Resubmissions
20-05-2024 13:36
240520-qv95eacd59 10 Analysis
- max time kernel: 16s
- max time network: 19s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-05-2024 13:36
Behavioral task: behavioral1
- Sample: RedlineBuilder.exe
- Resource: win10v2004-20240426-en
Behavioral task: behavioral2
- Sample: RedlineBuilder.exe
- Resource: win11-20240419-en
General
- Target: RedlineBuilder.exe
- Size: 308KB
- MD5: 128cbb0f113189a8af347f14cb223357
- SHA1: 7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7
- SHA256: a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e
- SHA512: 1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35
- SSDEEP: 3072:+gccZqf7D34up/0+mAxkynW2Qlg7g6B1fA0PuTVAtkxzr3RceqiOL2bBOAK:AcZqf7DIWnGN8B1fA0GTV8khkL
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 1 IoCs
  resource: behavioral2/memory/4468-1-0x0000000000230000-0x0000000000284000-memory.dmp
  yara_rule: family_redline
- Program crash 1 IoCs
  pid: 2320, pid_target: 4468, Process: WerFault.exe, procid_target: 78
- Enumerates system info in registry 2 TTPs 3 IoCs
  description: Key opened, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, Process: msedge.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, Process: msedge.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName, Process: msedge.exe
- Modifies registry class 1 IoCs
  description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache, Process: MiniSearchHost.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid: 4564, Process: msedge.exe
  pid: 1540, Process: msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  pid: 1540, Process: msedge.exe
- Suspicious use of FindShellTrayWindow 26 IoCs
  pid: 1540, Process: msedge.exe
- Suspicious use of SendNotifyMessage 12 IoCs
  pid: 1540, Process: msedge.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid: 4828, Process: MiniSearchHost.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  description: PID 1540 wrote to memory of 4016, pid: 1540, Process: msedge.exe, procid_target: 89
  description: PID 1540 wrote to memory of 2480, pid: 1540, Process: msedge.exe, procid_target: 90
  description: PID 1540 wrote to memory of 4564, pid: 1540, Process: msedge.exe, procid_target: 91
  description: PID 1540 wrote to memory of 4156, pid: 1540, Process: msedge.exe, procid_target: 92
Processes
- "C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe"
  PID: 4468
  - C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 892
    Program crash
    PID: 2320
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468
  PID: 1768
- "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  PID: 4828
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  Enumerates system info in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  PID: 1540
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7e4e3cb8,0x7ffa7e4e3cc8,0x7ffa7e4e3cd8
    PID: 4016
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
    PID: 2480
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    Suspicious behavior: EnumeratesProcesses
    PID: 4564
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
    PID: 4156
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    PID: 2936
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    PID: 4044
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
    PID: 2700
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,9786820790101289028,10641250323611041063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
    PID: 4780
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5040
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads