Analysis

max time kernel: 132s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:41
Static task: static1
Behavioral task: behavioral1
Sample: 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe
Resource: win10v2004-20241007-en
General

Target: 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe
Size: 479KB
MD5: 371935e6206a860e121a6968c283af30
SHA1: 4ac50d5a43a213aa450c8f913774fa7890d2c144
SHA256: 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b
SHA512: 031a1716ba8b2da4d8d49330e1a8b5dfb2cca9134820699011dbefe01acf81eee39dfb4b4525027d3889d95cd56afe21955c57ee53e2dd02c5393460677c8673
SSDEEP: 6144:Kky+bnr+8p0yN90QEF13cJzzZnMAews4ZnZs50XYNYCQcJPniwJykdu6sp0xEzN2:gMrYy90NsbMW7vwJzduJ0v9kMN1gq9B
Malware Config

Extracted
Family: redline
Botnet: dippo
C2: 217.196.96.102:4132
auth_value: 79490ff628fd6af3b29170c3c163874b
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca8-12.dat | family_redline
behavioral1/memory/2192-15-0x0000000000E30000-0x0000000000E5E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
1416 | x7474593.exe
2192 | g2744051.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x7474593.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x7474593.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2744051.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4004 wrote to memory of 1416 | 4004 | 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe | 83
PID 4004 wrote to memory of 1416 | 4004 | 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe | 83
PID 4004 wrote to memory of 1416 | 4004 | 20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe | 83
PID 1416 wrote to memory of 2192 | 1416 | x7474593.exe | 84
PID 1416 wrote to memory of 2192 | 1416 | x7474593.exe | 84
PID 1416 wrote to memory of 2192 | 1416 | x7474593.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe"
  PID: 4004
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7474593.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7474593.exe
    PID: 1416
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2744051.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2744051.exe
      PID: 2192
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 307KB
MD5: 9337938de858f95646c55a67babf9358
SHA1: 56dcb0b887917475dbb330b1887e01ba94865956
SHA256: 7a42612b2f96804d35f74a177b6c8f7e1ac17271350c1f2c142003d2606b7211
SHA512: f41f3819f76ae2431f7b07752be05e1f74da38ea532d8c708d9907d764f1dbfeedc15ce02e0cae596c1dc0f1b384a51fc3dad137dd1a261d5ed4e10d2fcbafe9

Filesize: 168KB
MD5: b486ae6b4d9032e888a5a62898b3e24b
SHA1: a0608db39817c75f44993ab40350d9d2c3a8317d
SHA256: 2fdf778ab9c2d9aa6de68b508cd1bce00043e4284a9ad23d310bb6ad10b8bb90
SHA512: 7c87031ba2cdce44a916ccda43c3a4c732193a8365d56e4b550404e050e7dbfbc99bb12e0769676acdc6b46571a09dc5aa221a8c8dddacba5a0234cfcb05615e