Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 10:51
General
-
Target
9fb2b2abe9182369cedf29de25ce92167b395093c263747e417dda8f4d3a4775.exe
-
Size
1.1MB
-
MD5
a4b3d94fa4d058ef10abf3a3391d9982
-
SHA1
0f1dba76f81814f9f8d5701e2ef824081015f5be
-
SHA256
9fb2b2abe9182369cedf29de25ce92167b395093c263747e417dda8f4d3a4775
-
SHA512
095aef6ddbfa89b0b73eb1745bb9d01ad125e94abf6c5cef784b2c306a048face02a0145469814ad31c613a5a4bfd353d8f48df63646d9d8a57787b03bc29370
-
SSDEEP
24576:EyHGfP2chxjpCQW7CFkmvDHAD6T4Et81VMMW2V:THG3J5+7CFkIAD6T4EOVt
Malware Config
Extracted
redline
doma
185.161.248.75:4132
-
auth_value
8be53af7f78567706928d0abef953ef4
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fb2b2abe9182369cedf29de25ce92167b395093c263747e417dda8f4d3a4775.exe"C:\Users\Admin\AppData\Local\Temp\9fb2b2abe9182369cedf29de25ce92167b395093c263747e417dda8f4d3a4775.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1146570.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1146570.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7349411.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7349411.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6427279.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6427279.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6720111.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6720111.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
748KB
MD5966dae0c730dc11d0c052cd27301afa3
SHA1d7a931902e8fb58b61aafd9d40ba35448fd30ce6
SHA256a0b0188ce636e8a6f691ccaf1e0a77190fc0b3cef37a76c5271f965eae7c6e68
SHA512027d3ecb39c721bb457a3ce8d1230cb28fd67649f28cd0de9cb76e0caea53cff3566f1583dad80cee925804aba1410c0d074b8417c0f5d695498515ba04b8818
-
Filesize
304KB
MD52c48b4299fe36948aeff1cbac0ee39bf
SHA17bba03d411dbab71b873b3627628da9a78e4e1b0
SHA256233b3141fc98d52aee003b4e512e584739e80cdab2a4dc15a33830ef49ce7d61
SHA5122201413a31413a300b585f3b9f8b7d91e1f9d9bf167d0a6dac546c5d53afdf1e75aab27f800decd6dc6476010c156d4dea3261539a117292ea8414e7d9cb01d5
-
Filesize
183KB
MD575df6a4aaf5c63bc4f42ac5ec8ecc76a
SHA18d9da11aa11364c1b580b12faa446403f527ff83
SHA256d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05
SHA51272d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe
-
Filesize
145KB
MD5c1bc32afcdccfba8e304c2fc95b04882
SHA1c0503ceb866c276fcb99ab43683f2b0ba2ccb2b5
SHA25608f2ee3b829ca26114ee1dc4c41519530e838e63da2815794c27274b4cc1c8d0
SHA5120e8522cf83ae0df9708da0140ccf899a4fb6ea96e915edf42b923e989f1337ff13a12fafffd8b650fb2a6c8f6a68ead9344809e24abf6b90ab9fb04eda33572e
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
168KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
120KB