Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 19:18

Static task: static1
Behavioral task: behavioral1
Sample: 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe
Resource: win10v2004-20241007-en
General
Target: 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe
Size: 1.1MB
MD5: a0fc757b421f84fb0bcab3bdade00857
SHA1: b7db5ad3b9a0edabe221529cbb4b8955fc948f34
SHA256: 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417
SHA512: c652c18879cc53687f5b9ae46ba82952d5a668956edf8fe0eb9d23b9cd225c753b69fae9af6ada16a43e169c12942f09cc7b3f4d33f2a62f41c7e5343aca0f37
SSDEEP: 24576:YyPqa6bH16DoPpZY3rV1x/JWEfef3K0KjSLcNt:fPq916Dgpm/JWEf69KjS
Malware Config
Extracted
Family: redline
Botnet: muza
C2: 185.161.248.75:4132
auth_value: 99f39e1ac98e0c0a729ab27594e72bc3
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a6725587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a6725587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a6725587.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a6725587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a6725587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a6725587.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000c000000023acd-55.dat | family_redline
behavioral1/memory/536-56-0x0000000000570000-0x000000000059A000-memory.dmp | family_redline
Redline family

Executes dropped EXE 4 IoCs
pid | Process
4700 | v3571422.exe
4264 | v5777065.exe
1476 | a6725587.exe
536 | b0555378.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a6725587.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a6725587.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3571422.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5777065.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0555378.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v3571422.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v5777065.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6725587.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1476 | a6725587.exe
1476 | a6725587.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1476 | a6725587.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2520 wrote to memory of 4700 | 2520 | 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | 84
PID 2520 wrote to memory of 4700 | 2520 | 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | 84
PID 2520 wrote to memory of 4700 | 2520 | 09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe | 84
PID 4700 wrote to memory of 4264 | 4700 | v3571422.exe | 85
PID 4700 wrote to memory of 4264 | 4700 | v3571422.exe | 85
PID 4700 wrote to memory of 4264 | 4700 | v3571422.exe | 85
PID 4264 wrote to memory of 1476 | 4264 | v5777065.exe | 87
PID 4264 wrote to memory of 1476 | 4264 | v5777065.exe | 87
PID 4264 wrote to memory of 1476 | 4264 | v5777065.exe | 87
PID 4264 wrote to memory of 536 | 4264 | v5777065.exe | 99
PID 4264 wrote to memory of 536 | 4264 | v5777065.exe | 99
PID 4264 wrote to memory of 536 | 4264 | v5777065.exe | 99
Processes

C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09e8ffb2f1318e8ac8d4af88c773297a4a48678088cdd1d8dee2f05862c90417.exe"
  PID: 2520
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571422.exe
    PID: 4700
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5777065.exe
      PID: 4264
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6725587.exe
        PID: 1476
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0555378.exe
        PID: 536
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 750KB
MD5: 0e779946ef77a1d3780750706a47cf77
SHA1: 360b12f8421cfd4a52870421d1042d24d82cad24
SHA256: 4995b38a203abefa69ad4c7ff61247651b74049010128f0e07345a7d025a9861
SHA512: 3a65f0c8e6c581b8811509716a959089397badb6048bdd0d91db61b8ec73aa64704c28a9ec307a099421ded4a4e058674fcd25d2c4edac784c481c818c7075e8

Filesize: 305KB
MD5: 9463742fa3592a60dc9a34da6d187ad5
SHA1: a9ae15f432098b65c67e95362ff651c567e296be
SHA256: 80281ca13faefaa480c7084504bf24b888857fd46b0cbf123e35fb1199cb45db
SHA512: 21d3e653148499097e755cfdae8fce57904a0f02328a005eeda3cbe977821c88e76c6897c160307850ba853fcdf8fbab1a1dafabf2f5f9fcb9e51ec78d0239f8

Filesize: 185KB
MD5: 491f1f61aa027e4cbd3a4c768eafa7d1
SHA1: a4405e21b14e50e94430c2c3b30cd22c47a9f9f8
SHA256: a40b4bb316921cf8ad107871fcff524518c0040925afd6ee9e638f0232c18a55
SHA512: d87c7398fe703b7b628cf45060e9f830332a7e188f172e1c51f0e32342cd6ff318a0ab976ef8a828ee9fb26d81907963a53d3270d03174937daff2ace248ec05

Filesize: 145KB
MD5: 7d467150c58638fda1accd402ffc9db4
SHA1: 7b485acdbbe4ac9afd8dfcf27a4cfc07fa5d5539
SHA256: 87ff4718b356f6b9d7c4b26ffc3c92ed806e23203cc9b314797a9b97fb12d917
SHA512: 6f526880626c2725c1d59859fa39a914ae9826de4def771897b7dc839c13d97d4256f58b0da339adc27122b181bc76c4e5f68aa3809b7c9eaa094094b694fd3e