Analysis
max time kernel: 138s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 18:19
Static task: static1
Behavioral task: behavioral1
Sample: 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe
Resource: win10v2004-20241007-en
General
Target: 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe
Size: 793KB
MD5: 14af28aa5ab1358410f9668e16a1cfa4
SHA1: a53e08f4af289fe1773f62e868f9fdf3029a5162
SHA256: 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c
SHA512: b030c32d6601cdb4bf0d6c60b34f8f8ef2cf7f481294fda654a6cb0c457186f73f8b1f3a6a18bee7836c6272ae22d3fd9f0982c2f53155c440675b379f1536c2
SSDEEP: 12288:Dy90wFIqxGZZO6Thf0RFfnnHfLhR5SwNqPdRonexceZ7YgcqjEFveZjZ/ge:DyZFbof+PntRpNqVRXmuFcoEEZt
Malware Config

Extracted
Family: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted
Family: redline
Botnet: dante
C2: 185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/4032-2169-0x0000000005A00000-0x0000000005A32000-memory.dmp | family_redline
behavioral1/files/0x0002000000022ab7-2174.dat | family_redline
behavioral1/memory/6012-2182-0x0000000000D80000-0x0000000000DAE000-memory.dmp | family_redline
behavioral1/files/0x000a000000023b8e-2194.dat | family_redline
behavioral1/memory/2076-2196-0x00000000003D0000-0x0000000000400000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | m02605417.exe
Executes dropped EXE (4 IoCs)
pid | Process
4400 | x02246121.exe
4032 | m02605417.exe
6012 | 1.exe
2076 | n64497447.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x02246121.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3076 | 4032 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x02246121.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | m02605417.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | n64497447.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4032 | m02605417.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3924 wrote to memory of 4400 | 3924 | 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe | 84
PID 3924 wrote to memory of 4400 | 3924 | 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe | 84
PID 3924 wrote to memory of 4400 | 3924 | 8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe | 84
PID 4400 wrote to memory of 4032 | 4400 | x02246121.exe | 86
PID 4400 wrote to memory of 4032 | 4400 | x02246121.exe | 86
PID 4400 wrote to memory of 4032 | 4400 | x02246121.exe | 86
PID 4032 wrote to memory of 6012 | 4032 | m02605417.exe | 91
PID 4032 wrote to memory of 6012 | 4032 | m02605417.exe | 91
PID 4032 wrote to memory of 6012 | 4032 | m02605417.exe | 91
PID 4400 wrote to memory of 2076 | 4400 | x02246121.exe | 97
PID 4400 wrote to memory of 2076 | 4400 | x02246121.exe | 97
PID 4400 wrote to memory of 2076 | 4400 | x02246121.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8340b85b87e24540355c0b78dc941fd8e8a3225f6e8136ec859bef8c038efb7c.exe"
  PID: 3924
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x02246121.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x02246121.exe
      PID: 4400
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m02605417.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m02605417.exe
          PID: 4032
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\Temp\1.exe
              Command line: "C:\Windows\Temp\1.exe"
              PID: 6012
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1368
              PID: 3076
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n64497447.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n64497447.exe
          PID: 2076
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4032 -ip 4032
  PID: 5048
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 589KB
MD5: 7cde15368f5d43b5169992e0e47fcea3
SHA1: 6dd772a28f37f3f1840a9242ad0b2cad0680a993
SHA256: edbe6baa11be32e3fda9340b01f5e23e8485e1f57687f07922fbec1d5199e4ad
SHA512: bb4a6e17c373bc145a0c2b8908f8213c722bde1ff0a4b03d679eb74bad52e93132e42a8205b2057d7cd69437b959ed932187275c2d0763b05fdebf01a3b1e6d4

Filesize: 530KB
MD5: 32f6380903f044ea4aaa87252842ab63
SHA1: 6625750ade2dad2b525cdfb1d3bd76b761924ac8
SHA256: 2f6dee5b6f2de6787b4f97449a5fece489be2c9def0b2151817eb946dd56c279
SHA512: b5311f5a2d4ddf5169d87c21d11c105e0ddb64c4c32a1917b9437267e37bd1b3c3bf0efd0ce5b2eb8cdad51da511b4faa358fc4db3be27d944931dc6e6dbe686

Filesize: 168KB
MD5: d4890dc7c6062c19d3834f32c1c84265
SHA1: 5c8fcab3d5d159004ff9b1ee4881f31368ddbf81
SHA256: 6d646fce43493b7495a6083781a7d290abf0e8a66e4ff9968157555f1f72c61e
SHA512: 52d4deec557aa0d10e37c2b10ed267c2e62a62de055b040eadc768d8381a66663c7b8fa0e58682c40e11d31db4e25c7e25c013b327c98b1ca9d19439a0eaca58

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf