Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64
arch:x86
image:win10v2004-20241007-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
10-11-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe
Resource
win10v2004-20241007-en
General
-
Target
31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe
-
Size
1.5MB
-
MD5
7081b40438b5172369c53a7558bed0ed
-
SHA1
cf2576f9cbf401932fa6c65e9e481d5109676ba1
-
SHA256
31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3
-
SHA512
cc17d65f7478afdbf4fb797f91ed097714333afa897dc4a5ae7fd5ce927675123c1a075cc359614745680c85e96824e4d4b1d1a6dc3571e5e4bd5fcf3505f815
-
SSDEEP
24576:eyFuqFfIaRgZmmmhkcHpBmY7u/VF24Tzpwhii4vIGIwXDYEgQu+CWsAxd2Y3JZKG:tFuqFQ5ZMhNPmY7sH24TzpOiiqLIUgZT
Malware Config
Extracted
Family redline
Botnet most
C2 185.161.248.73:4164
-
auth_value 7da4dfa153f2919e617aa016f7c36008
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule
behavioral1/files/0x0008000000023c92-33.dat family_redline
behavioral1/memory/1164-35-0x00000000002D0000-0x0000000000300000-memory.dmp family_redline
-
Redline family
-
Executes dropped EXE 5 IoCs
Processes:
pid Process
1304 i01790874.exe
3680 i44804119.exe
3888 i07970134.exe
3836 i41843636.exe
1164 a97214348.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Each value below is a RunOnce entry named wextract_cleanup<N> whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXP00N.TMP>". That is the cleanup hook written by the Microsoft wextract (IExpress self-extractor) stub so its temporary extraction directory is deleted at the next logon; it does not start the stealer. Five such entries, one per IXP000..IXP004 directory and one per writing process, show the sample is five nested self-extracting layers around the final payload.
Processes:
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" i01790874.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" i44804119.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\" i07970134.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\" i41843636.exe
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Every stage, including the final payload, opens the same NLS\Language key; stealers of this family commonly use the result to skip hosts in certain locales, but the read alone is also made by plenty of legitimate software, so it is supporting evidence rather than a detection on its own.
Processes:
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i01790874.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i44804119.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i07970134.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i41843636.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a97214348.exe
-
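The two registry signatures above can be turned into a small triage check. The following is an added example, not code from the report or the sandbox: it replays the report's Run/RunOnce writes and NLS\Language reads as constructed event records, separates wextract_cleanup<N> hooks (and the IXP00N.TMP nesting depth they reveal) from genuine autostart entries, and counts language queries. The event tuple layout, the process name updater.exe and its Run value are assumptions made for the example; the report contains no such entry.

```python
import re

RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
ROOT = "31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe"
STAGES = [ROOT, "i01790874.exe", "i44804119.exe", "i07970134.exe", "i41843636.exe"]
PAYLOAD = "a97214348.exe"


def wextract_event(proc, n):
    """Build the RunOnce write for stage n in the form the report shows it."""
    tmp = rf"C:\Users\Admin\AppData\Local\Temp\IXP{n:03d}.TMP"
    data = rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "{tmp}\"'
    return ("SetValue", proc, RUNONCE_KEY, f"wextract_cleanup{n}", data)


# Constructed event list: (action, process, key, value_name, data), modelled on the
# report's registry IoCs. The last record (updater.exe) is an ASSUMED ordinary Run
# value that the report does NOT contain; it is here to show it is classified apart.
EVENTS = [wextract_event(p, i) for i, p in enumerate(STAGES)]
EVENTS += [("KeyOpen", p, NLS_KEY, None, None) for p in STAGES + [PAYLOAD]]
EVENTS.append(("SetValue", "updater.exe",
               r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
               "Updater", r"C:\Users\Admin\AppData\Roaming\updater.exe"))

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup(\d+)$", re.IGNORECASE)
WEXTRACT_DATA_RE = re.compile(
    r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*?IXP\d{3}\.TMP)\\?"', re.IGNORECASE)
NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)


def classify_registry_events(events):
    """Split Run/RunOnce writes into wextract cleanup hooks vs. real autostart entries,
    and collect the processes that read the system language key."""
    out = {"wextract_cleanup": [], "autostart": [], "language_queries": []}
    for action, proc, key, name, data in events:
        if action == "SetValue" and RUN_KEY_RE.search(key):
            m_name = WEXTRACT_NAME_RE.match(name or "")
            m_data = WEXTRACT_DATA_RE.search(data or "")
            if m_name and m_data:
                out["wextract_cleanup"].append(
                    {"process": proc, "index": int(m_name.group(1)), "temp_dir": m_data.group("dir")})
            else:
                out["autostart"].append({"process": proc, "value": name, "data": data})
        elif action == "KeyOpen" and NLS_LANGUAGE_RE.search(key):
            out["language_queries"].append(proc)
    out["wextract_cleanup"].sort(key=lambda f: f["index"])
    return out


def sfx_nesting_depth(findings):
    """Distinct IXP00N.TMP directories = number of wextract layers in the chain."""
    return len({f["temp_dir"].lower() for f in findings["wextract_cleanup"]})


def verdict(findings, min_depth=2):
    """Human-readable notes; nested SFX layers are reported as packaging, not persistence."""
    notes = []
    depth = sfx_nesting_depth(findings)
    if depth >= min_depth:
        notes.append(f"{depth} nested wextract/IExpress layers (cleanup hooks, not persistence)")
    for a in findings["autostart"]:
        notes.append(f"autostart value {a['value']!r} written by {a['process']}")
    if findings["language_queries"]:
        notes.append(f"system language queried by {len(set(findings['language_queries']))} processes")
    return notes


if __name__ == "__main__":
    for line in verdict(classify_registry_events(EVENTS)):
        print(line)
```

The useful threshold is the nesting depth: a single wextract_cleanup0 entry is what any IExpress installer leaves behind, while a chain of IXP000..IXP004 directories each written by the executable extracted from the previous one is the dropper structure this report shows.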
Suspicious use of WriteProcessMemory 15 IoCs
Every write goes from a stage to the child it has just started (three writes per launch, the same count on every edge); no process writes into a process it did not spawn, so this is the instrumentation's view of the launch chain rather than injection into a foreign process.
Processes:
description pid Process procid_target
PID 2064 wrote to memory of 1304 | 2064 | 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | 84
PID 2064 wrote to memory of 1304 | 2064 | 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | 84
PID 2064 wrote to memory of 1304 | 2064 | 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | 84
PID 1304 wrote to memory of 3680 | 1304 | i01790874.exe | 86
PID 1304 wrote to memory of 3680 | 1304 | i01790874.exe | 86
PID 1304 wrote to memory of 3680 | 1304 | i01790874.exe | 86
PID 3680 wrote to memory of 3888 | 3680 | i44804119.exe | 87
PID 3680 wrote to memory of 3888 | 3680 | i44804119.exe | 87
PID 3680 wrote to memory of 3888 | 3680 | i44804119.exe | 87
PID 3888 wrote to memory of 3836 | 3888 | i07970134.exe | 89
PID 3888 wrote to memory of 3836 | 3888 | i07970134.exe | 89
PID 3888 wrote to memory of 3836 | 3888 | i07970134.exe | 89
PID 3836 wrote to memory of 1164 | 3836 | i41843636.exe | 90
PID 3836 wrote to memory of 1164 | 3836 | i41843636.exe | 90
PID 3836 wrote to memory of 1164 | 3836 | i41843636.exe | 90
-
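Whether a WriteProcessMemory hit is a launch or an injection is decided by comparing it with the process tree. The following is an added example, not the sandbox's own logic: it parses the report's fifteen write rows (copied verbatim) plus one constructed row, collapses the repeats into writer/target edges, labels each edge by whether the writer is the target's parent, and checks that stage k of the chain runs from the IXP00(k-1).TMP directory that stage k-1 extracted. The target pid 4242 and its row are made up for contrast and are not in the report.

```python
import re
from collections import defaultdict

ROOT_EXE = "31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# pid -> (parent pid, image path), taken from the report's process tree.
PROCESSES = {
    2064: (None, TEMP + "\\" + ROOT_EXE),
    1304: (2064, TEMP + r"\IXP000.TMP\i01790874.exe"),
    3680: (1304, TEMP + r"\IXP001.TMP\i44804119.exe"),
    3888: (3680, TEMP + r"\IXP002.TMP\i07970134.exe"),
    3836: (3888, TEMP + r"\IXP003.TMP\i41843636.exe"),
    1164: (3836, TEMP + r"\IXP004.TMP\a97214348.exe"),
}

# Rows from the report's WriteProcessMemory table. The final row is CONSTRUCTED
# (pid 4242 does not exist in the report): a write into a process the writer did not
# start, i.e. what injection rather than a launch would look like.
WRITE_ROWS = f"""\
PID 2064 wrote to memory of 1304 2064 {ROOT_EXE} 84
PID 2064 wrote to memory of 1304 2064 {ROOT_EXE} 84
PID 2064 wrote to memory of 1304 2064 {ROOT_EXE} 84
PID 1304 wrote to memory of 3680 1304 i01790874.exe 86
PID 1304 wrote to memory of 3680 1304 i01790874.exe 86
PID 1304 wrote to memory of 3680 1304 i01790874.exe 86
PID 3680 wrote to memory of 3888 3680 i44804119.exe 87
PID 3680 wrote to memory of 3888 3680 i44804119.exe 87
PID 3680 wrote to memory of 3888 3680 i44804119.exe 87
PID 3888 wrote to memory of 3836 3888 i07970134.exe 89
PID 3888 wrote to memory of 3836 3888 i07970134.exe 89
PID 3888 wrote to memory of 3836 3888 i07970134.exe 89
PID 3836 wrote to memory of 1164 3836 i41843636.exe 90
PID 3836 wrote to memory of 1164 3836 i41843636.exe 90
PID 3836 wrote to memory of 1164 3836 i41843636.exe 90
PID 1164 wrote to memory of 4242 1164 a97214348.exe 95
"""

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$")


def parse_writes(text):
    """Collapse the repeated rows into (writer pid, target pid) -> number of writes."""
    edges = defaultdict(int)
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] += 1
    return dict(edges)


def classify_writes(edges, processes):
    """A write into a child the writer itself spawned is what a plain launch looks like in
    this instrumentation; a write into any other process is worth treating as injection."""
    rows = []
    for (src, dst), n in sorted(edges.items()):
        parent = processes.get(dst, (None, None))[0]
        kind = "launch" if parent == src else "cross-process write"
        rows.append((src, dst, n, kind))
    return rows


def dropper_chain(processes, root):
    """Follow the single parent->child chain from the root sample."""
    children = defaultdict(list)
    for pid, (ppid, _) in processes.items():
        if ppid is not None:
            children[ppid].append(pid)
    chain = [root]
    while children.get(chain[-1]):
        chain.append(children[chain[-1]][0])
    return chain


IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)


def check_stage_dirs(chain, processes):
    """Stage k (k >= 1) must run from IXP00(k-1).TMP, the directory stage k-1 extracted;
    the root (k == 0) must not live in any IXP directory. Returns offending pids."""
    bad = []
    for k, pid in enumerate(chain):
        m = IXP_RE.search(processes[pid][1])
        expected = None if k == 0 else k - 1
        got = int(m.group(1)) if m else None
        if got != expected:
            bad.append(pid)
    return bad


if __name__ == "__main__":
    edges = parse_writes(WRITE_ROWS)
    for src, dst, n, kind in classify_writes(edges, PROCESSES):
        print(f"{src} -> {dst}: {n} write(s), {kind}")
    chain = dropper_chain(PROCESSES, 2064)
    print("chain:", " -> ".join(str(p) for p in chain))
    print("stage/dir mismatches:", check_stage_dirs(chain, PROCESSES))
```

Run against the real rows only, every edge comes out as a launch and the stage/directory check is clean; the constructed 1164 -> 4242 row is the shape that should escalate, because the writer has no parent relationship to the target.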
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe
command line: "C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
-
depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
-
depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
-
depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888
-
depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836
-
depth 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.3MB
MD5 c1dbe2e17b308e340eb97be0acd63e31
SHA1 27fff37d305225b6f223a159539fdb0b07683fd6
SHA256 facc9886e9da60292840029fe64a63316f641150b34087c6dab789986f39be11
SHA512 4b282f1752dd53a993a31c4f89fcb0013e82a60dca82240710d7559dccec22f2de229352fd96b3e6740ba7bc3c99c5440813e785442fd125ee17584d61b35c67
-
Filesize 1023KB
MD5 9f720c820cbde535803ac8a97ec198e7
SHA1 788dea0d1242930186b177097e13a6ccb0964561
SHA256 f5e393b8586d4a379cb1735d76b095f9097fe736f4f1b767c57d76544cec7c02
SHA512 7b9d81f6a986e2c1414a5a284dc3a2d31a6402cc8b54fc30608f394966a9c4fcd77626b3c737512f74ef881c97df189e349bfcfe42d9cfe506178e053968fa55
-
Filesize 852KB
MD5 d89e9d86295c132759c0f2ed8e6a0669
SHA1 661bbe97b1530db24c1a66683fe9d8db25b632b9
SHA256 f8a667aad6aa692f46bf30c46b45f9fd80a0c4d23484635147f6080565e4d0f0
SHA512 387293a1b725a7d4601a438ec39b10ce0587f72c5626955806205345655bbed2ee6d99d30424b23a81a104e3d8ac8d56bae209c7094453bae0e32480ad0bbd29
-
Filesize 375KB
MD5 de83c3f0968b64ad6b5bd0128edc00a0
SHA1 1f6b5630821223ee437dc1998a5aa6b14d528ef2
SHA256 8a6861e73519e8f7a659bf5b02f5d35d1b4180aaf9debfc5870c8e99b5552536
SHA512 61d4f36e97882aafdf586a22161060a8dfb64942322273b2e01a65eab253cf9bf480237656fd84abb92cb950068b09e8884d9f4ef5e78691f03635caaa5124d6
-
Filesize 169KB
MD5 44d07a9d2e37f8eec8af6734583a9c3f
SHA1 d14f0a6620645f054d89861b54c4455651810871
SHA256 877d41b3912d640bb21c6228a9d788ba4a1e414e35ac091a872644680c3cac9d
SHA512 92d5d19d6cf9f219f48a3aec1a6aba4411b718cd6c802cabce3931495652cd0ada9afda4e76b360c0d2d3dedfc1defcf08b11302c1be1d9ac34c6f283f76ec5e
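Report exports like this one often flatten the hash list so that the label is fused to the digest (MD5c1dbe..., SHA127fff...), which makes copy-paste into a blocklist error-prone. The following is an added example, not tooling from the sandbox: it parses both the fused and the space-separated layout, uses digest length to validate each line, converts the sizes, checks that the five dropped files shrink monotonically (what five nested self-extracting layers would look like, without claiming which hash belongs to which stage), and emits a de-duplicated SHA256 list including the parent sample. The sixth entry in the constructed input (12KB, truncated SHA256) is made up to show the validation firing; the first five carry the report's own values.

```python
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Longest label first is the safe habit when labels share prefixes; the digest length
# check below is what actually guarantees the split is right.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$")

# Constructed input in the flattened export layout. Entries 1-5 are the report's
# values; entry 6 is MADE UP so the length check has something to reject.
DOWNLOADS = """\
-
Filesize
1.3MB
MD5c1dbe2e17b308e340eb97be0acd63e31
SHA127fff37d305225b6f223a159539fdb0b07683fd6
SHA256facc9886e9da60292840029fe64a63316f641150b34087c6dab789986f39be11
SHA5124b282f1752dd53a993a31c4f89fcb0013e82a60dca82240710d7559dccec22f2de229352fd96b3e6740ba7bc3c99c5440813e785442fd125ee17584d61b35c67
-
Filesize
1023KB
MD59f720c820cbde535803ac8a97ec198e7
SHA1788dea0d1242930186b177097e13a6ccb0964561
SHA256f5e393b8586d4a379cb1735d76b095f9097fe736f4f1b767c57d76544cec7c02
SHA5127b9d81f6a986e2c1414a5a284dc3a2d31a6402cc8b54fc30608f394966a9c4fcd77626b3c737512f74ef881c97df189e349bfcfe42d9cfe506178e053968fa55
-
Filesize
852KB
MD5d89e9d86295c132759c0f2ed8e6a0669
SHA1661bbe97b1530db24c1a66683fe9d8db25b632b9
SHA256f8a667aad6aa692f46bf30c46b45f9fd80a0c4d23484635147f6080565e4d0f0
SHA512387293a1b725a7d4601a438ec39b10ce0587f72c5626955806205345655bbed2ee6d99d30424b23a81a104e3d8ac8d56bae209c7094453bae0e32480ad0bbd29
-
Filesize
375KB
MD5de83c3f0968b64ad6b5bd0128edc00a0
SHA11f6b5630821223ee437dc1998a5aa6b14d528ef2
SHA2568a6861e73519e8f7a659bf5b02f5d35d1b4180aaf9debfc5870c8e99b5552536
SHA51261d4f36e97882aafdf586a22161060a8dfb64942322273b2e01a65eab253cf9bf480237656fd84abb92cb950068b09e8884d9f4ef5e78691f03635caaa5124d6
-
Filesize
169KB
MD544d07a9d2e37f8eec8af6734583a9c3f
SHA1d14f0a6620645f054d89861b54c4455651810871
SHA256877d41b3912d640bb21c6228a9d788ba4a1e414e35ac091a872644680c3cac9d
SHA51292d5d19d6cf9f219f48a3aec1a6aba4411b718cd6c802cabce3931495652cd0ada9afda4e76b360c0d2d3dedfc1defcf08b11302c1be1d9ac34c6f283f76ec5e
-
Filesize
12KB
MD5 00112233445566778899aabbccddeeff
SHA256 deadbeef
"""

PARENT_SHA256 = "31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3"


def parse_dropped_files(text):
    """Walk the 'Filesize / <size> / <algo><digest>...' blocks into dicts; digests of the
    wrong length are recorded under 'errors' instead of being accepted."""
    entries, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line == "Filesize":
            cur = {"size_bytes": None, "errors": []}
            entries.append(cur)
            m = SIZE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if m:
                cur["size_bytes"] = int(float(m.group(1)) * UNITS[m.group(2)])
            continue
        if cur is None:
            continue
        m = HASH_RE.match(line)
        if not m:
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            cur["errors"].append(f"{algo}: {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
        else:
            cur[algo.lower()] = digest
    return entries


def sizes_descending(entries):
    """True when each dropped file is no larger than the one before it."""
    sizes = [e["size_bytes"] for e in entries if e["size_bytes"] is not None]
    return all(a >= b for a, b in zip(sizes, sizes[1:]))


def sha256_blocklist(entries, parent_sha256):
    """Every validated SHA256 plus the parent sample, de-duplicated and sorted."""
    hashes = {parent_sha256.lower()}
    hashes.update(e["sha256"] for e in entries if "sha256" in e)
    return sorted(hashes)


if __name__ == "__main__":
    entries = parse_dropped_files(DOWNLOADS)
    for e in entries:
        print(e["size_bytes"], e.get("sha256", "<no valid sha256>"), e["errors"])
    print("sizes descending:", sizes_descending(entries))
    print(len(sha256_blocklist(entries, PARENT_SHA256)), "sha256 values for the blocklist")
```

Feeding a blocklist from a report is only as good as the parse; rejecting a digest of the wrong length is cheaper than discovering later that a fused label swallowed the first hex digit.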