Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 14:03
Static task
static1
Behavioral task
behavioral1
Sample
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe
Resource
win11-20240802-en
General
-
Target
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe
-
Size
323KB
-
MD5
5ac3358abe03a6faa36599fe785b85b2
-
SHA1
e79bf35157e110c81a43af2f3b54d7a015f613b3
-
SHA256
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
-
SHA512
dc64db8b7e6e1f6154f37c6cae0dec3ad1dd3e0a3160951c7e7af8fc943e3bde2573aca6654f73a7818fd74160c87296c6514465acc3013a4e679cf33183ae09
-
SSDEEP
6144:+7wpoNEo95MvVJDcDkpc1RJsaCAHX0BDQdX82mwM3xy:7poNRWFcDc2CA30pQdXhu3xy
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
45.91.202.63:25415
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4708-3-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RegAsm.exefilename.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation filename.exe -
Executes dropped EXE 2 IoCs
Processes:
filename.exePath.exepid process 3504 filename.exe 1496 Path.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exedescription pid process target process PID 1040 set thread context of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exeRegAsm.exefilename.exePath.execmd.exetimeout.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language filename.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Path.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1532 timeout.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
RegAsm.exepid process 4708 RegAsm.exe 4708 RegAsm.exe 4708 RegAsm.exe 4708 RegAsm.exe 4708 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
RegAsm.exefilename.exePath.exedescription pid process Token: SeDebugPrivilege 4708 RegAsm.exe Token: SeDebugPrivilege 3504 filename.exe Token: SeDebugPrivilege 1496 Path.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exeRegAsm.exefilename.execmd.exedescription pid process target process PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 1040 wrote to memory of 4708 1040 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe RegAsm.exe PID 4708 wrote to memory of 3504 4708 RegAsm.exe filename.exe PID 4708 wrote to memory of 3504 4708 RegAsm.exe filename.exe PID 4708 wrote to memory of 3504 4708 RegAsm.exe filename.exe PID 3504 wrote to memory of 1496 3504 filename.exe Path.exe PID 3504 wrote to memory of 1496 3504 filename.exe Path.exe PID 3504 wrote to memory of 1496 3504 filename.exe Path.exe PID 3504 wrote to memory of 3744 3504 filename.exe cmd.exe PID 3504 wrote to memory of 3744 3504 filename.exe cmd.exe PID 3504 wrote to memory of 3744 3504 filename.exe cmd.exe PID 3744 wrote to memory of 1532 3744 cmd.exe timeout.exe PID 3744 wrote to memory of 1532 3744 cmd.exe timeout.exe PID 3744 wrote to memory of 1532 3744 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe"C:\Users\Admin\AppData\Local\Temp\c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\ProgramData\Path\Path.exe"C:\ProgramData\Path\Path.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA232.tmp.cmd""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\timeout.exetimeout 65⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1532
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
426KB
MD5556a8b2afef96f81acde6ca1a525650e
SHA1262909e4686aba13de7ca5a2bf187871fc4fe63b
SHA256b867d368d4597334a036b46816473be270d6779db2428aae75053af8cacf1e85
SHA51252a954cf545b6bfc2057a09b858074bd1dcedd75a3983dff14bc9e72b2da47c375f30568a9310e2751e57291e9186b39d5b8d228f855102631ab95f9743b33d9
-
Filesize
160B
MD5654ffd7a93934653fb9669a9f2d9e1aa
SHA1d9a9e8ca983c57277b8c26c8473e7baef4dbc3dd
SHA25691261ec499ef65029a19d3ba9df9e2fd728bd592920d7a821f5f7bb7cc3337ae
SHA512397dfac20b7cc60875a16101dd5bb2d717fe34b81e81f3e53c3190fb67a982cde9adeed612562a66deb94b9207444068a2e6819e04f7341fa05f3d68a0c5c825