Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:37
Static task: static1
Behavioral task: behavioral1
Sample: cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe
Resource: win10v2004-20241007-en
General
Target: cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe
Size: 1.4MB
MD5: 1fa20ce685ec4c6644d7319fe54e161e
SHA1: 43de7be6340ca27514e199c16935a7c8a3503536
SHA256: cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2
SHA512: 204b4131bfd9a2bb24da06c84fb2e63aca50cc4c5dfba7ec34407ae76a17f194018f5b2d1d1f4be2c8afac962c085160728f888d7a38d138d6c9a0d579cab545
SSDEEP: 24576:QyS7ch9MT7w6RiAfa1IFTkycjrQ6lksOw295b7QYZGpew3a1jagTE718/pC:XMcLy7w68sTjY2HZy585TE7G/p
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource / yara_rule
behavioral1/files/0x000b000000023b86-33.dat / family_redline
behavioral1/memory/552-35-0x0000000000EF0000-0x0000000000F20000-memory.dmp / family_redline

Redline family

Executes dropped EXE (5 IoCs)
pid / Process
1944 / i31597883.exe
1164 / i36009917.exe
3608 / i22580956.exe
4548 / i67693533.exe
552 / a78241290.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description / ioc / Process
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" / i22580956.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" / i67693533.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / i31597883.exe
Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" / i36009917.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / i31597883.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / i36009917.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / i22580956.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / i67693533.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / a78241290.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / Process / procid_target
PID 1244 wrote to memory of 1944 / 1244 / cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe / 84
PID 1244 wrote to memory of 1944 / 1244 / cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe / 84
PID 1244 wrote to memory of 1944 / 1244 / cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe / 84
PID 1944 wrote to memory of 1164 / 1944 / i31597883.exe / 86
PID 1944 wrote to memory of 1164 / 1944 / i31597883.exe / 86
PID 1944 wrote to memory of 1164 / 1944 / i31597883.exe / 86
PID 1164 wrote to memory of 3608 / 1164 / i36009917.exe / 87
PID 1164 wrote to memory of 3608 / 1164 / i36009917.exe / 87
PID 1164 wrote to memory of 3608 / 1164 / i36009917.exe / 87
PID 3608 wrote to memory of 4548 / 3608 / i22580956.exe / 89
PID 3608 wrote to memory of 4548 / 3608 / i22580956.exe / 89
PID 3608 wrote to memory of 4548 / 3608 / i22580956.exe / 89
PID 4548 wrote to memory of 552 / 4548 / i67693533.exe / 90
PID 4548 wrote to memory of 552 / 4548 / i67693533.exe / 90
PID 4548 wrote to memory of 552 / 4548 / i67693533.exe / 90
Processes
C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe (PID 1244)
  command line: "C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe (PID 1944)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe (PID 1164)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe (PID 3608)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe (PID 4548)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe (PID 552)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.2MB
MD5: daab354c721fafd2ee243a05767c7468
SHA1: 7f26ce46e73732f540a4269ac032c13cc99c8fae
SHA256: 2da87139d7e667973f378d79d15e5699b408a8eb0db3ec5b067df58ef08c9c27
SHA512: fe2c8fd05ae113bae76c6acf5deb579fe4e1c060a9e9dffb871d526e0e09fc869ae4059bf6442097f9ee585995110b0f5c81de0cd060420d7f9cbfc657202de5

Filesize: 1018KB
MD5: 3a891891b1a5cad57b3989e090bf7a45
SHA1: 23300df99171a8b3eccd3076d243eb928405b83b
SHA256: e05723334c15901fc9c49ec8fd360caafcfcac948b67f811dc0047f936a9ce70
SHA512: 188d1d48fcbbd801781402822311af210e89b3dc9c0578d409b3c0655ca9081a2e5753cb3847919bb4b87cc916517b09a547502ab13e9a048eb371e0f752c930

Filesize: 846KB
MD5: 15afed7ad4a63230f5889cd16befcfcb
SHA1: 2fc0406edb137d816ef78add3f1122405ab4a8e2
SHA256: 3c406e69fe367ff17c3696ec00a295a9dbb2aa0b1d8a7a9fb935dd59761c43c3
SHA512: efc7fb2e2529a6be251b2e3b5cbd44d51d7fbe1297bcbb3c28e1979a0a33769ea4e74e2c008c71bebcf0bd10cafbf2b34953b7ed3d446d8e858db5f15958c481

Filesize: 374KB
MD5: 50e64249ab3e5c4357c0aa5b959486dd
SHA1: 4dfc80849cdeaa991cfbaea1676d50116e49a78b
SHA256: dd2b61f7abbee9a2dd29f96d4a8beaf4e61839551745361e0eb5de342eafb923
SHA512: 94611819189da460069e271dea11cfdc7998cb7ccc1ba74f79fad965ed30b5e3897a117a8c12a9d25b71b467b9e4ba7e7d59a961b357d8a0221d8d6b058cf2d0

Filesize: 169KB
MD5: e0a5330d1d105090f672424393566336
SHA1: 3d00706858bcf31b8e7c796423e8ece447a49d03
SHA256: 57d9202819648c6f2dec5ef6d39c678d2377e9daa06c85fa0cfc693258c141b0
SHA512: 6436bf0241555ca37c82059b63417e4bafee4b75fc147302cf45e862913f665e61800f8c457715889922d3f06ac952c26340ba1b58a613cb727da10aaaabc988