Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 21:56
Static task: static1
Behavioral task: behavioral1
Sample: 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe
Resource: win10v2004-20241007-en
General
- Target: 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe
- Size: 479KB
- MD5: 79e08f3cb154a32b8971307cb1572016
- SHA1: 3bafa1e74ef75e413841393a740846c1d70df137
- SHA256: 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a
- SHA512: e6b34e51420c3d4a8eff13e339527a454f59e17db2acf01044a7e6c1d65bafb6d43d7b3c6fe1d8e666edadb4ad8dd39b3fbc0812ea63b51d09b79fee047790d6
- SSDEEP: 12288:/Mr4y90va3gWw8c0ZF8R2sY3041scnrqHQDgezgAr:Dy7TxTe2sOrKQHzV
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b7e-12.dat | family_redline
  behavioral1/memory/4900-15-0x00000000007B0000-0x00000000007D8000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid | Process
  4168 | x5359636.exe
  4900 | g2442265.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x5359636.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x5359636.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2442265.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2680 wrote to memory of 4168 | 2680 | 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe | 83
  PID 2680 wrote to memory of 4168 | 2680 | 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe | 83
  PID 2680 wrote to memory of 4168 | 2680 | 0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe | 83
  PID 4168 wrote to memory of 4900 | 4168 | x5359636.exe | 84
  PID 4168 wrote to memory of 4900 | 4168 | x5359636.exe | 84
  PID 4168 wrote to memory of 4900 | 4168 | x5359636.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe (PID 2680)
  command line: "C:\Users\Admin\AppData\Local\Temp\0ea229b5f61abea1c9c38f0f1ade11f3632b4557e84566f383a2367d1d27463a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5359636.exe (PID 4168)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5359636.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - child: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2442265.exe (PID 4900)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2442265.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 307KB
  MD5: c426ff7820066fda10f72c88b728f40e
  SHA1: d987c00455c4d7f19079e688485d5bbf1a17609d
  SHA256: f9abf0680ab4e04392eb9d15ab71cfa29fc269ca48e3b30a452e0e3e4e2382d1
  SHA512: 4614fccae8406faa4022523f538c231ef1bbfc4672bb7e3b3439c74b21d3e2e1974e9f79ab19705a7600babe8d9fa6e6673b16b8f95328d94018d80be40ed9a5
- Filesize: 136KB
  MD5: a983582eb52ddc9d7c4b8cdc0208221a
  SHA1: 473ab673bed234d883c341a9bee8724d0d522157
  SHA256: f48750d874413cd6c439d02a8b51a2fd8f5e5221b580c9e5414d5d4b39837f8e
  SHA512: 57a6e621ec0a78ffcdc0f74d99a594aec09b69bd12506c4c2eebbe8ea634a8000a45221bf744cc9c6a33908fb269f41691b4b3c57603a5938f27d3996901bf6d