Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 11:00
Static task
static1
Behavioral task
behavioral1
Sample
77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe
Resource
win10v2004-20241007-en
General
-
Target
77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe
-
Size
376KB
-
MD5
af230fb3bb5219c0aa5a06b1286bd056
-
SHA1
01cfa995d800fe25a50ca22a42d438f3476af022
-
SHA256
77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692
-
SHA512
b80687ca66e88d8e6ad059b4de0b63b9cedf2d3f53045f2121de3cced22cc6d76df2c3722283397a5ea53b08feedc20ed37d8e8d05ac49431fbd42821846515c
-
SSDEEP
6144:K4y+bnr+Op0yN90QEeukWqSuymYDhgGdFwWFBONQYh+RE+WTF:0Mriy90rkWnuy5DhgGd+WoP+RE+WTF
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023cae-12.dat | family_redline
behavioral1/memory/1424-15-0x0000000000D80000-0x0000000000DA8000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 2 IoCs
pid | Process
3132 | x0514300.exe
1424 | g5185857.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0514300.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x0514300.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g5185857.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4952 wrote to memory of 3132 | 4952 | 77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe | 83
PID 4952 wrote to memory of 3132 | 4952 | 77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe | 83
PID 4952 wrote to memory of 3132 | 4952 | 77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe | 83
PID 3132 wrote to memory of 1424 | 3132 | x0514300.exe | 84
PID 3132 wrote to memory of 1424 | 3132 | x0514300.exe | 84
PID 3132 wrote to memory of 1424 | 3132 | x0514300.exe | 84
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\77e51aa5e916b40713ad3184569e4f206f7c66daf9bb58a1c2a933ed2c228692.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4952
-
Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0514300.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0514300.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3132
-
Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5185857.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5185857.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1424
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
204KB
MD5
1312830dd3c00285fb8f42e636573a96
SHA1
05235ebca99c1ba5b25bed8a02fc90f963cd5653
SHA256
7bc1e55e5eac0157ef10dfab8c269727d26b1e51759ad7364c105ff2d92e57cc
SHA512
21eb22876b2199983dc2c89536e203af7c81eba52a54af0fa94882ee6e758cacf6b42fa1049399b177cd441cfde02bc2a6e6e967a60711b0a07a01975c6d067f
-
Filesize
136KB
MD5
317e7409a2bb5d5cc5756b22d19f8f65
SHA1
80fec9ccfb4dcbfa0a142c0714e000c4cebaed5c
SHA256
95dac97529a6e28d86f69528d887835ed8fe23891e4cdf994c1690f3c9e1f282
SHA512
fe8894d752f9240eb1e67d4fd798013dcb5da88695b25c5b3fc8ab893cff6d804c3516a9a9a9cf40cf2ccfd9be64647b4de1151207a7ae08b78a3019332f35a7