Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe
- Resource: win10v2004-20241007-en
General
- Target: 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe
- Size: 376KB
- MD5: 0e0a0c8cf35e2b306709246aaf10fd90
- SHA1: c3797c3c6f6dc4f879f06fbf6c7edd57c3545fe6
- SHA256: 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268
- SHA512: 60489480638273c8689eab1a2c8101ba19444bba5e187d80210214a64fa0aff801b4fad1850cae5d15f95af04bf3231e881c0e360239cdbccb24c1a525f9ec52
- SSDEEP: 6144:Kiy+bnr+wp0yN90QEdxb9RZL0aOkE/5eHFZOu39r7M0NjSW3+/L9S8Gtq7eVeQ:SMroy90jRZw0KYFZ/tnM6SWGhvGtyeVr
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral1/files/0x000b000000023b95-12.dat, yara_rule: family_redline
  resource: behavioral1/memory/3124-15-0x0000000000540000-0x0000000000568000-memory.dmp, yara_rule: family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid 4560, process x8374375.exe
  pid 3124, process g5614046.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" by x8374375.exe
  Note: wextract_cleanup RunOnce values that call advpack.dll,DelNodeRunDLL32 are the standard self-cleanup entries written by the Windows IExpress/wextract self-extractor; they delete the IXP00n.TMP extraction folder at next logon rather than relaunching the payload, so by themselves they indicate nested self-extracting packages, not persistence.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by x8374375.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by g5614046.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2284 (78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe) wrote to memory of PID 4560, procid_target 83 (reported 3 times)
  PID 4560 (x8374375.exe) wrote to memory of PID 3124, procid_target 84 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78372e7554a19746b1154f134ce7a4220fb6c4e3687c367e9f6996a65f9e3268.exe"
  PID: 2284
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8374375.exe
    PID: 4560
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5614046.exe
      PID: 3124
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204KB
  MD5: 8e53b584959d462596f7b84fe0eb278e
  SHA1: 82a6a915713cc2454aa94ed7f928180be8c93e84
  SHA256: 5cffef2d19eb07318f757c7851d9d2042b2ae54dae3af7f473ade5ac8b219e89
  SHA512: 22b89e77e14b57892ca088f2b27d94b590125c40ddbdc06a7274761e9d784784e7b6607054941320b71ebf78c2f55524b4f534ae059b9b9ef91ab43acdfafd18
- Filesize: 136KB
  MD5: fde49fb6777171e785d6aa949bc1d6d5
  SHA1: ebcdea07bf8d7b9ae907f669ab87fce2a50f3fb5
  SHA256: 3d4c859dbca7bec82f0466ab4a72b106a5dc7f661f55a92d408bae6ad5f38206
  SHA512: a8d431ea1b0137e3aa8981aeafbd666a77e2f5004da5f3210d0790c4d8151face8be58ed5add0b86f4529da3a446eafd99903010e15de9a734fa31f752482e20