Analysis
- max time kernel: 138s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:13

Static task: static1
Behavioral task: behavioral1
Sample: ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
Resource: win10v2004-20241007-en
General
- Target: ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
- Size: 793KB
- MD5: 11c58d1b16c53ea6b7efe8b55e57d8d5
- SHA1: 1ccdbc8b4d1829908d31e3d3aed6944d733f8e60
- SHA256: ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f
- SHA512: 6d5ea6294d1be4c0ba72c71e65d5c2ac08f9028bdf04ebb5d2377cecd3551658313b4e440280aeae988ceac0f297ae9db66a775a8b8c999d2377deae346a79f6
- SSDEEP: 24576:cyRCEORHaTx4NHRiECxwwEoe2ase3Ui+h1KWZ:LsH4yNxiEy3neGe3oh17
Malware Config
Extracted
- Family: redline
- Botnet: gena
- C2: 185.161.248.73:4164
- Attributes: auth_value = d05bf43eef533e262271449829751d07
Extracted
- Family: redline
- Botnet: dork
- C2: 185.161.248.73:4164
- Attributes: auth_value = e81be7d6cfb453cc812e1b4890eeadad
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/3620-2169-0x00000000059C0000-0x00000000059F2000-memory.dmp, family_redline
- behavioral1/files/0x000900000001e5c5-2174.dat, family_redline
- behavioral1/memory/6000-2182-0x0000000000390000-0x00000000003BE000-memory.dmp, family_redline
- behavioral1/files/0x0007000000023cb9-2195.dat, family_redline
- behavioral1/memory/4548-2196-0x0000000000310000-0x0000000000340000-memory.dmp, family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, Process):
- Key value queried, \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation, m59168454.exe

Executes dropped EXE (4 IoCs)
Processes (pid, Process):
- 3140, x19862815.exe
- 3620, m59168454.exe
- 6000, 1.exe
- 4548, n99963261.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, Process):
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"", x19862815.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes (pid, pid_target, Process, procid_target):
- 4384, 3620, WerFault.exe, 84
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, Process):
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, x19862815.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, m59168454.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 1.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, n99963261.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, Process):
- Token: SeDebugPrivilege, 3620, m59168454.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, Process, procid_target):
- PID 1344 wrote to memory of 3140, 1344, ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe, 83
- PID 1344 wrote to memory of 3140, 1344, ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe, 83
- PID 1344 wrote to memory of 3140, 1344, ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe, 83
- PID 3140 wrote to memory of 3620, 3140, x19862815.exe, 84
- PID 3140 wrote to memory of 3620, 3140, x19862815.exe, 84
- PID 3140 wrote to memory of 3620, 3140, x19862815.exe, 84
- PID 3620 wrote to memory of 6000, 3620, m59168454.exe, 91
- PID 3620 wrote to memory of 6000, 3620, m59168454.exe, 91
- PID 3620 wrote to memory of 6000, 3620, m59168454.exe, 91
- PID 3140 wrote to memory of 4548, 3140, x19862815.exe, 97
- PID 3140 wrote to memory of 4548, 3140, x19862815.exe, 97
- PID 3140 wrote to memory of 4548, 3140, x19862815.exe, 97
Processes
- C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe (PID 1344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe (PID 3140)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe (PID 3620)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe (PID 6000)
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 4384)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1372
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe (PID 4548)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 3556)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3620 -ip 3620
Network
MITRE ATT&CK Enterprise v15
Downloads