Analysis
- max time kernel: 137s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-11-2024 01:19

Static task: static1
Behavioral task: behavioral1
- Sample: 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe
- Resource: win10v2004-20241007-en

General
- Target: 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe
- Size: 849KB
- MD5: a503af3978e1796b2f253d92955ffc9d
- SHA1: c001655b8a045f8464936dda71ef874674c5a428
- SHA256: 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea
- SHA512: 8c30b34b7d92f36507cdb544c5634660e96ec5f2a20cd08bb72275db2a830db3c65ed2a029adf4ebcc1fa211ed1a684b77a833c1991709d646cd96cb33895fb7
- SSDEEP: 24576:0yiFoxYl1FPjOf7BCCcXGCNsgMwmRqOsSeF:DALiVC/GiRR7
Malware Config
Extracted
- Family: redline
- Botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07
Extracted
- Family: redline
- Botnet: dante
- C2: 185.161.248.73:4164
- auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/3832-2169-0x0000000005620000-0x0000000005652000-memory.dmp | family_redline
behavioral1/files/0x0002000000022efc-2174.dat | family_redline
behavioral1/memory/6068-2182-0x00000000001F0000-0x000000000021E000-memory.dmp | family_redline
behavioral1/files/0x0007000000023c9f-2194.dat | family_redline
behavioral1/memory/3864-2196-0x00000000009C0000-0x00000000009F0000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | p98104035.exe
Executes dropped EXE (4 IoCs)
pid | Process
3504 | y02752080.exe
3832 | p98104035.exe
6068 | 1.exe
3864 | r41958425.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y02752080.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2016 | 3832 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y02752080.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | p98104035.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r41958425.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3832 | p98104035.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4128 wrote to memory of 3504 | 4128 | 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe | 83
PID 4128 wrote to memory of 3504 | 4128 | 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe | 83
PID 4128 wrote to memory of 3504 | 4128 | 1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe | 83
PID 3504 wrote to memory of 3832 | 3504 | y02752080.exe | 84
PID 3504 wrote to memory of 3832 | 3504 | y02752080.exe | 84
PID 3504 wrote to memory of 3832 | 3504 | y02752080.exe | 84
PID 3832 wrote to memory of 6068 | 3832 | p98104035.exe | 88
PID 3832 wrote to memory of 6068 | 3832 | p98104035.exe | 88
PID 3832 wrote to memory of 6068 | 3832 | p98104035.exe | 88
PID 3504 wrote to memory of 3864 | 3504 | y02752080.exe | 94
PID 3504 wrote to memory of 3864 | 3504 | y02752080.exe | 94
PID 3504 wrote to memory of 3864 | 3504 | y02752080.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe (level 1, PID 4128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1702411e01d0cd615282ab8a91ef29479779f53df8c2b7ad8d9e150612e1deea.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y02752080.exe (level 2, PID 3504)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y02752080.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p98104035.exe (level 3, PID 3832)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p98104035.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe (level 4, PID 6068)
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (level 4, PID 2016)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1380
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r41958425.exe (level 3, PID 3864)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r41958425.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 4452)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3832 -ip 3832
Network
MITRE ATT&CK Enterprise v15
Downloads