Analysis

max time kernel     148s
max time network    149s
platform            windows10-2004_x64
resource            win10v2004-20241007-en
resource tags       arch:x64  arch:x86  image:win10v2004-20241007-en  locale:en-us  os:windows10-2004-x64  system
submitted           09/11/2024, 10:25

Static task         static1
Behavioral task     behavioral1
Sample              2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe
Resource            win10v2004-20241007-en
General

Target    2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe
Size      1.2MB
MD5       7b386aec3199dc179b58618d52ce8243
SHA1      5ff9d725d2337291cd5cd61a73a14cab869fef04
SHA256    2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162
SHA512    a6b59ccdb821a5792f64d42a752165488d0038dd313c9f19c4b9f3b23e34206cd3a4a88117447e21dfab779603076b0e9ff17b85be872d32b01f7e8f11731cc9
SSDEEP    24576:Jy8T338/gM5jgKHzC9lUzPWFOu1fxwYMCB8n76S3wSHsNQh:88T3MIMRgUzYezPy91foCB8naSHsNQ
Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/files/0x0008000000023ca7-19.dat                                    family_redline
  behavioral1/memory/2860-21-0x0000000000AE0000-0x0000000000B08000-memory.dmp    family_redline

Redline family
Executes dropped EXE (3 IoCs)
  pid   Process
  4756  x5477257.exe
  3760  x2909548.exe
  2860  g0339804.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description      Process
  Set value (str)  2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str)  x5477257.exe
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Set value (str)  x2909548.exe
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Note: a RunOnce value named wextract_cleanup<n> whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" is the cleanup entry written by the Windows wextract/IExpress self-extractor; it deletes that layer's IXP00<n>.TMP extraction directory at the next logon and does not launch the payload. Three such entries from three different processes identify three nested self-extracting layers rather than persistence for the RedLine payload.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x5477257.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x2909548.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  g0339804.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1584 wrote to memory of 4756  1584  2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe  83
  PID 1584 wrote to memory of 4756  1584  2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe  83
  PID 1584 wrote to memory of 4756  1584  2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe  83
  PID 4756 wrote to memory of 3760  4756  x5477257.exe                                                              84
  PID 4756 wrote to memory of 3760  4756  x5477257.exe                                                              84
  PID 4756 wrote to memory of 3760  4756  x5477257.exe                                                              84
  PID 3760 wrote to memory of 2860  3760  x2909548.exe                                                              85
  PID 3760 wrote to memory of 2860  3760  x2909548.exe                                                              85
  PID 3760 wrote to memory of 2860  3760  x2909548.exe                                                              85
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe  (PID 1584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe  (PID 4756)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe  (PID 3760)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe  (PID 2860)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
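The process tree is three wextract/IExpress self-extractor layers, each of which registers its own wextract_cleanup<n> RunOnce value and starts the next stage from an IXP00<n>.TMP directory, followed by the unpacked payload in PID 2860, the same process whose memory dump matched the RedLine YARA rule. The following Python is an added example, not part of the sandbox report, that reconstructs that from the process-tree and registry IoCs listed above: it builds the parent chain, marks every process that wrote a cleanup entry as an extraction layer, counts how many chain members run out of an IXP00n.TMP directory, and names the deepest process that wrote no cleanup entry as the payload candidate. The record field names (pid, ppid, image, op, key, value) are an assumed Sysmon-like shape, not the sandbox's export format; the values are copied from this page.

```python
"""Added example (not part of the sandbox report): rebuild the dropper chain from
the process-tree and registry IoCs and separate the self-extractor layers from
the final payload. Record field names are an assumed Sysmon-like shape."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Process-create records, constructed from the report's process tree.
PROCESSES = [
    {"pid": 1584, "ppid": 0, "image": rf"{TEMP}\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe"},
    {"pid": 4756, "ppid": 1584, "image": rf"{TEMP}\IXP000.TMP\x5477257.exe"},
    {"pid": 3760, "ppid": 4756, "image": rf"{TEMP}\IXP001.TMP\x2909548.exe"},
    {"pid": 2860, "ppid": 3760, "image": rf"{TEMP}\IXP002.TMP\g0339804.exe"},
]

# Registry records, constructed from the "Adds Run key" and "System Language Discovery" IoCs.
REGISTRY = [
    {"pid": pid, "op": "set", "key": rf"{RUNONCE}\wextract_cleanup{n}",
     "value": rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "{TEMP}\IXP00{n}.TMP\"'}
    for n, pid in enumerate((1584, 4756, 3760))
] + [{"pid": pid, "op": "open", "key": NLS_KEY, "value": None} for pid in (1584, 4756, 3760, 2860)]

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)
WEXTRACT_CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
NLS_LANGUAGE = re.compile(r"\\NLS\\Language$", re.IGNORECASE)


def lineage(pid, procs=PROCESSES):
    """Parent chain from the root process down to pid, as a list of PIDs."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def analyse(procs=PROCESSES, regs=REGISTRY):
    """One finding per leaf process: SFX layers, extraction depth and the payload candidate."""
    by_pid = {p["pid"]: p for p in procs}
    parents = {p["ppid"] for p in procs}
    # A process that registers a wextract_cleanup<n> RunOnce value is a wextract/IExpress
    # self-extractor layer scheduling deletion of its own IXP00<n>.TMP directory.
    cleanup_writers = {r["pid"] for r in regs if r["op"] == "set" and WEXTRACT_CLEANUP.search(r["key"])}
    language_readers = {r["pid"] for r in regs if r["op"] == "open" and NLS_LANGUAGE.search(r["key"])}
    findings = []
    for leaf in (p["pid"] for p in procs if p["pid"] not in parents):
        chain = lineage(leaf, procs)
        sfx_layers = [pid for pid in chain if pid in cleanup_writers]
        # Images under an IXP00n.TMP directory were dropped there by the preceding layer.
        extracted = [pid for pid in chain if IXP_DIR.search(by_pid[pid]["image"])]
        # The deepest process that wrote no cleanup entry is what the last layer unpacked.
        payload = next((pid for pid in reversed(chain) if pid not in cleanup_writers), None)
        findings.append({
            "chain": chain,
            "sfx_layers": sfx_layers,
            "extracted_depth": len(extracted),
            "payload_pid": payload,
            "payload_image": by_pid[payload]["image"] if payload is not None else None,
            "language_check_pids": sorted(language_readers & set(chain)),
            "nested_sfx": len(sfx_layers) >= 2,
        })
    return findings


if __name__ == "__main__":
    for f in analyse():
        print(" -> ".join(str(p) for p in f["chain"]))
        print(f"  SFX layers: {f['sfx_layers']}  extracted depth: {f['extracted_depth']}")
        print(f"  payload candidate: PID {f['payload_pid']} {f['payload_image']}")
        print(f"  NLS\\Language queried by: {f['language_check_pids']}")
```

Fed the same records from live Sysmon process-create and registry-set events, the nested_sfx flag (two or more cleanup-writing layers in one chain) is the part worth alerting on: a single IExpress package is ordinary installer behaviour, but packages nested inside packages are the packer pattern this sample shows, and the payload_pid it names is where a memory dump should be taken.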
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  914KB
MD5       aec4b640bb4d70e26f992687e2a04a76
SHA1      1c5faf208e380ae6204dff795e4c6eca1e38c24d
SHA256    4c73843b36e052597148df44e62bfc7e4d3adf522f61a97602645869957b2274
SHA512    a68ee38285acf92192e30e80a5c878a9dc7712d86716ba1d173313dd0deafe6f4244a55e527bc17f1f6ffe968e78bdd0f1d99b45fa86a7dc118c716ce1e51c16

Filesize  416KB
MD5       443c12936251f264c4dc4d96192f0819
SHA1      c5e7c4f660f3ff17c8cea1b9dfd00fc11955d404
SHA256    909886487687835f25ff0fdadc63546982f65176fd827a3fb9eeed83c0fac39d
SHA512    387938841b8a6ff8fb1dbfb0694dae16ce4bc0b5d9b1b39f942e75d01bc6ae79b19ae9213cae2eb151007592cf5ebdd435f0bb77d0407d08222d4a5cef43c711

Filesize  136KB
MD5       bf796ee030a6a6775ad0266ba6987ad1
SHA1      fa088629b9c12d9944abd5560255c0404cf974d6
SHA256    5a8dc121cf510a11b664fa3d760deeb981075f55853ba3a68ae4058f6753eb5e
SHA512    511e764725904275a9e158a12006f77b30d96a71b14065d1ea9a309775ce02abf9c1a7e0f781bce2c53f366ca2994509147c6df0f98d98319d474ba5362cb04a