Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 22:22

Static task: static1
Behavioral task: behavioral1
- Sample: 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe
- Resource: win10v2004-20241007-en

General
- Target: 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe
- Size: 376KB
- MD5: 974c64901500421a596ad26f606128e4
- SHA1: c1e9d29ce7085864968ec1f33740b24f41d821a5
- SHA256: 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6
- SHA512: 957ddb1f3ee56323d305b026274a12294c92ff0b2a0346efa814abf15c45d23d7965915eadbb34a884d676f86e6b26001f3c28feb23604382dfe978742d6717f
- SSDEEP: 6144:Kgy+bnr+9p0yN90QEevJCS6Yy9MPke9wWwjXFOEOpljux43Dl:IMrly90MovM9sWrjuSTl
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- resource: behavioral1/files/0x0008000000023cb7-12.dat, yara_rule: family_redline
- resource: behavioral1/memory/4784-15-0x0000000000A70000-0x0000000000A98000-memory.dmp, yara_rule: family_redline

Redline family
Executes dropped EXE (2 IoCs)
- pid 4764, process x4507930.exe
- pid 4784, process g7601471.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""; process: x4507930.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: x4507930.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: g7601471.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1056 wrote to memory of 4764 (pid 1056, process 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe, procid_target 83)
- PID 1056 wrote to memory of 4764 (pid 1056, process 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe, procid_target 83)
- PID 1056 wrote to memory of 4764 (pid 1056, process 188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe, procid_target 83)
- PID 4764 wrote to memory of 4784 (pid 4764, process x4507930.exe, procid_target 84)
- PID 4764 wrote to memory of 4784 (pid 4764, process x4507930.exe, procid_target 84)
- PID 4764 wrote to memory of 4784 (pid 4764, process x4507930.exe, procid_target 84)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe"
  PID: 1056
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe
    PID: 4764
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe
      PID: 4784
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204KB
  MD5: 56252d91ac7df6398dfff7418849511a
  SHA1: 09f5b5b019d887a38f1849961f1eb6b0afbcbfb5
  SHA256: b7e08d7096e73e3bda5aed24d3296e48b0035f7a12c7c21ca0c7b494e6e38459
  SHA512: d92f4371eb980c46198a18dfc1b00b0445c2fa5550d70c30da36e2234feeb24cb4c34cbb2ee665c653c9a26c6327d3d41df4f13f94ffd2035662c3e11a397ea5
- Filesize: 136KB
  MD5: 8f30f7f88229560306c5959c605316de
  SHA1: 36f26a905a9743f6dd1608e39b37d1116cafcc0a
  SHA256: 3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7
  SHA512: 267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0