Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe
- Resource: win10v2004-20241007-en
General
- Target: e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe
- Size: 479KB
- MD5: e7965ca9055039b489ca71559dfd5c75
- SHA1: 3a8a6252acdb0502b36eead1a8566340d2926ce4
- SHA256: e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57
- SHA512: 589338123ae3aee89abce148d5e676b3f439e94ad853e166a0a201e8b9c8c70d7f292201fb4cae28699cec08eefea80ea21d23cb610b9fa294accc59cb54e9e7
- SSDEEP: 12288:9Mr8y90rbd6jBRLEQFt/OMFHq6ROwcu7llXbLW2KK+jhbio:NyWMj7NhXZcsllrK2ijdio
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral1/files/0x0008000000023cb2-12.dat, yara_rule: family_redline
  resource: behavioral1/memory/3652-15-0x0000000000B00000-0x0000000000B28000-memory.dmp, yara_rule: family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid 1716, Process x5797596.exe
  pid 3652, Process g6454532.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x5797596.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: g6454532.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: x5797596.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 5008 wrote to memory of 1716, pid 5008, Process e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe, procid_target 83
  description: PID 5008 wrote to memory of 1716, pid 5008, Process e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe, procid_target 83
  description: PID 5008 wrote to memory of 1716, pid 5008, Process e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe, procid_target 83
  description: PID 1716 wrote to memory of 3652, pid 1716, Process x5797596.exe, procid_target 84
  description: PID 1716 wrote to memory of 3652, pid 1716, Process x5797596.exe, procid_target 84
  description: PID 1716 wrote to memory of 3652, pid 1716, Process x5797596.exe, procid_target 84
Processes
- C:\Users\Admin\AppData\Local\Temp\e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e07c912b3c149c55e4ca5a78efab0851fa916104e7bde47c807c08e6f7f83a57.exe"
  PID: 5008
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5797596.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5797596.exe
    PID: 1716
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6454532.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6454532.exe
      PID: 3652
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 308KB
  MD5: 92e47edf941ebab740318596c78c9e15
  SHA1: a5e9c16a2c688ad5f67026d3c77202d10e09b5db
  SHA256: 9be039b190737a31b0d21b52c6c998c239882bc7de361207110b2cf74e68eadb
  SHA512: c9aea86504e029ac844d12fc28c76d947f658d3069f19ae445fe58b71ef2027979f7b4fcf3fa6d19400b2a99f31b7a8ccefdb4b89d04a8d3ea68bb595d4769e1
- Filesize: 136KB
  MD5: 3e9f6e9eba4aa15f0ae505ff43a7d6df
  SHA1: b3672d6fc06f39e34e343dc9ada0c87ccc8d39f7
  SHA256: 602d299e2468dffc678bc05b7c14125acdc29bd1326b831f6fe296ef2f9229b5
  SHA512: 3f349957f65befe80d80ee1b637ee34a6e25167e7a654c7d0154c77e35c97013c1abc78cee41cb5ecbbd077c04586fa59b2b935aceca04784fb59aeabe634d83