Analysis

max time kernel: 134s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 14:32

Static task: static1
Behavioral task: behavioral1
Sample: 90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe
Resource: win10v2004-20241007-en
General

Target: 90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe
Size: 849KB
MD5: 621898503449e6a5cb6c3639af765d09
SHA1: 9cd86fcad5157406a1bb1dd2b5e71897d7812ec8
SHA256: 90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8
SHA512: b91368eafd74570128175ef3d2f70f15693ed1d7a27dc010ca2ce4d969023d50dab7196dd8704389b22681a3bca0936e5c278e8fc5522c86d0fd95db53ac80cd
SSDEEP: 24576:zyyHVj/oOY4SdPZOqnBK6RXifcAN95YKnR1PZyG1:GW9sbBK+q3N9fT
Malware Config

Extracted: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
Botnet: dante
C2: 185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload  5 IoCs
resource | yara_rule
- behavioral1/memory/1392-2168-0x0000000005630000-0x0000000005662000-memory.dmp | family_redline
- behavioral1/files/0x0011000000023b29-2173.dat | family_redline
- behavioral1/memory/2456-2181-0x0000000000300000-0x000000000032E000-memory.dmp | family_redline
- behavioral1/files/0x0008000000023c60-2192.dat | family_redline
- behavioral1/memory/3168-2194-0x0000000000470000-0x00000000004A0000-memory.dmp | family_redline

Redline family
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  (process: p17872252.exe)
Executes dropped EXE  4 IoCs
- PID 1040: y73999876.exe
- PID 1392: p17872252.exe
- PID 2456: 1.exe
- PID 3168: r22239951.exe
Adds Run key to start application  2 TTPs  2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: 90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (process: y73999876.exe)
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash  1 IoCs
- PID 5052 (WerFault.exe) reported a crash of PID 1392  (procid_target 84)
System Location Discovery: System Language Discovery  1 TTPs  5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: p17872252.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: r22239951.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: y73999876.exe)
Suspicious use of AdjustPrivilegeToken  1 IoCs
- Token: SeDebugPrivilege  (PID 1392, p17872252.exe)
Suspicious use of WriteProcessMemory  12 IoCs
Four distinct writer/target pairs; the sandbox logs each one three times (12 rows):
- PID 396 wrote to memory of PID 1040  (90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe, procid_target 83)
- PID 1040 wrote to memory of PID 1392  (y73999876.exe, procid_target 84)
- PID 1392 wrote to memory of PID 2456  (p17872252.exe, procid_target 88)
- PID 1040 wrote to memory of PID 3168  (y73999876.exe, procid_target 92)
Processes

C:\Users\Admin\AppData\Local\Temp\90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe  (depth 1, PID 396)
  command line: "C:\Users\Admin\AppData\Local\Temp\90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73999876.exe  (depth 2, PID 1040)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73999876.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p17872252.exe  (depth 3, PID 1392)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p17872252.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\1.exe  (depth 4, PID 2456)
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe  (depth 4, PID 5052)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1516
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r22239951.exe  (depth 3, PID 3168)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r22239951.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe  (depth 1, PID 2100)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1392 -ip 1392
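The process tree and the WriteProcessMemory and Run-key rows above describe a two-stage self-extractor chain. The script below is an added example, not part of the sandbox output: it rebuilds the launcher chain from the writer/target PID pairs, counts how many extraction stages (IXPnnn.TMP directories) sit between the submitted file and each process whose memory matched family_redline, and parses the RunOnce data to recover the directories scheduled for deletion. All input dictionaries are constructed by hand from this report. The IXPnnn.TMP directory naming and the rundll32 advpack.dll,DelNodeRunDLL32 RunOnce entry are the standard unpack and cleanup behaviour of IExpress/WEXTRACT packages, so the "Adds Run key" hit is the wrapper tidying up after itself, not persistence for the stealer; the stage-two payload 1.exe lives in C:\Windows\Temp and is not covered by either cleanup entry.

```python
"""Rebuild the dropper chain from this report's flattened rows.

Added example, not part of the sandbox output. The data below is
constructed by hand from the Processes, WriteProcessMemory and
Adds Run key sections of the report.
"""
import re

# Constructed from the "Processes" tree: PID -> image path.
PROCESSES = {
    396: r"C:\Users\Admin\AppData\Local\Temp\90872d8edb91bed21409768b92622659af956ec1626de69dd22f56948a3cb1d8.exe",
    1040: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73999876.exe",
    1392: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p17872252.exe",
    2456: r"C:\Windows\Temp\1.exe",
    3168: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r22239951.exe",
    5052: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Constructed from the "Suspicious use of WriteProcessMemory" rows as
# (writer PID, target PID). The sandbox logs each write three times.
WRITE_EVENTS = [
    (396, 1040), (396, 1040), (396, 1040),
    (1040, 1392), (1040, 1392), (1040, 1392),
    (1392, 2456), (1392, 2456), (1392, 2456),
    (1040, 3168), (1040, 3168), (1040, 3168),
]

# Constructed from the "Adds Run key" rows: RunOnce value name -> value data.
RUNONCE_VALUES = {
    "wextract_cleanup0": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    "wextract_cleanup1": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
}

# IExpress/WEXTRACT self-extractors unpack into %TEMP%\IXPnnn.TMP ...
IXP_DIR = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)
# ... and register this RunOnce command so advpack.dll deletes the
# directory at the next logon.
CLEANUP_CMD = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"\s*$',
    re.IGNORECASE,
)


def parent_map(write_events):
    """Treat the first process that writes into a PID as that PID's launcher."""
    parents = {}
    for writer, target in write_events:
        parents.setdefault(target, writer)
    return parents


def ancestry(pid, parents):
    """PIDs from the submitted sample down to `pid`, inclusive."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def iexpress_depth(pid, parents, processes=PROCESSES):
    """Number of distinct IXPnnn.TMP extraction stages on the path to `pid`."""
    stages = set()
    for p in ancestry(pid, parents):
        m = IXP_DIR.search(processes[p])
        if m:
            stages.add(m.group(1).upper())
    return len(stages)


def cleanup_targets(values):
    """Directories the RunOnce entries will wipe, i.e. where stages were unpacked."""
    targets = []
    for data in values.values():
        m = CLEANUP_CMD.match(data)
        if m:
            targets.append(m.group(1))
    return targets


def summarize(payload_pids, processes=PROCESSES, write_events=WRITE_EVENTS):
    """Per payload PID: the image chain that led to it and its extraction depth."""
    parents = parent_map(write_events)
    return {
        pid: {
            "chain": [processes[p] for p in ancestry(pid, parents)],
            "ixp_depth": iexpress_depth(pid, parents, processes),
        }
        for pid in payload_pids
    }


if __name__ == "__main__":
    # PIDs whose memory matched family_redline in the report.
    for pid, info in summarize([1392, 2456, 3168]).items():
        print(pid, "depth", info["ixp_depth"], " -> ".join(info["chain"]))
    print("cleanup:", cleanup_targets(RUNONCE_VALUES))
```

Feeding it the report's rows gives depth 2 for all three RedLine processes, and the cleanup list contains only the two IXP directories, which is why the RunOnce entries should be read as evidence of the packaging rather than as the stealer's own persistence.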
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 569KB
MD5: dd7dda6bd873901e00dfe6ae8151ef0f
SHA1: 12f978f634100d980079b579dc02a2a96aa414a0
SHA256: 845da4268a031680045da1d2794f7c4137115ae083c7c845d736016f7a23c99f
SHA512: bec399f3e3a026b3186fffe2a0f64d7d7f2b50eca98e0a2a5cb462aa509c42f8ffff4ddcefd7f72fbfc2e36955da29ce382a334b82822e58269a6b0b8274cdbb

Filesize: 479KB
MD5: dc00ac100daac67dff8c9afdedfb6142
SHA1: 6d227f95ce30f092a62fdf5f21b56b48a3144bfc
SHA256: 8b8cc27082601721df24870936d0174e2f449747a4b726f78c90028a1f483257
SHA512: 6011e8669c92872bf6c79421eac93d1fcc6f67a233f091a02913d6f4aa836c40a4fae6fe3b266b649b2a46c569129c6be8e6427f95601f5929ac6b822de292ec

Filesize: 169KB
MD5: cf7642652cd42e7ade090267ccfcab81
SHA1: 0fafcf59267a58be6346fdc0558cd55aaf2a7e4a
SHA256: 735a1759b8b1aac892100f2495ace68dc4ce3ae1bf38ef75d74d9d30d8653eda
SHA512: 08c9b95650b223e1258258f7a06a1b15c391d03db40fe395d39938e0484a943d9cb6b8de8b41c37afb69c92c3795ef0117999b03109a1b93cc219f535b908ff3

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf