Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:00
Static task: static1
Behavioral task: behavioral1
Sample: be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe
Resource: win10v2004-20241007-en
General
Target: be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe
Size: 712KB
MD5: a878864357901c3158dd9b65b9b1ecec
SHA1: f8d7a94965d1455eebe94b99ab6c4915e4dca779
SHA256: be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68
SHA512: 23a1f32b7c14dacc6845c8fa136b9a3ebac20064339b4ccfadf74799bc685a80e19300259e12ea2722e5867bc270036ea1f4998ddd795c74cb139f69e782a59a
SSDEEP: 12288:OMrBy90K9ArfPWipnhVlUu4m8qdl1zcgmvS2a338jHf50VEPK2V8CQH4PXSs:fyN9wdnhku4m/VRaNKu+YKs
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000023bb2-12.dat | family_redline
behavioral1/memory/3628-15-0x0000000000920000-0x0000000000948000-memory.dmp | family_redline
Redline family
Executes dropped EXE (2 IoCs)
pid | Process
3880 | x0343731.exe
3628 | g6012870.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0343731.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x0343731.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g6012870.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4524 wrote to memory of 3880 | 4524 | be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe | 84
PID 4524 wrote to memory of 3880 | 4524 | be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe | 84
PID 4524 wrote to memory of 3880 | 4524 | be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe | 84
PID 3880 wrote to memory of 3628 | 3880 | x0343731.exe | 85
PID 3880 wrote to memory of 3628 | 3880 | x0343731.exe | 85
PID 3880 wrote to memory of 3628 | 3880 | x0343731.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be96ff083d5ae6dc3dd100ff70535bc963d221e0bd49a0372f31549d1aa23d68.exe"
  Depth: 1, PID: 4524
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0343731.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0343731.exe
    Depth: 2, PID: 3880
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6012870.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6012870.exe
      Depth: 3, PID: 3628
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 420KB
MD5: 05011e159b35eb2c42abfacc41995cba
SHA1: 2143f86b1cdb9d85bbc4ba50d91a24a32641669f
SHA256: 1bb050527197079ddfe7d8b2da15f7c95c4765081e85efd29bb77695220df79d
SHA512: 0d35460da6f6c94d33582e2fd8272fec7d54470ce4cbcfb48f40130914145433754eff51259444ab2ac376c7cfb2d44523d005a1163344dbbc11653aa5bc8842

Filesize: 136KB
MD5: 900773e990d8b1e3af6e21f70254cfdb
SHA1: dda280ccdcfe908c9025e3ac2149ce85bdc21306
SHA256: be09a1ddcce79e01ba6501e664d631042f191e9bb1396cc4ae09df3343c1efc6
SHA512: bec9b05f0ae9fe0cc7bf1274963847adc4c2dbdb27cac3d86a96ee7472647383d6cb33a26a74ca2800c07248e1edec67cd2115d721bd13e5f9b820ae646b3e87