Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 21:56

General

  • Target

    0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe

  • Size

    479KB

  • MD5

    79e08f3cb154a32b8971307cb1572016

  • SHA1

    3bafa1e74ef75e413841393a740846c1d70df137

  • SHA256

    0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a

  • SHA512

    e6b34e51420c3d4a8eff13e339527a454f59e17db2acf01044a7e6c1d65bafb6d43d7b3c6fe1d8e666edadb4ad8dd39b3fbc0812ea63b51d09b79fee047790d6

  • SSDEEP

    12288:/Mr4y90va3gWw8c0ZF8R2sY3041scnrqHQDgezgAr:Dy7TxTe2sOrKQHzV

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe
    "C:\Users\Admin\AppData\Local\Temp\0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5359636.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5359636.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2442265.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2442265.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5359636.exe

    Filesize

    307KB

    MD5

    c426ff7820066fda10f72c88b728f40e

    SHA1

    d987c00455c4d7f19079e688485d5bbf1a17609d

    SHA256

    f9abf0680ab4e04392eb9d15ab71cfa29fc269ca48e3b30a452e0e3e4e2382d1

    SHA512

    4614fccae8406faa4022523f538c231ef1bbfc4672bb7e3b3439c74b21d3e2e1974e9f79ab19705a7600babe8d9fa6e6673b16b8f95328d94018d80be40ed9a5

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2442265.exe

    Filesize

    136KB

    MD5

    a983582eb52ddc9d7c4b8cdc0208221a

    SHA1

    473ab673bed234d883c341a9bee8724d0d522157

    SHA256

    f48750d874413cd6c439d02a8b51a2fd8f5e5221b580c9e5414d5d4b39837f8e

    SHA512

    57a6e621ec0a78ffcdc0f74d99a594aec09b69bd12506c4c2eebbe8ea634a8000a45221bf744cc9c6a33908fb269f41691b4b3c57603a5938f27d3996901bf6d

  • memory/4900-14-0x0000000073E4E000-0x0000000073E4F000-memory.dmp

    Filesize

    4KB

  • memory/4900-15-0x00000000007B0000-0x00000000007D8000-memory.dmp

    Filesize

    160KB

  • memory/4900-16-0x0000000007AD0000-0x00000000080E8000-memory.dmp

    Filesize

    6.1MB

  • memory/4900-17-0x0000000007510000-0x0000000007522000-memory.dmp

    Filesize

    72KB

  • memory/4900-18-0x0000000007640000-0x000000000774A000-memory.dmp

    Filesize

    1.0MB

  • memory/4900-19-0x0000000007570000-0x00000000075AC000-memory.dmp

    Filesize

    240KB

  • memory/4900-20-0x0000000073E40000-0x00000000745F0000-memory.dmp

    Filesize

    7.7MB

  • memory/4900-21-0x0000000004B20000-0x0000000004B6C000-memory.dmp

    Filesize

    304KB

  • memory/4900-22-0x0000000073E4E000-0x0000000073E4F000-memory.dmp

    Filesize

    4KB

  • memory/4900-23-0x0000000073E40000-0x00000000745F0000-memory.dmp

    Filesize

    7.7MB