Analysis
max time kernel: 135s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 02:09
Static task: static1
Behavioral task: behavioral1
Sample: 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe
Resource: win10v2004-20241007-en
General
Target: 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe
Size: 849KB
MD5: 67f08e0374679aec72c19bc70e2d00cd
SHA1: 1b252877e87797f8e00cbef2efffd46e0e69951a
SHA256: 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6
SHA512: 0ebb8de151bf73986f039923bdb55e8136b3aacb121bb8881bdd9090e6e831488ddf719b00ac5376a54b5a635e8b8115560c4c1ec7a1594392a26c0625f2711a
SSDEEP: 24576:GyQtn3GfZb/PLOb8BAmXz35lEzWK14Dk:VQtme+3dsWG4D
Malware Config
Extracted
redline
gena
185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted
redline
dante
185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/3748-2169-0x0000000005650000-0x0000000005682000-memory.dmp | family_redline
behavioral1/files/0x0008000000023ca1-2174.dat | family_redline
behavioral1/memory/5532-2182-0x0000000000740000-0x000000000076E000-memory.dmp | family_redline
behavioral1/memory/5916-2196-0x00000000001E0000-0x0000000000210000-memory.dmp | family_redline
behavioral1/files/0x0007000000023ca8-2195.dat | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | p33442783.exe

Executes dropped EXE (4 IoCs)
pid | Process
3364 | y56303901.exe
3748 | p33442783.exe
5532 | 1.exe
5916 | r81347483.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y56303901.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5172 | 3748 | WerFault.exe | 84

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y56303901.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | p33442783.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r81347483.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3748 | p33442783.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1320 wrote to memory of 3364 | 1320 | 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe | 83
PID 1320 wrote to memory of 3364 | 1320 | 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe | 83
PID 1320 wrote to memory of 3364 | 1320 | 28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe | 83
PID 3364 wrote to memory of 3748 | 3364 | y56303901.exe | 84
PID 3364 wrote to memory of 3748 | 3364 | y56303901.exe | 84
PID 3364 wrote to memory of 3748 | 3364 | y56303901.exe | 84
PID 3748 wrote to memory of 5532 | 3748 | p33442783.exe | 88
PID 3748 wrote to memory of 5532 | 3748 | p33442783.exe | 88
PID 3748 wrote to memory of 5532 | 3748 | p33442783.exe | 88
PID 3364 wrote to memory of 5916 | 3364 | y56303901.exe | 92
PID 3364 wrote to memory of 5916 | 3364 | y56303901.exe | 92
PID 3364 wrote to memory of 5916 | 3364 | y56303901.exe | 92
Processes (indentation shows the parent/child depth of each process)

C:\Users\Admin\AppData\Local\Temp\28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\28bb5b58fdb24021eb0d77dc56c4b090877912d17291cca74fed3efa9f7ccea6.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1320

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y56303901.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y56303901.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3364

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p33442783.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p33442783.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3748

            C:\Windows\Temp\1.exe
            Command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 5532

            C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1380
            - Program crash
            PID: 5172

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r81347483.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r81347483.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 5916

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3748 -ip 3748
PID: 4208
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 569KB
MD5: 7fa7de150df2470ed0d337f8588eec26
SHA1: 8f0db5a4fe41ba2f477f429a433de721c0e152b3
SHA256: 5d9790510dd560a20115830d58d4ecc3f04c9c42495f20761fb14fb2d002ca04
SHA512: 619c09972efb4c066065371d059ad9c0829f772e271839eeab04ae5b0b8ee0717b60369bb45035fff4ac24ecd9fc427850bd5a6d6fe4870acdb27a517c53c0fd

Filesize: 479KB
MD5: 0491a5f37aec4a09de9a2eeadc00590a
SHA1: 2d81bcf6d2564ff1d3efc20bf83176dab8bd2049
SHA256: fba64931c4fa5f1792229112bcebb72955356b3d0ee5f7ad6bbaa5804eb41486
SHA512: f2d8e7f9737da334fd058b369d1d67a4e709ff2421ce715819e314bb10fb30eb49495e6e542f04cd6f862cb6229e6e724a973bd529d6cd82e13ca29537354a4b

Filesize: 169KB
MD5: 7a243246fde5b769bf2f6c2b443f97ef
SHA1: c658eba1492d08b979833813fcf941a0a841145f
SHA256: c53a3a85cc9fb774fffd5c26aba5e446693f7684599f8b9b257f8546b34d9048
SHA512: 0783c95536a11ac2bb410615bf75ea911a625d6ad4ee59a46e8864d39d53b2101a962212c92908232854db394437d2c68b9142b82074359ca1102d310b6aecc1

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf