Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-11-2024 20:44
Static task: static1
Behavioral task: behavioral1
Sample: 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe
Resource: win10v2004-20241007-en
General
- Target: 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe
- Size: 851KB
- MD5: 97885e98bb6747d8658cdaf2f2884c78
- SHA1: 497588757eee774812a3fbb506a60d0354f3de72
- SHA256: 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22
- SHA512: 9642e5e5d63bf2ceba8d74a5af747704929c54249c44ef429a4e40ece20082d9cc4f66dcdaa49a366bf5f18702161e0a1e64d61bd22da39eb792d379c2bdbb01
- SSDEEP: 24576:wyeANZgOrDx9usSCbiTxnnb4EX372YCoqpp:3vTgOx9oVn8g7v6p
Malware Config
Extracted
- family: redline
- botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07
Extracted
- family: redline
- botnet: dante
- C2: 185.161.248.73:4164
- auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/3096-2168-0x0000000005620000-0x0000000005652000-memory.dmp / family_redline
  - behavioral1/files/0x0002000000022a9d-2173.dat / family_redline
  - behavioral1/memory/2840-2181-0x0000000000400000-0x000000000042E000-memory.dmp / family_redline
  - behavioral1/files/0x000a000000023b6c-2193.dat / family_redline
  - behavioral1/memory/1680-2195-0x0000000000460000-0x0000000000490000-memory.dmp / family_redline
- Redline family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried / \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation / p43538153.exe
- Executes dropped EXE (4 IoCs)
  pid / Process:
  - 1116 / y17423315.exe
  - 3096 / p43538153.exe
  - 2840 / 1.exe
  - 1680 / r75126246.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / y17423315.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid / pid_target / Process / procid_target:
  - 4336 / 3096 / WerFault.exe / 84
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / p43538153.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 1.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / r75126246.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / y17423315.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeDebugPrivilege / 3096 / p43538153.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 3712 wrote to memory of 1116 / 3712 / 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe / 83
  - PID 3712 wrote to memory of 1116 / 3712 / 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe / 83
  - PID 3712 wrote to memory of 1116 / 3712 / 5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe / 83
  - PID 1116 wrote to memory of 3096 / 1116 / y17423315.exe / 84
  - PID 1116 wrote to memory of 3096 / 1116 / y17423315.exe / 84
  - PID 1116 wrote to memory of 3096 / 1116 / y17423315.exe / 84
  - PID 3096 wrote to memory of 2840 / 3096 / p43538153.exe / 89
  - PID 3096 wrote to memory of 2840 / 3096 / p43538153.exe / 89
  - PID 3096 wrote to memory of 2840 / 3096 / p43538153.exe / 89
  - PID 1116 wrote to memory of 1680 / 1116 / y17423315.exe / 95
  - PID 1116 wrote to memory of 1680 / 1116 / y17423315.exe / 95
  - PID 1116 wrote to memory of 1680 / 1116 / y17423315.exe / 95
Processes
- C:\Users\Admin\AppData\Local\Temp\5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5013cfab75c8cfd986b3ab4de5c346c47f7d40736a6cd82943ec4cf5f8cdee22.exe"
  PID: 3712
  signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17423315.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y17423315.exe
    PID: 1116
    signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p43538153.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p43538153.exe
      PID: 3096
      signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        PID: 2840
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1376
        PID: 4336
        signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r75126246.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r75126246.exe
      PID: 1680
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3096 -ip 3096
  PID: 5468
Network
MITRE ATT&CK Enterprise v15
Downloads