Analysis

max time kernel: 132s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 22:03

Static task: static1
Behavioral task: behavioral1
Sample: 2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe
Resource: win10v2004-20241007-en
General

Target: 2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe
Size: 479KB
MD5: e821de3920101930f276babb770be5d9
SHA1: 946be878107032eea4d9d487e6689bf60b421eba
SHA256: 2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414
SHA512: 43eee2b89a56e8d1db9d07ca1e73dedd34642273bc6dd528284fe1cde5c98436dd193ac82e5eec210ed203e238a80ce36737496ada192e373c912503882ac82b
SSDEEP: 12288:8Mr4y90IFnDSTEnL0kJmCNqN2cFVwcBw8g:EyPFIk7qEcFec7g
Malware Config

Extracted
Family: redline
diwer
217.196.96.101:4132
auth_value: 42abfa9e4f2e290c8bdbc776fd9bb6ad
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2275454.exe                     family_redline
  behavioral1/memory/2460-15-0x00000000006B0000-0x00000000006E0000-memory.dmp   family_redline

Redline family

Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  3036   x2358444.exe
  2460   g2275454.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: 2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  process: x2358444.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   x2358444.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   g2275454.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description       pid    process                                                                 target pid   target process
  wrote to memory   2176   2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe   3036         x2358444.exe
  wrote to memory   2176   2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe   3036         x2358444.exe
  wrote to memory   2176   2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe   3036         x2358444.exe
  wrote to memory   3036   x2358444.exe                                                            2460         g2275454.exe
  wrote to memory   3036   x2358444.exe                                                            2460         g2275454.exe
  wrote to memory   3036   x2358444.exe                                                            2460         g2275454.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dc4a356558b229e53998e6c114b3697aa1cf08f3da6122b2d3c5b01c9790414.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2176

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2358444.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2358444.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3036

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2275454.exe  (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2275454.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2460
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 307KB
MD5: 0840e9dcd75121c32a5d7a4871500152
SHA1: 67ce5ce53304bf284ccfba27e6a1cdb8b360c63b
SHA256: bc028e2f41ebb0838fc5eec10ccf90383ca4cc4cbc4d8d19e5d7cb5599b132bc
SHA512: 4675cae3742ed62ce3d997f4879db2337e01b68671a08339722e7f134ea742eeffd4b080ceff27c0e6413569e23f78d65961364e426786efe3fe4d3214e5f8ee

Filesize: 168KB
MD5: fec626e1ddc4aac7e6e26cf97d0fd3f0
SHA1: e240626ac0158f3da482f1d078c134e47b46af8c
SHA256: c828367fe1ab48ba851da06cbe9397babb915cf52c4ab135818088c85bff164a
SHA512: caa37fda143f48e644586ed1042583136df32b19129cb59a7e37dbec578c46aa74fa9c2d644119da85f7860c6f9ed03bd967dc8dd16203ed6f9df5cd04e693f4