Analysis
  max time kernel: 135s
  max time network: 143s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09-11-2024 07:11
  Static task: static1
  Behavioral task: behavioral1
  Sample: cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe
  Resource: win10v2004-20241007-en
General
  Target: cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe
  Size: 896KB
  MD5: 2b88113dc9157f33202752cf1b91a382
  SHA1: 8dceca1df9ff88eb282a85217f4a27e3c5256735
  SHA256: cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502
  SHA512: c84e8d00ff585fd808404eff713fab1a76f75f19b27350cb279881076d53d15f19fcff92c8130c2617f7bf5cd5e5eb345d297cf1af21b5f2838c3c042d7d9018
  SSDEEP: 24576:byvqVP7XdddnhRda7LhEpj0ak14uC/wrfX7+3:OQRddhOAjPkGSy
Malware Config
  Extracted
    family: redline
    botnet: gena
    C2: 185.161.248.73:4164
    auth_value: d05bf43eef533e262271449829751d07
  Extracted
    family: redline
    botnet: dante
    C2: 185.161.248.73:4164
    auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  RedLine payload (5 IoCs)
    resource                                                                        yara_rule
    behavioral1/memory/4568-2168-0x00000000059C0000-0x00000000059F2000-memory.dmp   family_redline
    behavioral1/files/0x000b000000023b8f-2173.dat                                   family_redline
    behavioral1/memory/4104-2181-0x0000000000CF0000-0x0000000000D1E000-memory.dmp   family_redline
    behavioral1/files/0x000a000000023b95-2192.dat                                   family_redline
    behavioral1/memory/2272-2194-0x0000000000C50000-0x0000000000C80000-memory.dmp   family_redline
  Redline family
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation   p02863370.exe
  Executes dropped EXE (4 IoCs)
    pid   Process
    3404  y59703616.exe
    4568  p02863370.exe
    4104  1.exe
    2272  r62261162.exe
  Adds Run key to start application (2 TTPs, 2 IoCs)
    description      ioc                                                                                                                                                                                                            Process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   y59703616.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    1312  4568        WerFault.exe  88
  System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                           Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   r62261162.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   y59703616.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   p02863370.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   1.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid   Process
    Token: SeDebugPrivilege   4568  p02863370.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process                                                                 procid_target
    PID 1444 wrote to memory of 3404   1444  cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe   86
    PID 1444 wrote to memory of 3404   1444  cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe   86
    PID 1444 wrote to memory of 3404   1444  cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe   86
    PID 3404 wrote to memory of 4568   3404  y59703616.exe                                                           88
    PID 3404 wrote to memory of 4568   3404  y59703616.exe                                                           88
    PID 3404 wrote to memory of 4568   3404  y59703616.exe                                                           88
    PID 4568 wrote to memory of 4104   4568  p02863370.exe                                                           91
    PID 4568 wrote to memory of 4104   4568  p02863370.exe                                                           91
    PID 4568 wrote to memory of 4104   4568  p02863370.exe                                                           91
    PID 3404 wrote to memory of 2272   3404  y59703616.exe                                                           95
    PID 3404 wrote to memory of 2272   3404  y59703616.exe                                                           95
    PID 3404 wrote to memory of 2272   3404  y59703616.exe                                                           95
Processes
  C:\Users\Admin\AppData\Local\Temp\cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe  (PID 1444)
    command line: "C:\Users\Admin\AppData\Local\Temp\cc043bc197e633e43e17152ecb421c143e61bc0eec6095a20cff29c8b78f9502.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59703616.exe  (PID 3404)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59703616.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p02863370.exe  (PID 4568)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p02863370.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Temp\1.exe  (PID 4104)
          command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe  (PID 1312)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1512
          - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r62261162.exe  (PID 2272)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r62261162.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\WerFault.exe  (PID 2972)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4568 -ip 4568
Network
MITRE ATT&CK Enterprise v15
Downloads