Overview

overview

10

Static

static

3

8811c70c33...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8811c70c333468024f208d2de581e0e8387653980fdc15cf7c6564c2dc134156.exe

  • Size

    1.1MB

  • MD5

    062c6511014f1aa596138ae8112058b3

  • SHA1

    458a98f9be2697b2cdcc4ca382accdd5e4578bd5

  • SHA256

    8811c70c333468024f208d2de581e0e8387653980fdc15cf7c6564c2dc134156

  • SHA512

    b42dc96ec2ea2d43f389af9ec47eba8fa5796dab9c2ad3635bcf043b0b9377327ba4916471c50b7cf8267b6f95aa1a5a23f53c86ec6fecf92658886082558a71

  • SSDEEP

    24576:LytjaKUU1ySw9FkZ61h45v0/Oovem1PB/n5SgkTGOU:+p9UU1y9FkZ61exjoBPBkiO

Score
10/10
redlinedomadiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes
  • auth_value

    8be53af7f78567706928d0abef953ef4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8811c70c333468024f208d2de581e0e8387653980fdc15cf7c6564c2dc134156.exe
    "C:\Users\Admin\AppData\Local\Temp\8811c70c333468024f208d2de581e0e8387653980fdc15cf7c6564c2dc134156.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2998180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2998180.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8925082.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8925082.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0591768.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0591768.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5004
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3142054.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3142054.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2998180.exe
    Filesize

    748KB

    MD5

    2789406c1f976bc9ab326a3b85344115

    SHA1

    afc0598602ae160aafdec7aacbb6fd35ffa57828

    SHA256

    a82063ed5b7cffae5351ad522376474be318912be0550c7f7506cd7b609bf8c9

    SHA512

    86da5ae674c6c43e664046be479036b8e58d1758fa15b61e1ff477534fd4ab17b105ca249fa27a39fc643b2d02246ef1104ae5369ffc253908ff7f35280d430b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8925082.exe
    Filesize

    304KB

    MD5

    e223cdb80638a9ff7ec9c43276eaff3e

    SHA1

    d477db4ad013eed4698cfc7e97f99597d78591a3

    SHA256

    3aae4372db32ef08b6d99d5f23419fe4a9692f0ad811fd417329ea7f5f8227de

    SHA512

    060dc13264ac5fac1fed8ea6ca2b6fbdb71f57a2309aad581833d60b69fd56b9ed5574537b5b2c9d52ee3a696bf21fea58b07a66fc0a1af55329559e628a3dfa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0591768.exe
    Filesize

    183KB

    MD5

    75df6a4aaf5c63bc4f42ac5ec8ecc76a

    SHA1

    8d9da11aa11364c1b580b12faa446403f527ff83

    SHA256

    d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

    SHA512

    72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3142054.exe
    Filesize

    145KB

    MD5

    77636bf4f10df3cc5ec24ea3d592d1a3

    SHA1

    43cfd545926169ce72f7a43f9308afcd1369a7e7

    SHA256

    ff96e56a6795d8bd1892ad47f44806c481b3b3d85ba06e8361aed3bf7ed3ecd8

    SHA512

    c640705ab5565c7e7c45348bb8d55bf01cfcbf6df99a80fda608db8bd1f12d8e6637b5a818cac7609b827ed1e234cb9515501c13b0817f74de58312def716a48

    Download Submit

  • memory/780-61-0x0000000005170000-0x00000000051BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/780-60-0x0000000004FF0000-0x000000000502C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/780-59-0x0000000004F90000-0x0000000004FA2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/780-58-0x0000000005060000-0x000000000516A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/780-57-0x00000000054E0000-0x0000000005AF8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/780-56-0x0000000000590000-0x00000000005BA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/5004-51-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-25-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-39-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-37-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-35-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-33-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-31-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-29-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-27-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-41-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-24-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-43-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-45-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-47-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-49-0x0000000002590000-0x00000000025A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/5004-23-0x0000000002590000-0x00000000025AC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/5004-22-0x0000000004B30000-0x00000000050D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5004-21-0x00000000020F0000-0x000000000210E000-memory.dmp

    Filesize

    120KB

    Download