Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 06:18
Static task
static1
Behavioral task
behavioral1
Sample
84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe
Resource
win10v2004-20241007-en
General
-
Target
84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe
-
Size
474KB
-
MD5
27ca43b48e793625818a783582af3ea8
-
SHA1
6a3d070a90b56279ee35d85657421d255c5f2e89
-
SHA256
84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b
-
SHA512
daad4dd0674223db6b673047f4a1170170cf47843a74ad643b7363e16d0c3153daf423f65dfbdf51a282ce5e7ff6424cd59354864d551b7eb99571cc2ea0223d
-
SSDEEP
6144:KKy+bnr+Op0yN90QEKC6b3LJRDsoco0kAg3aivvXYMsGbehvbJ3ZOy22Q3GHdTg:GMray90wdb3tV0HgKivF/KbJ3ky2Sxg
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b6a-12.dat family_redline behavioral1/memory/3780-15-0x00000000005B0000-0x00000000005E2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nMk93.exebXX92.exepid Process 2848 nMk93.exe 3780 bXX92.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exenMk93.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nMk93.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exenMk93.exebXX92.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nMk93.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bXX92.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exenMk93.exedescription pid Process procid_target PID 4992 wrote to memory of 2848 4992 84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe 85 PID 4992 wrote to memory of 2848 4992 84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe 85 PID 4992 wrote to memory of 2848 4992 84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe 85 PID 2848 wrote to memory of 3780 2848 nMk93.exe 87 PID 2848 wrote to memory of 3780 2848 nMk93.exe 87 PID 2848 wrote to memory of 3780 2848 nMk93.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe"C:\Users\Admin\AppData\Local\Temp\84f20f80eb05a92d3c4dfa190d1c7577d52a2cb365511dfe2baf7556298a9b6b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nMk93.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nMk93.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bXX92.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bXX92.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3780
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5be1ccfe6183645e8651fe0e7e12e569b
SHA1c6c96f514ab83bde8a590f9c16109339a5426686
SHA256f820906998f80560022e35d07eb9ed7b8f0fd0ddb001d1c28ded671e03456122
SHA512647f7bf1795973dc7d566921f756149069e4085ce7c86f396cd680a8e0526f566e8f8d8693c64f6e296e364c2fada164df947b601411d419cf0c720e69aec281
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec