Analysis

- max time kernel: 110s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:13

Static task: static1
Behavioral task: behavioral1
- Sample: cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe
- Resource: win10v2004-20241007-en
General

- Target: cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe
- Size: 577KB
- MD5: 3e561c2040dcae5eba631fe63eb60b30
- SHA1: 9cbbd9e4b074074e033be546439ae7fb0e3ae01c
- SHA256: cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109c
- SHA512: 99fc9ab4cc8e6a3b2c0bcd7a2bf5b660b9cf0609b29fadf9340487d53f9f2b71bce92c8750a3046d508fe5b94e5831e1c262c1c423e42f891a57db5285948604
- SSDEEP: 12288:Oy9037VAW0vyIq+UtA9z5LHRIgtDHHZgBzsbpSdXROrgo2HnyDiH3l:OyuSvyIuAp5LHRIgJHH2BoSJROcoMn31
Malware Config

Extracted (1)
- family: redline
- botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07

Extracted (2)
- family: redline
- botnet: dark
- C2: 185.161.248.73:4164
- auth_value: ae85b01f66afe8770afeed560513fc2d
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (5 IoCs)
  Processes (resource | yara_rule):
  - behavioral1/memory/4192-2162-0x0000000004ED0000-0x0000000004F02000-memory.dmp | family_redline
  - behavioral1/files/0x000b000000023b8f-2167.dat | family_redline
  - behavioral1/memory/4484-2176-0x0000000000470000-0x000000000049E000-memory.dmp | family_redline
  - behavioral1/files/0x000a000000023b92-2189.dat | family_redline
  - behavioral1/memory/5320-2191-0x0000000000180000-0x00000000001B0000-memory.dmp | family_redline

- Redline family

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | Process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | m33178016.exe

- Executes dropped EXE (3 IoCs)
  Processes (pid | Process):
  - 4192 | m33178016.exe
  - 4484 | 1.exe
  - 5320 | n93965724.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | Process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoCs)
  Processes (pid | pid_target | Process | procid_target):
  - 976 | 4192 | WerFault.exe | 83
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | m33178016.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | n93965724.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | Process):
  - Token: SeDebugPrivilege | 4192 | m33178016.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | Process | procid_target):
  - PID 1888 wrote to memory of 4192 | 1888 | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe | 83
  - PID 1888 wrote to memory of 4192 | 1888 | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe | 83
  - PID 1888 wrote to memory of 4192 | 1888 | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe | 83
  - PID 4192 wrote to memory of 4484 | 4192 | m33178016.exe | 87
  - PID 4192 wrote to memory of 4484 | 4192 | m33178016.exe | 87
  - PID 4192 wrote to memory of 4484 | 4192 | m33178016.exe | 87
  - PID 1888 wrote to memory of 5320 | 1888 | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe | 93
  - PID 1888 wrote to memory of 5320 | 1888 | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe | 93
  - PID 1888 wrote to memory of 5320 | 1888 | cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe | 93
Processes

- C:\Users\Admin\AppData\Local\Temp\cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfa85c9aec50350d95b8b5daa95b54d00c5c6636b1697fab614781432e43109cN.exe"
  Depth: 1, PID: 1888
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m33178016.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m33178016.exe
    Depth: 2, PID: 4192
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Temp\1.exe
      Command line: "C:\Windows\Temp\1.exe"
      Depth: 3, PID: 4484
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1384
      Depth: 3, PID: 976
      - Program crash

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n93965724.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n93965724.exe
    Depth: 2, PID: 5320
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4192 -ip 4192
  Depth: 1, PID: 3504
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 575KB
  MD5: 2c96d4d854acee0503cfc5f4759cebf5
  SHA1: 933991c7d06b62e0a716dc9a23ab0c94b09b3f59
  SHA256: 1beca08441d61c6c1afdc8d983d2bfc4f5fe913df3f3457d93d997b70ff0b489
  SHA512: 69199469727c4fc471d6b72856d2686e628015bc75e68064eabea07b99cf3e3fbe2ca86ee4b31066d1773a69654321c37688453977de3aac74e3b5b7ce1cfb7d

- Filesize: 172KB
  MD5: 34bc8de328c8b062661ae32d31054fa6
  SHA1: bdd92bb5496d9d8b118149b07be52e2582a3cbbb
  SHA256: 58c3bee46bd1a23ab699328fbb5aa682d883063c7327486e82e0b1b1a3285ef7
  SHA512: f799bd0f2b4dd32cb9874fdce5c562f3eee141f29e2948ef21eb0f67f5e2ae84c3a4d98e4b49d0deca1acdd0cea27ea18b08c08f7d05b02d09efcb9f3f9b67e8

- Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf