Analysis
- max time kernel: 135s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 09-11-2024 07:00

Static task: static1
Behavioral task: behavioral1
- Sample: 27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe
- Resource: win10v2004-20241007-en
General
- Target: 27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe
- Size: 850KB
- MD5: 613abcd399e6f7a6d4acb964751d52c2
- SHA1: 3c40a4b7cb47c51c7fa9360cf0923ba94dfb0464
- SHA256: 27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e
- SHA512: 2a3fda4f992bf544b8b3abaf96a024c46d857945e1c7d373f2306798781d12bdaba0750b8e95d8d1e41725c17ffcb052e87ce728683dfe9cdc45297e0774133e
- SSDEEP: 24576:1y83SeWTVSr3VNSotYKVY/lIVqJsw1eghP:Q8ie/3h2KV8c
Malware Config
Extracted (redline, gena)
- 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07

Extracted (redline, dante)
- 185.161.248.73:4164
- auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 5 IoCs
resource / yara_rule:
- behavioral1/memory/4856-2169-0x0000000004F50000-0x0000000004F82000-memory.dmp family_redline
- behavioral1/files/0x0002000000022dc9-2174.dat family_redline
- behavioral1/memory/5884-2184-0x0000000000490000-0x00000000004BE000-memory.dmp family_redline
- behavioral1/files/0x0007000000023c99-2189.dat family_redline
- behavioral1/memory/6080-2191-0x0000000000D10000-0x0000000000D40000-memory.dmp family_redline

Redline family
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (p91614400.exe)
Executes dropped EXE 4 IoCs
pid / Process:
- 3344 y78368726.exe
- 4856 p91614400.exe
- 5884 1.exe
- 6080 r38880134.exe
Adds Run key to start application 2 TTPs 2 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (y78368726.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (y78368726.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (p91614400.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (r38880134.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process:
- Token: SeDebugPrivilege 4856 p91614400.exe
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target:
- PID 3568 wrote to memory of 3344 | 3568 | 27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe | 83
- PID 3568 wrote to memory of 3344 | 3568 | 27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe | 83
- PID 3568 wrote to memory of 3344 | 3568 | 27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe | 83
- PID 3344 wrote to memory of 4856 | 3344 | y78368726.exe | 85
- PID 3344 wrote to memory of 4856 | 3344 | y78368726.exe | 85
- PID 3344 wrote to memory of 4856 | 3344 | y78368726.exe | 85
- PID 4856 wrote to memory of 5884 | 4856 | p91614400.exe | 88
- PID 4856 wrote to memory of 5884 | 4856 | p91614400.exe | 88
- PID 4856 wrote to memory of 5884 | 4856 | p91614400.exe | 88
- PID 3344 wrote to memory of 6080 | 3344 | y78368726.exe | 89
- PID 3344 wrote to memory of 6080 | 3344 | y78368726.exe | 89
- PID 3344 wrote to memory of 6080 | 3344 | y78368726.exe | 89
Processes

1. C:\Users\Admin\AppData\Local\Temp\27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\27cfd7771db5efb76d9a3a6365099295422bbbb04982266ec7d82ce2eaf67f3e.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3568

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78368726.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y78368726.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3344

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p91614400.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p91614400.exe
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 4856

         4. C:\Windows\Temp\1.exe
            Command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 5884

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r38880134.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r38880134.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 6080
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 570KB
  MD5: 1daa2ee5220e2a31860eb257095ea3c5
  SHA1: 6b48db6a93a456331d69f348bd2747d3fb6f2480
  SHA256: b036d9e85b7b7f9e0a032a2282586ae3a9ea4967b5984123bde8e07cea5958be
  SHA512: b515c34116ce5d1a433275f7180286052f999bf0e613049c232b33bd5d796cef599e9b5582a671c8eb5e23f5b04130ab80e598a205b8a257a031e733d476eb46

- Filesize: 476KB
  MD5: b60e91031ca408a0f1f1c50789e1f11d
  SHA1: be33c1e15c70cc47fd502b1647ec2e1830a389b2
  SHA256: a0a9a6f49ae485a5ee659518ff8063c12d552d85e191fa805be3cfb17cd79d9e
  SHA512: add2de5604eee89c0026828a557090ad1094e63e91d449f484ba77271f822c45b917de01a9a174f571135c6e9716d9722fb4b2a1d8d0cc65c1aae2d25a9e4924

- Filesize: 169KB
  MD5: fcae9f58301758e49e426c9288bc6f66
  SHA1: c64ce0c3c841126dc78a0718c1be154e2d684e07
  SHA256: 0fa0f9a26b459bfa12659888262357f85a8a898668960779449fa4fd0956e499
  SHA512: fb2388f82939afdfb96fa9c20f223e2a081938f186ea14225df0342dbe8bb0e956c98bfa6c702225609a739199c1bc9c661333b4fcde66b5f31cfc2e067a31da

- Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf