Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 00:03
Static task: static1
Behavioral task: behavioral1
- Sample: 6f4f7db0f95e16b745df4034d1b2dc00N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 6f4f7db0f95e16b745df4034d1b2dc00N.exe
- Resource: win10v2004-20240709-en
General
- Target: 6f4f7db0f95e16b745df4034d1b2dc00N.exe
- Size: 684KB
- MD5: 6f4f7db0f95e16b745df4034d1b2dc00
- SHA1: 3a791995b4e6dccf55d2ebc63af8688aa2b40bfe
- SHA256: 034d5d766b238babd10e5d830ed4cdf7e89a4101a6b5ac562207bc1462216e36
- SHA512: 019866af4b6cc07c0b6eac17248247700eecfa3fdc60907f0ce6383e3a4abc28de4e6acc21c3dd2d0b0b224c95c70de397ee740fdd50c8aafa5a1ef8cc39470e
- SSDEEP: 12288:4nADcvRLJ9/qrXlUe2GL34GdQId1YWZzp6fnXCLNGMqsmGAmR:rgZt9/qri3G7Q5Ap6P45mZ
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
    resource: behavioral2/memory/1652-1-0x0000000000400000-0x0000000000484000-memory.dmp
    yara_rule: family_redline
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 3136 set thread context of 1652
    pid / process: 3136 6f4f7db0f95e16b745df4034d1b2dc00N.exe
    target process: RegAsm.exe (PID 1652)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 6f4f7db0f95e16b745df4034d1b2dc00N.exe
    description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid / process: 1652 RegAsm.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (pid 1652, RegAsm.exe; 31 entries, listed in order of occurrence):
    Token: SeDebugPrivilege (1 entry)
    then six repetitions of the sequence: Token: SeBackupPrivilege (1 entry), Token: SeSecurityPrivilege (4 entries)
    totals: SeDebugPrivilege 1, SeBackupPrivilege 6, SeSecurityPrivilege 24
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description: PID 3136 wrote to memory of 1652
    pid / process: 3136 6f4f7db0f95e16b745df4034d1b2dc00N.exe
    target process: RegAsm.exe (PID 1652)
    (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f4f7db0f95e16b745df4034d1b2dc00N.exe (PID 3136)
   command line: "C:\Users\Admin\AppData\Local\Temp\6f4f7db0f95e16b745df4034d1b2dc00N.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1652, child of PID 3136)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken