Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:09

Static task: static1
Behavioral task: behavioral1
Sample: 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe
Resource: win10v2004-20241007-en
General

Target: 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe
Size: 712KB
MD5: 2cf9032670f193d7ff08bfdcd8700485
SHA1: 93d6d68d4e6fb8e0e30c6116bd23cff208274955
SHA256: 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45
SHA512: 8bd878823f54e646eb479008c7eab835e77ef6bfb27a0f46932531a2ed6a4ccb1e9eb43e0b0623d7e61ab5496fbf3cb7feaca956fd0858af4f1ff579b4a98648
SSDEEP: 12288:CMrDy90drbyARFB1zts6QHQI7/pCLh/mA12Aqo2GL0tSwGRY7:ByOjg7wq+eA12G2GL+SwL7
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca8-12.dat | family_redline
behavioral1/memory/2356-15-0x00000000009E0000-0x0000000000A08000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
2464 | x2367255.exe
2356 | g5734452.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x2367255.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x2367255.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g5734452.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4292 wrote to memory of 2464 | 4292 | 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe | 83
PID 4292 wrote to memory of 2464 | 4292 | 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe | 83
PID 4292 wrote to memory of 2464 | 4292 | 85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe | 83
PID 2464 wrote to memory of 2356 | 2464 | x2367255.exe | 84
PID 2464 wrote to memory of 2356 | 2464 | x2367255.exe | 84
PID 2464 wrote to memory of 2356 | 2464 | x2367255.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe"
  PID: 4292
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2367255.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2367255.exe
    PID: 2464
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5734452.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5734452.exe
      PID: 2356
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
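The process tree and the two RunOnce entries above describe a nested wextract (IExpress-style self-extracting) wrapper: each layer unpacks into %TEMP%\IXPnnn.TMP, registers rundll32 advpack.dll,DelNodeRunDLL32 under RunOnce so that directory is deleted at the next logon, and launches the next stage from it. The value names increment per layer (wextract_cleanup0 written by the submitted sample, wextract_cleanup1 by x2367255.exe), and the memory region tagged family_redline belongs to PID 2356, g5734452.exe, the innermost stage. The following Python is an added example and not part of the sandbox report: it takes the registry and process rows above as hand-copied, constructed input, recovers the staging directory from each cleanup value, and checks that the process that wrote the RunOnce entry is the parent of the executable launched from that directory. The tuple layouts and function names are the example's own, not the sandbox's API.

```python
import ntpath
import re

# Constructed input, copied from the "Adds Run key to start application" rows:
# (action, key\value name, data, writing process).
REGISTRY_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "x2367255.exe"),
]

# Constructed input, copied from the process tree; parent PIDs come from the
# WriteProcessMemory rows (4292 -> 2464, 2464 -> 2356): (pid, parent pid, image).
PROCESSES = [
    (4292, None, r"C:\Users\Admin\AppData\Local\Temp\85668e50e43c6e8092232db81eb943a9e30f12eb540017a3283428949b164a45.exe"),
    (2464, 4292, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2367255.exe"),
    (2356, 2464, r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5734452.exe"),
]

# wextract/IExpress registers `rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\"`
# under RunOnce; the quoted directory is where the package unpacked itself.
CLEANUP_RE = re.compile(
    r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*?\\IXP\d{3}\.TMP)\\?"',
    re.IGNORECASE,
)


def wextract_cleanup_entries(events):
    """(writing process, RunOnce value name, staging directory) per cleanup entry."""
    found = []
    for _action, key, data, proc in events:
        if "\\currentversion\\runonce\\" not in key.lower():
            continue
        m = CLEANUP_RE.search(data)
        if m:
            found.append((proc, key.rsplit("\\", 1)[1], m.group("dir")))
    return found


def launched_from(staging_dir, processes):
    """(pid, image name, parent image name) for processes whose image sits in staging_dir."""
    by_pid = {pid: image for pid, _ppid, image in processes}
    out = []
    for pid, ppid, image in processes:
        if ntpath.dirname(image).lower() == staging_dir.lower():
            parent = ntpath.basename(by_pid[ppid]) if ppid in by_pid else None
            out.append((pid, ntpath.basename(image), parent))
    return out


def unpack_chain(events, processes):
    """One row per wextract layer: who registered the cleanup, where it unpacked,
    which dropped executable ran from there, and whether the writer is its parent."""
    rows = []
    for writer, value_name, staging in wextract_cleanup_entries(events):
        for pid, image, parent in launched_from(staging, processes):
            rows.append({
                "writer": writer,
                "value": value_name,
                "staging_dir": staging,
                "child": image,
                "child_pid": pid,
                "writer_is_parent": parent == writer,
            })
    return rows


if __name__ == "__main__":
    for r in unpack_chain(REGISTRY_EVENTS, PROCESSES):
        print(f"{r['value']}: {r['writer']} unpacked to {r['staging_dir']} "
              f"and ran {r['child']} (PID {r['child_pid']}, "
              f"parent link {'ok' if r['writer_is_parent'] else 'MISMATCH'})")
```

The wextract_cleanup RunOnce value is written by legitimate IExpress installers as well, so on its own it is a staging indicator rather than a verdict; what makes this chain worth alerting on is the two nested IXP directories ending in a process whose memory matched the family_redline rule.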
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 420KB
MD5: a019f7a0740d81ae700311ab5dd330b8
SHA1: 809c02787a407f512daf16e289e18885e4d17dda
SHA256: 36bda6715705061895b3cdf2b4168003f93d0c1492ad58449a2b5bb48217d322
SHA512: 3b32c8cfb7c03483d5ef8d4f16a127f76c422c7cd34bc2f504f84afc8161af2637553445044e4886e9f1519c52fa7c68652b2c4ccc5913e22271928aea6d0a21

Filesize: 136KB
MD5: 9c5958557ccffc32c7e2d7d8ad8e75a4
SHA1: d2345ed34d170c85447369c5cae4b2fd540004c8
SHA256: cdb1773d4e7c32072097566339d7edcd1416c3f3995a50972852b80ecee4dc5a
SHA512: 907a7ffbe3c8b71df130b38d9506765aa6d2bf897833f55534d4fadda32cec57c84297d946ad13c06636b6cbaa65aa9536c22e589e7cecb5a9147bf130839274