Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 04:48
Static task
static1
Behavioral task
behavioral1
Sample
076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe
Resource
win10v2004-20241007-en
General
-
Target
076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe
-
Size
851KB
-
MD5
2e52c5c8004d8a93b10fd88dadf7ec6c
-
SHA1
c3350ceaa9ba06737c39b2b3403d6249737856af
-
SHA256
076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3
-
SHA512
3fade50f6e95088671bb7fe4b2ecdcbf5bde10d054c718351da792a036d6df2c2a42dd87f4a2cf557eed2e9b0177ae0f18112539d2a0e0f1863e34cf73bf57bb
-
SSDEEP
12288:Iy90vdSSaDfJn6kFgyx2BkRe5WCLaUsk4D/ab4Jefq+q52mYJOCdzwl6RB:IyGdiDHxkHsvSbdWYJOChB
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
dante
185.161.248.73:4164
-
auth_value
f4066af6b8a6f23125c8ee48288a3f90
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource                                                                        yara_rule
behavioral1/memory/836-2168-0x0000000005620000-0x0000000005652000-memory.dmp    family_redline
behavioral1/files/0x0002000000022ef8-2173.dat                                   family_redline
behavioral1/memory/6008-2181-0x00000000002C0000-0x00000000002EE000-memory.dmp   family_redline
behavioral1/files/0x000a000000023ba1-2193.dat                                   family_redline
behavioral1/memory/4940-2195-0x0000000000980000-0x00000000009B0000-memory.dmp   family_redline
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofencing check used to avoid running in unwanted regions.
description         ioc                                                                                                     Process
Key value queried   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation   p04971227.exe
-
Executes dropped EXE 4 IoCs
pid    Process
396    y10926140.exe
836    p04971227.exe
6008   1.exe
4940   r28471189.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description       ioc                                                                                                                                                                                                                    Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   y10926140.exe
Both values are the RunOnce entries that the Windows WEXTRACT (IExpress) self-extractor writes so that advpack.dll DelNodeRunDLL32 removes its temporary extraction directory (IXP000.TMP, IXP001.TMP) at the next logon. They show that the sample and y10926140.exe are nested self-extracting packages; they do not relaunch the payload and are not persistence for the stealer itself.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid    pid_target   Process        procid_target
2548   836          WerFault.exe   84
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Note that this key is opened by almost every process during locale initialisation, so on its own it is a weak signal.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   y10926140.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   p04971227.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   1.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   r28471189.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe
-
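The three registry signatures above (the Geo\Nation query, the RunOnce wextract_cleanup writes, and the NLS\Language opens) deserve very different weight in triage. The classifier below is an added example written for this page, not code from the sandbox or from any vendor. It parses the event strings exactly as the report prints them, labels the wextract_cleanup entries as self-extractor cleanup rather than persistence, extracts the temp directory each one deletes, and includes one constructed Run entry (process name hypothetical.exe, not in the report) to show what a genuine autorun write classifies as. The tag names and confidence labels are the editor's own assumptions.

```python
"""Triage the registry events from this report's signature tables.

Added example for this page, not code from the sandbox or any vendor. The
event strings are copied verbatim from the report; the classification rules
and confidence labels are the editor's own assumptions, and the last event is
constructed (process name hypothetical.exe) to show what a genuine autorun
write would classify as.
"""
import re
from dataclasses import dataclass

EVENTS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation p04971227.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y10926140.exe',
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language y10926140.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe",
    # Constructed, not in the report: what a real persistence write looks like.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" hypothetical.exe',
]


@dataclass
class Finding:
    tag: str         # classification label (editor's own vocabulary)
    process: str     # process that produced the event
    detail: str      # key path, or the directory scheduled for deletion
    confidence: str  # weight a triage analyst should give this single event


SET_VALUE = re.compile(r"^Set value \((\w+)\) (.+?) = (.*)$")
KEY_ACCESS = re.compile(r"^Key (opened|value queried) (.+)$")
DELNODE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "(.*)"$')


def unescape(raw: str) -> str:
    # Undo the report's C-style escaping (backslash-backslash, backslash-quote)
    # and strip the outer quotes around the value data.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    text = "".join(out)
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    return text


def classify(line: str) -> Finding:
    rest, _, process = line.rpartition(" ")  # the report prints the process name last
    m = SET_VALUE.match(rest)
    if m:
        _, key, raw = m.groups()
        data = unescape(raw)
        parent, _, name = key.rpartition("\\")
        # WEXTRACT (IExpress) self-extractors register RunOnce\wextract_cleanupN so that
        # advpack.dll deletes their IXPnnn.TMP directory at next logon: a packaging
        # artifact, not persistence for the payload.
        if parent.endswith(r"\CurrentVersion\RunOnce") and name.startswith("wextract_cleanup"):
            d = DELNODE.search(data)
            if d:
                return Finding("sfx_cleanup", process, d.group(1), "benign-pattern")
        if parent.endswith((r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")):
            return Finding("autorun_persistence", process, f"{name} = {data}", "high")
        return Finding("registry_write", process, key, "info")
    m = KEY_ACCESS.match(rest)
    if m:
        key = m.group(2)
        # The user's configured country: the usual input to a geofence, but also read by benign software.
        if key.endswith(r"\Control Panel\International\Geo\Nation"):
            return Finding("geofence_check", process, key, "medium")
        # Opened by almost every process during locale initialisation; weak on its own.
        if key.endswith(r"\Control\NLS\Language"):
            return Finding("language_discovery", process, key, "low")
        return Finding("registry_read", process, key, "info")
    raise ValueError(f"unrecognised event: {line}")


def sfx_stages(findings):
    """Temp directories scheduled for deletion, in report order: one per self-extractor layer."""
    return [f.detail for f in findings if f.tag == "sfx_cleanup"]


if __name__ == "__main__":
    for f in map(classify, EVENTS):
        print(f"{f.tag:<20} {f.confidence:<14} {f.process:<16} {f.detail}")
```

Run stand-alone it prints one classified row per event; the two sfx_cleanup rows together give the IXP000.TMP and IXP001.TMP directories, i.e. the two self-extractor layers that wrap the stealer.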
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   836   p04971227.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                         pid    Process                                                                  procid_target
PID 2752 wrote to memory of 396     2752   076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe   83
PID 2752 wrote to memory of 396     2752   076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe   83
PID 2752 wrote to memory of 396     2752   076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe   83
PID 396 wrote to memory of 836      396    y10926140.exe                                                            84
PID 396 wrote to memory of 836      396    y10926140.exe                                                            84
PID 396 wrote to memory of 836      396    y10926140.exe                                                            84
PID 836 wrote to memory of 6008     836    p04971227.exe                                                            89
PID 836 wrote to memory of 6008     836    p04971227.exe                                                            89
PID 836 wrote to memory of 6008     836    p04971227.exe                                                            89
PID 396 wrote to memory of 4940     396    y10926140.exe                                                            95
PID 396 wrote to memory of 4940     396    y10926140.exe                                                            95
PID 396 wrote to memory of 4940     396    y10926140.exe                                                            95
Processes
C:\Users\Admin\AppData\Local\Temp\076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10926140.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10926140.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:396
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p04971227.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p04971227.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:836
            C:\Windows\Temp\1.exe
              Command line: "C:\Windows\Temp\1.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID:6008
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 1384
              - Program crash
              PID:2548
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r28471189.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r28471189.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:4940
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 836 -ip 836
  PID:6104
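The process list above is the same chain that the WriteProcessMemory table describes from the writer's side. The script below is an added example written for this page, not sandbox or vendor code: it rebuilds the tree from the report's own event rows, collapses the triplicated entries, labels from each IXP00n.TMP path which self-extractor layer dropped the image, and attaches the crash of pid 836. Every WriteProcessMemory target in the table is the writer's own child in the tree, so the signature reflects ordinary process creation rather than injection into a process the sample did not start; reading it as the latter would be a mistake. The column order assumed by the regular expressions is the order the report prints.

```python
"""Rebuild the process chain from this report's flattened event tables.

Added example for this page, not sandbox or vendor code. The event strings and
image paths are copied from the report; the parsing and the SFX-stage labelling
are the editor's own and assume the report's column order.
"""
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows:
# PID <writer> wrote to memory of <target> <writer> <writer image> <target procid>
WPM_EVENTS = [
    "PID 2752 wrote to memory of 396 2752 076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe 83",
    "PID 2752 wrote to memory of 396 2752 076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe 83",
    "PID 2752 wrote to memory of 396 2752 076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe 83",
    "PID 396 wrote to memory of 836 396 y10926140.exe 84",
    "PID 396 wrote to memory of 836 396 y10926140.exe 84",
    "PID 396 wrote to memory of 836 396 y10926140.exe 84",
    "PID 836 wrote to memory of 6008 836 p04971227.exe 89",
    "PID 836 wrote to memory of 6008 836 p04971227.exe 89",
    "PID 836 wrote to memory of 6008 836 p04971227.exe 89",
    "PID 396 wrote to memory of 4940 396 y10926140.exe 95",
    "PID 396 wrote to memory of 4940 396 y10926140.exe 95",
    "PID 396 wrote to memory of 4940 396 y10926140.exe 95",
]

# "Processes" section: pid -> image path
IMAGES = {
    2752: r"C:\Users\Admin\AppData\Local\Temp\076a56a87db16b3a80c5d45f6615c9c0cf09cbaf8960dbc8b2231da7cf0517b3.exe",
    396: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10926140.exe",
    836: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p04971227.exe",
    6008: r"C:\Windows\Temp\1.exe",
    4940: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r28471189.exe",
}

# "Program crash" rows: <WerFault pid> <crashed pid> WerFault.exe <procid_target>
CRASH_EVENTS = ["2548 836 WerFault.exe 84"]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
CRASH_RE = re.compile(r"^(\d+) (\d+) WerFault\.exe \d+$")
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\")


def parent_edges(events):
    """Unique (writer, target) pairs in first-seen order. The report lists each pair
    three times; that is what process creation looks like here, not injection."""
    seen, edges = set(), []
    for e in events:
        m = WPM_RE.match(e)
        if not m:
            raise ValueError(f"unexpected event format: {e}")
        pair = (int(m.group(1)), int(m.group(2)))
        if pair not in seen:
            seen.add(pair)
            edges.append(pair)
    return edges


def build_tree(edges):
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return children


def root_pids(edges):
    """Writers that are never themselves a target: the top of the chain."""
    targets = {c for _, c in edges}
    return list(dict.fromkeys(p for p, _ in edges if p not in targets))


def sfx_stage(path):
    """Index n if the image sits in IXP00n.TMP, i.e. was unpacked by the n-th nested
    WEXTRACT self-extractor (the one that wrote RunOnce\\wextract_cleanupN)."""
    m = IXP_RE.search(path)
    return int(m.group(1)) if m else None


def crashes(events):
    """Map crashed pid -> WerFault pid."""
    out = {}
    for e in events:
        m = CRASH_RE.match(e)
        if m:
            out[int(m.group(2))] = int(m.group(1))
    return out


def render(children, images, crashed, pid, depth=0, out=None):
    """Indented tree lines, one per process, annotated with SFX stage and crash info."""
    out = [] if out is None else out
    path = images.get(pid, "")
    name = path.rsplit("\\", 1)[-1] or f"pid {pid}"
    notes = []
    stage = sfx_stage(path)
    if stage is not None:
        notes.append(f"dropped by SFX stage {stage} into IXP{stage:03d}.TMP")
    if pid in crashed:
        notes.append(f"crashed, WerFault pid {crashed[pid]}")
    line = "  " * depth + f"{pid} {name}"
    if notes:
        line += "  [" + "; ".join(notes) + "]"
    out.append(line)
    for child in children.get(pid, []):
        render(children, images, crashed, child, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parent_edges(WPM_EVENTS)
    tree = build_tree(edges)
    for root in root_pids(edges):
        print("\n".join(render(tree, IMAGES, crashes(CRASH_EVENTS), root)))
```

The same parser works on any report in this layout; the SFX-stage note is only meaningful together with the wextract_cleanup RunOnce entries, which is what ties IXP000.TMP to the top-level sample and IXP001.TMP to y10926140.exe.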
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize   570KB
MD5        f24f8358250b3739153a41340862808a
SHA1       1b85fc3008699b15d31a338590d81f7c97bea539
SHA256     9114c9bc93675eb764ee191c9aa9f394dd2e6a9523ce7d214b433a69458e66fd
SHA512     47b1af3394687312d599426dca11a256299a9ca22811cee22c3c61f51a2c816b0c86c101fb820daae5617bd223c83db982ab118f4835c49c9ab4873b1d7d95c3

Filesize   479KB
MD5        feb849f859359cb9ab6dd4b8d37db3df
SHA1       8f72a9e410a7871482144e7840b7963711a19612
SHA256     ac6776aef0dddc96122a3dbbecb7a62e5353d06efb020f6d975303fc24c728fa
SHA512     e88b6821a6a64313e3ee4acab8af91e570cb8cbbb58b86d7787ad9f1112e0f81bcaeb42350b0f0469cc8680eacef4a082b2da1bc2cb1810fb5271ebb9a43cdc3

Filesize   169KB
MD5        e63c9f69f75f1acd1c285fd469717637
SHA1       45b4790161dc4a5b2ad1c77ea5cf8bbc589fb065
SHA256     51faadf6e1370c15a3e4ef04d1f6c59f91409dfcab1b7b62c528b1739eae2c1d
SHA512     230d0bf0c3baa3dad5f9a99ac64759c6de46f4e31db15142da9352df8d55d89f5a5157bd9b6e14caca889ef6b2f4ba797837ca8ab5efc6e5f9315a9b4fa3db12

Filesize   168KB
MD5        f16fb63d4e551d3808e8f01f2671b57e
SHA1       781153ad6235a1152da112de1fb39a6f2d063575
SHA256     8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512     fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf