Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 10:25

General

  • Target

    2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe

  • Size

    1.2MB

  • MD5

    7b386aec3199dc179b58618d52ce8243

  • SHA1

    5ff9d725d2337291cd5cd61a73a14cab869fef04

  • SHA256

    2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162

  • SHA512

    a6b59ccdb821a5792f64d42a752165488d0038dd313c9f19c4b9f3b23e34206cd3a4a88117447e21dfab779603076b0e9ff17b85be872d32b01f7e8f11731cc9

  • SSDEEP

    24576:Jy8T338/gM5jgKHzC9lUzPWFOu1fxwYMCB8n76S3wSHsNQh:88T3MIMRgUzYezPy91foCB8naSHsNQ

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe
    "C:\Users\Admin\AppData\Local\Temp\2c220a5de5d2e9b59134d199dff7aa148b7d1f2824751b058a83d0baa2775162.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2860

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5477257.exe

          Filesize

          914KB

          MD5

          aec4b640bb4d70e26f992687e2a04a76

          SHA1

          1c5faf208e380ae6204dff795e4c6eca1e38c24d

          SHA256

          4c73843b36e052597148df44e62bfc7e4d3adf522f61a97602645869957b2274

          SHA512

          a68ee38285acf92192e30e80a5c878a9dc7712d86716ba1d173313dd0deafe6f4244a55e527bc17f1f6ffe968e78bdd0f1d99b45fa86a7dc118c716ce1e51c16

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2909548.exe

          Filesize

          416KB

          MD5

          443c12936251f264c4dc4d96192f0819

          SHA1

          c5e7c4f660f3ff17c8cea1b9dfd00fc11955d404

          SHA256

          909886487687835f25ff0fdadc63546982f65176fd827a3fb9eeed83c0fac39d

          SHA512

          387938841b8a6ff8fb1dbfb0694dae16ce4bc0b5d9b1b39f942e75d01bc6ae79b19ae9213cae2eb151007592cf5ebdd435f0bb77d0407d08222d4a5cef43c711

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0339804.exe

          Filesize

          136KB

          MD5

          bf796ee030a6a6775ad0266ba6987ad1

          SHA1

          fa088629b9c12d9944abd5560255c0404cf974d6

          SHA256

          5a8dc121cf510a11b664fa3d760deeb981075f55853ba3a68ae4058f6753eb5e

          SHA512

          511e764725904275a9e158a12006f77b30d96a71b14065d1ea9a309775ce02abf9c1a7e0f781bce2c53f366ca2994509147c6df0f98d98319d474ba5362cb04a

        • memory/2860-21-0x0000000000AE0000-0x0000000000B08000-memory.dmp

          Filesize

          160KB

        • memory/2860-22-0x0000000007EC0000-0x00000000084D8000-memory.dmp

          Filesize

          6.1MB

        • memory/2860-23-0x0000000007940000-0x0000000007952000-memory.dmp

          Filesize

          72KB

        • memory/2860-24-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

          Filesize

          1.0MB

        • memory/2860-25-0x00000000079E0000-0x0000000007A1C000-memory.dmp

          Filesize

          240KB

        • memory/2860-26-0x0000000002E90000-0x0000000002EDC000-memory.dmp

          Filesize

          304KB