Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:30
Static task: static1
Behavioral task: behavioral1
Sample: da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe
Resource: win10v2004-20241007-en
General
Target: da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe
Size: 1.5MB
MD5: c6b39fec6a4b8e952d29738a5044a75e
SHA1: c3ffe0070fba608796cecfa2c1c8152abf0d6777
SHA256: da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b
SHA512: b7065e705d9688c179c65a50df47710e51f5e53b440a08cff564bfce7451eebca882165f4a98f23d9fbe89b30b0a25bde8dabf0b51f4a9adf2bf8c0d53e72971
SSDEEP: 24576:Gy/5rx7DDKL7GwEfeNwYlgqUbVKtd+4WGBucfWOwsFQ45XUsNNV0XELjsqTo:VfDxwEGLlg38td+41/6sFQ4NNVNf3T
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b9f-33.dat | family_redline
behavioral1/memory/220-35-0x0000000000A50000-0x0000000000A80000-memory.dmp | family_redline

Redline family

Executes dropped EXE (5 IoCs)
pid | Process
2208 | i13015130.exe
592 | i89335978.exe
320 | i71644065.exe
3008 | i89623002.exe
220 | a70175154.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i89335978.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i71644065.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i89623002.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i13015130.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i89623002.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a70175154.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i13015130.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i89335978.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i71644065.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 4368 wrote to memory of 2208 | 4368 | da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | 83
PID 4368 wrote to memory of 2208 | 4368 | da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | 83
PID 4368 wrote to memory of 2208 | 4368 | da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe | 83
PID 2208 wrote to memory of 592 | 2208 | i13015130.exe | 84
PID 2208 wrote to memory of 592 | 2208 | i13015130.exe | 84
PID 2208 wrote to memory of 592 | 2208 | i13015130.exe | 84
PID 592 wrote to memory of 320 | 592 | i89335978.exe | 85
PID 592 wrote to memory of 320 | 592 | i89335978.exe | 85
PID 592 wrote to memory of 320 | 592 | i89335978.exe | 85
PID 320 wrote to memory of 3008 | 320 | i71644065.exe | 86
PID 320 wrote to memory of 3008 | 320 | i71644065.exe | 86
PID 320 wrote to memory of 3008 | 320 | i71644065.exe | 86
PID 3008 wrote to memory of 220 | 3008 | i89623002.exe | 88
PID 3008 wrote to memory of 220 | 3008 | i89623002.exe | 88
PID 3008 wrote to memory of 220 | 3008 | i89623002.exe | 88
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\da706d3d027ef63aaf24b70f5c2f8e8bb795a40baaa4a7ce692aed3a7a60169b.exe"
PID: 4368
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13015130.exe
  PID: 2208
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i89335978.exe
    PID: 592
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i71644065.exe
      PID: 320
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        Depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89623002.exe
        PID: 3008
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

          Depth 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70175154.exe
          PID: 220
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: d204859ccc2d8cd642a6a4ea6c931e38
SHA1: af57f700d7ba5ea5136a709caf69e17671f56445
SHA256: 08ca7369ce6e720df3fba908e915a1e42acdac678542ed32bf6149df9218dd58
SHA512: 265e4e199bf5975b1b0bcd155c70123c2864a55e421aa467b737f47305d9ebcc62bb7f6a35021725e03753619a0a612dd3bedfcc70bd08e2c8328435d7077c44

Filesize: 1022KB
MD5: 2fe3fcf52c956c689c47500ff7e415e1
SHA1: 220d98108f3de803c2a93816f7deb2541ebffd80
SHA256: 2e60b6c23fbb8f5e047217391abfad6f7f55f02fb13901718c36c02da71a3cc8
SHA512: cd8da39b030b0e78e5e51dd9fe7ce7222fae0a8867e4c3cd8f986cd3d8fca72ed278bbbc4e333192a3f9611c9225d32daeccc78e6fc41d0e0fa4a9bb3dea1e9e

Filesize: 851KB
MD5: e458082da7cc4f5dd3579ea94b81c071
SHA1: 27d1eb84fd0e40e1929bc863916f3e729589ede9
SHA256: a5b8cb12a49febceb29ffe1c5c0cbc5649c90f379c53cd5ec6c7b2c2d66a1c32
SHA512: 1e36cdb30a8fa6950e1326d4052f873a9c7f1089a54ec3aa30c1a6faa2e437111efcbc63ce5ad4f62a1590c442425a4e7288cc79f9d5ff20cf2629ce1b349198

Filesize: 374KB
MD5: 69aeb4273a7286acb0d16733ef666fc3
SHA1: c2c82c3b557a2bf7d9efe4c8505d2b64ec57facd
SHA256: 0055f0d686cb0886a5251a468fb710f26c2cb0bcb0d5ee9585a3f2451d25fe06
SHA512: fd8ea7f738e438bd44000b6a118e4737b9a5d3599496897685bc1e35376f89f708e99f79943a1dfd1f122279ac096737e67c673f9cf3d83a6778225657f7eecc

Filesize: 169KB
MD5: 5773a53d294a14d3ff6774e36b97aec1
SHA1: f14e74f98201241fc5bc112c46d22a38fc2b8d6e
SHA256: b2a4b49950ddcb5ada42f12b5e3f669ea936dd8f2f056d83d71327b774d4e8c1
SHA512: 11f1d9e885bd8ae28ab8dfff97320d582f522d79c298cf31cc2d946f9543bfc78d88bee51cbdf31235f7105023bfdd75564611a4eabf64f1d10319d60b73d1b3