Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 20:53
Static task: static1
Behavioral task: behavioral1
Sample: 3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe
Resource: win10v2004-20241007-en
General
Target: 3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe
Size: 874KB
MD5: 9a1735015de8ca1a8ae942d8441628dc
SHA1: 1352ccd140d376cb993bbf5590f41aab8ab8513f
SHA256: 3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a
SHA512: 5c3c96b1390cf93cf5f71579e180c2e81d6443c4452b4134e25b1ff1545eecc512cc1f6a5d4b4c269846d9bb833374bf54e74a04ca93637e34633c9aabb79296
SSDEEP: 24576:FyL+AXG8e34d0Epz3ssEt7MQqFqCUsx1wQNC5sd6ejy:gL+AXne3u/EtI9FqMC7+
Malware Config
Extracted: redline
dedu
185.161.248.75:4132
auth_value: 43fb2cf55df7896aeff6ce27ec070fea
Signatures
Modifies Windows Defender Real-time Protection settings
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (k6668171.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (k6668171.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (k6668171.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (k6668171.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (k6668171.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (k6668171.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
behavioral1/files/0x0007000000023cc3-54.dat (yara_rule: family_redline)
behavioral1/memory/4416-56-0x0000000000E30000-0x0000000000E5A000-memory.dmp (yara_rule: family_redline)
Redline family
Executes dropped EXE 4 IoCs
PID 756: y6601455.exe
PID 2396: y5498507.exe
PID 1260: k6668171.exe
PID 4416: l2108268.exe
Windows security modification
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (k6668171.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (k6668171.exe)
Adds Run key to start application 2 TTPs 3 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (y6601455.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (y5498507.exe)
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (y6601455.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (y5498507.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (k6668171.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (l2108268.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
PID 1260: k6668171.exe
PID 1260: k6668171.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, PID 1260 (k6668171.exe)
Suspicious use of WriteProcessMemory 12 IoCs
PID 4420 (3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe) wrote to memory of 756, procid_target 86
PID 4420 (3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe) wrote to memory of 756, procid_target 86
PID 4420 (3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe) wrote to memory of 756, procid_target 86
PID 756 (y6601455.exe) wrote to memory of 2396, procid_target 87
PID 756 (y6601455.exe) wrote to memory of 2396, procid_target 87
PID 756 (y6601455.exe) wrote to memory of 2396, procid_target 87
PID 2396 (y5498507.exe) wrote to memory of 1260, procid_target 88
PID 2396 (y5498507.exe) wrote to memory of 1260, procid_target 88
PID 2396 (y5498507.exe) wrote to memory of 1260, procid_target 88
PID 2396 (y5498507.exe) wrote to memory of 4416, procid_target 92
PID 2396 (y5498507.exe) wrote to memory of 4416, procid_target 92
PID 2396 (y5498507.exe) wrote to memory of 4416, procid_target 92
Processes
C:\Users\Admin\AppData\Local\Temp\3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3189a59a276fdb460ad64c9cf79e440cd1afd0735a58a129acbc8b4184317e2a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4420
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6601455.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6601455.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 756
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5498507.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5498507.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2396
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6668171.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6668171.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1260
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2108268.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2108268.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4416
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
Downloads
Filesize: 476KB
MD5: 5b76e680bdf2a7cf111053331ed1615b
SHA1: 67ce9c1f2377f3270b9632346964d06d8f3ea4d5
SHA256: a55d3137f7dcb22068edd28684a709e721d5dcb8e1c5e0514bdeb54cf822a39e
SHA512: c5a24a76c01497d659afabc39ede2caa29f629901812edabc7d7b411cb0a2c62206fbd1b53de1b4b1406f3c138ca703d43f716016d8110bcfccdc749d8fa40fb

Filesize: 305KB
MD5: 754f30df7c7de56bbfab9494e4fd89d4
SHA1: 0e5d744cb1d3a3c4e87f3c55020b32df2824a253
SHA256: 609d83d9c3cf9002734439b7667678a409a9538abd39dd3e1c8987d3ab4d009c
SHA512: 8abe11f83f52e6c7435d04af08261dade6cabab35d30cdfb52b8677e5d5a3e2ca002df2a00b2244c78e2846fa3642d27cc470ad35c25c50ba1348308a487d168

Filesize: 183KB
MD5: d18dd7e957d8eab39abe21eefd498331
SHA1: 2d7b11252dbb1ed8cefff8d63d447b0f697a0060
SHA256: 57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440
SHA512: c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Filesize: 145KB
MD5: f0657763ae5ba6f6ce8d2976d3176ae8
SHA1: 02a00768bb4cde187f862c70bebc810fe627b25f
SHA256: aaea85eeac53339b7e109dc54d4288f841aa77ec55c39db7fa7f210b6ca32006
SHA512: 7d60c01b5424f6ba9e54e982e05e47d780f40ff43cea8f71e1a5554ed30d78ac36c107fe4f072a345fcbebfdd14ae31a2906abc47ee29682cf8d6d96480b79ad