Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 04:13

Static task: static1
Behavioral task: behavioral1
Sample: 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Resource: win10v2004-20241007-en
General

Target: 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Size: 773KB
MD5: 29aaf4329eb63ad58213522d546be502
SHA1: 7f5484fbe77a2b1ecdcc9d5d881c8a7fe4d0bbef
SHA256: 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9
SHA512: afa2717ffda628f6ef1cbaa65c505743d8ae4699e20c0a091c28d792289c7e5a94cd5c848622350a7d42ad74b60eddfc8bee69344efdb38ff9f54a1f7974a3e2
SSDEEP: 24576:Ayy2GzxwCYvDnP1O1fBiNxX/dEOro0O6r:HyHMvE5iHFEOrJ
Malware Config

Extracted
Family: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted
Family: redline
Botnet: dante
C2: 185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/4960-2168-0x0000000005630000-0x0000000005662000-memory.dmp | family_redline
behavioral1/files/0x000800000001e560-2173.dat | family_redline
behavioral1/memory/4340-2181-0x00000000006D0000-0x00000000006FE000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cc3-2192.dat | family_redline
behavioral1/memory/4464-2194-0x0000000000320000-0x0000000000350000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | m55074846.exe

Executes dropped EXE (4 IoCs)
pid | Process
5056 | x69063619.exe
4960 | m55074846.exe
4340 | 1.exe
4464 | n71110944.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x69063619.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1552 | 4960 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x69063619.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | m55074846.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | n71110944.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4960 | m55074846.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2128 wrote to memory of 5056 | 2128 | 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe | 85
PID 2128 wrote to memory of 5056 | 2128 | 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe | 85
PID 2128 wrote to memory of 5056 | 2128 | 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe | 85
PID 5056 wrote to memory of 4960 | 5056 | x69063619.exe | 86
PID 5056 wrote to memory of 4960 | 5056 | x69063619.exe | 86
PID 5056 wrote to memory of 4960 | 5056 | x69063619.exe | 86
PID 4960 wrote to memory of 4340 | 4960 | m55074846.exe | 90
PID 4960 wrote to memory of 4340 | 4960 | m55074846.exe | 90
PID 4960 wrote to memory of 4340 | 4960 | m55074846.exe | 90
PID 5056 wrote to memory of 4464 | 5056 | x69063619.exe | 94
PID 5056 wrote to memory of 4464 | 5056 | x69063619.exe | 94
PID 5056 wrote to memory of 4464 | 5056 | x69063619.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2128

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5056

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4960

      C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4340

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1388
        - Program crash
        PID: 1552

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4464

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4960 -ip 4960
  PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 569KB
MD5: 4d36a4218bc1cc33e72ba037f0465930
SHA1: 0e85d205c5cf934fca525559f13b329486139056
SHA256: e5eeb396cc6cb613caf25aa87e549eff2066c0b242d34c5338a8e0f7f94bb2e9
SHA512: 3bcb4e9399e577b43f371f21ffed8296f041c19afa2c619a816f1db49ddea79613f3ba5388a42f6a2e6d0f771fb14afeb647cec5a15b9a615be869fd1138eed6

Filesize: 479KB
MD5: 00cb38d342a1c443f83de64ab3df0628
SHA1: 52655d532a4497d809d68194b6b4f0b526c55170
SHA256: c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e
SHA512: 47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Filesize: 169KB
MD5: e62e4bb9734b2212a4c351307ef7c4e8
SHA1: 93fb97a8d6332fcbd80e13289e2a3c8afe029997
SHA256: 98c9c93155a3cff8a49d3045975a7f7fd9f5ee4702e1414eb049d799b60b2856
SHA512: 486e3e145333e33259799d36da1f91b0fee8f9debe4ce81de8ab505b591f31b75f76d44dfa32c787689a0c7213a1b011018ecebe49c1397f98e8b9c455307e76

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf