4e17fb49b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7847907.exe

Filesize
168KB

MD5
81f68822d19104305bdd0882aba3403e

SHA1
d94d613353d62c5df63f5df88185c47dd307346a

SHA256
c1874b4ff67ae37ad64be9f96b29c74c981575880f73521825cafd32c0123e99

SHA512
f6808c8fe0d0bf3b23cb197af13600b57e7cc38b4cb833edbb4a9a33871b12538a40db2c885244ea276d764db4b00a476108daf59a6229bb14274dabc021a116

Download Submit
memory/4456-14-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/4456-15-0x0000000000D50000-0x0000000000D80000-memory.dmp

Filesize
192KB

Download
memory/4456-16-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download
memory/4456-17-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/4456-18-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/4456-19-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/4456-20-0x0000000005870000-0x00000000058AC000-memory.dmp

Filesize
240KB

Download
memory/4456-21-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4456-22-0x0000000005A10000-0x0000000005A5C000-memory.dmp

Filesize
304KB

Download
memory/4456-23-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/4456-24-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads