Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 06:07
Static task
static1
Behavioral task
behavioral1
Sample
ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe
Resource
win10v2004-20241007-en
General
-
Target
ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe
-
Size
769KB
-
MD5
de69bf212c6b8072e8c35a520e6bd058
-
SHA1
a44da60a032e14949cf223cb81c6627c38a7861f
-
SHA256
ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433
-
SHA512
1e6b1ffc7dc7e4737d3b42df6baca0b3279061f32b2c21cfb3a675185957ba6a544583d48cee490af4970c165c118660689e4766c48d0b605041444ca835c245
-
SSDEEP
12288:IMrSy90T6+uAc/1q23VPUf+rGiHnCwKZQpYHrXQuAUCjvd0Ml7EWVB:6yKc/1qGVsfaPKAiXQuGj10M1XVB
Malware Config
Extracted
Family redline
Botnet mixa
C2 185.161.248.75:4132
-
auth_value
9d14534b25ac495ab25b59800acf3bb2
Signatures
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a3203669.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a3203669.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection a3203669.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a3203669.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a3203669.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a3203669.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule
behavioral1/files/0x0007000000023c9a-54.dat family_redline
behavioral1/memory/1244-56-0x0000000000C50000-0x0000000000C7E000-memory.dmp family_redline
-
Redline family
-
Executes dropped EXE 4 IoCs
pid Process
1548 v2160758.exe
3376 v6797957.exe
1748 a3203669.exe
1244 b8056859.exe
-
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a3203669.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a3203669.exe
-
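The two tables above are the registry writes a3203669.exe makes to switch Defender off. The following is an added example, not part of the sandbox report or of the malware: it runs the corresponding detection over constructed Sysmon Event ID 13 (RegistryEvent / SetValue) records modelled on those IoC rows. The tab-separated record layout is an assumption made for the example; the field names (Image, TargetObject, Details) and the "DWORD (0x...)" rendering are Sysmon's, and the rule accepts both the kernel-style \REGISTRY\MACHINE paths shown in this report and Sysmon's HKLM form. Benign look-alikes (a value being set back to 0, Tamper Protection being re-enabled, the same value name under an unrelated key) are included so the rule's scope is visible.

```python
"""Flag the Defender-tampering registry writes recorded in this report.

Added example: a detection over constructed Sysmon Event ID 13 records that
mirror the IoC rows above. Record layout (tab-separated EventID, Image,
TargetObject, Details) is an assumption made for this example.
"""
import re
from dataclasses import dataclass

# Policy values the sample set to 1; each switches off one Defender
# real-time protection component.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"


@dataclass
class Hit:
    process: str
    key: str
    value: str
    data: int
    reason: str


def normalize_key(path: str) -> str:
    """Map a kernel-style \\REGISTRY\\MACHINE\\... path (as logged in the report)
    to HKLM\\... and drop the WOW6432Node hop, so a write from a 32-bit process
    such as a3203669.exe is compared against the same policy path as a native one."""
    p = path
    kernel = "\\REGISTRY\\MACHINE\\"
    if p.upper().startswith(kernel):
        p = "HKLM\\" + p[len(kernel):]
    wow = "HKLM\\SOFTWARE\\WOW6432NODE\\"
    if p.upper().startswith(wow):
        p = "HKLM\\SOFTWARE\\" + p[len(wow):]
    return p


def dword_value(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int, or
    None for anything else (e.g. '-' on a key-creation record)."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect(records):
    """Return a Hit for every SetValue record matching this sample's Defender
    tampering; other event IDs, other keys and values that re-enable
    protection are ignored."""
    hits = []
    for rec in records:
        fields = rec.rstrip("\n").split("\t")
        if len(fields) != 4 or fields[0] != "13":
            continue
        _, image, target, details = fields
        key, _, value = normalize_key(target).rpartition("\\")
        data = dword_value(details)
        if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == 1:
            hits.append(Hit(image, key, value, data,
                            "Defender real-time protection component disabled via policy"))
        elif key.lower() == FEATURES_KEY.lower() and value == "TamperProtection" and data == 0:
            hits.append(Hit(image, key, value, data,
                            "Defender Tamper Protection switched off"))
    return hits


def _rec(event_id, image, target, details):
    return "\t".join([event_id, image, target, details])


MALWARE = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3203669.exe"
RTP_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed records: the first four mirror the report's IoCs, the rest are
# benign look-alikes the rule must not fire on.
SAMPLE_RECORDS = [
    _rec("12", MALWARE, RTP_WOW, "-"),  # key created: not a SetValue
    _rec("13", MALWARE, RTP_WOW + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _rec("13", MALWARE, RTP_WOW + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _rec("13", MALWARE, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    # an administrator setting the native policy value back to 0 (monitoring on)
    _rec("13", r"C:\Windows\System32\svchost.exe", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    # Defender writing a non-zero (enabled) TamperProtection state
    _rec("13", r"C:\Program Files\Windows Defender\MsMpEng.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000005)"),
    # the same value name under an unrelated vendor key
    _rec("13", r"C:\Program Files\Contoso\agent.exe", r"\REGISTRY\MACHINE\SOFTWARE\Contoso\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_RECORDS):
        print(f"{h.process} set {h.key}\\{h.value} = {h.data}: {h.reason}")
```

Run against the constructed records it reports exactly the three tampering writes by a3203669.exe and nothing for the benign rows. To use it on real data, export Sysmon event 13 as tab-separated EventID/Image/TargetObject/Details and feed the lines to detect(); the normalisation step means the rule does not care whether the write landed under WOW6432Node.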
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v2160758.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6797957.exe
All three RunOnce values are the wextract self-extractor's own cleanup hook (the stub used by IExpress-built packages): rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP000.TMP, IXP001.TMP or IXP002.TMP extraction folder at the next logon. Each stage of the dropper chain registers one as it unpacks the next, so this is housekeeping for the droppers, not persistence for the RedLine payload.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2160758.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v6797957.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a3203669.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8056859.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1748 a3203669.exe
1748 a3203669.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1748 a3203669.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 3972 wrote to memory of 1548 3972 ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe 83
PID 3972 wrote to memory of 1548 3972 ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe 83
PID 3972 wrote to memory of 1548 3972 ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe 83
PID 1548 wrote to memory of 3376 1548 v2160758.exe 85
PID 1548 wrote to memory of 3376 1548 v2160758.exe 85
PID 1548 wrote to memory of 3376 1548 v2160758.exe 85
PID 3376 wrote to memory of 1748 3376 v6797957.exe 86
PID 3376 wrote to memory of 1748 3376 v6797957.exe 86
PID 3376 wrote to memory of 1748 3376 v6797957.exe 86
PID 3376 wrote to memory of 1244 3376 v6797957.exe 93
PID 3376 wrote to memory of 1244 3376 v6797957.exe 93
PID 3376 wrote to memory of 1244 3376 v6797957.exe 93
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed5d368fabba2fa0b39795e4b10060abb769a82b18e9d3cfe1e60cbf2b049433.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:3972
   2⤵ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2160758.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2160758.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1548
      3⤵ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6797957.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6797957.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID:3376
         4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3203669.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3203669.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1748
         4⤵ C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8056859.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8056859.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID:1244
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Downloads
-
Filesize 488KB
MD5 2404543ad290271e72a299cfe20b61d1
SHA1 a8d190b79f77b6d749b7281e6dab287eb1bc129c
SHA256 ba74069e8c275aaf4a5c28b190a650427bb8647b53b25b63ab8c11d457952261
SHA512 b2d1ad12c7bae5ab21a1db92d27656e86acdaab02e474637bad9dde523883e015562ffb05dd5ad26d1a5d0f49020e7a0c4137487e061963c98e27f77a9ff12ba
-
Filesize 316KB
MD5 b06515d5ce860c163c7f6f144b7183d9
SHA1 d061d7f1154c9bd20325b23055714997613d903f
SHA256 ff552cc83e93e41497b3cf171b80333a81a13fcf13c40af9ac1dc4154cee8f95
SHA512 45056bfc8128c12c4804d064d57f53f01bf586bad1b3956bf8f83803e0d6b85e2a33bc98e5a2f5ef85326b032149a6485daec490ae5722c668e1da4cd1dbe192
-
Filesize 184KB
MD5 d4c640fb500618ad6c9fc5fe7d3e784d
SHA1 850df0880e1685ce709b44afbbb365cab4f0fec4
SHA256 a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b
SHA512 a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd
-
Filesize 168KB
MD5 9307174dfb6edd81b2e625eac0e60bd3
SHA1 777d7e309e65ce9ed4f0169f3842a46ef7295c60
SHA256 61c74ce4a92b2b33773e234fac3d58b3af1443d64dd623b444a15c30e80136e2
SHA512 c0eefeb8ef626fd02fcd388d11cf4f3487f94e6df9780d450bd3fa28a628687f787f7bbb356e035b17bf8f067a917e2e52d41400079a911dff065d5785cd72e5