Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 07:19
Static task
static1
Behavioral task
behavioral1
Sample
1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe
Resource
win10v2004-20241007-en
General
-
Target
1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe
-
Size
474KB
-
MD5
3499ef398a88c7b9e25b72b77e374c7c
-
SHA1
d93a7b2d958523b6c39c4d041a34f85cefceb9e7
-
SHA256
1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29
-
SHA512
be789556b5f5ba1383ca0afd0773548c95ceb270f51de9c7bfd68556e5701b8efbd51a583c7ed7573f0c33aecffa5227e960a9a8b1c37fc043b04c16e13c15b4
-
SSDEEP
6144:KQy+bnr+5p0yN90QEkk4iZCEtUzJGOLVfoGbfQ5Cm35LHSyOOWMyEa7n:QMrJy90uk4LuUzzVfRfQwm31pXyt
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0010000000023aa7-12.dat family_redline behavioral1/memory/4672-15-0x0000000000F20000-0x0000000000F52000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nSI73.exebWA65.exepid Process 1124 nSI73.exe 4672 bWA65.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
nSI73.exe1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nSI73.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exenSI73.exebWA65.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nSI73.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bWA65.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exenSI73.exedescription pid Process procid_target PID 2456 wrote to memory of 1124 2456 1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe 84 PID 2456 wrote to memory of 1124 2456 1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe 84 PID 2456 wrote to memory of 1124 2456 1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe 84 PID 1124 wrote to memory of 4672 1124 nSI73.exe 85 PID 1124 wrote to memory of 4672 1124 nSI73.exe 85 PID 1124 wrote to memory of 4672 1124 nSI73.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe"C:\Users\Admin\AppData\Local\Temp\1811ec9fb6c7ff8d6e523e4b4ac820f72a9ce8fdda97e36434b3a84c2259ba29.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nSI73.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nSI73.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bWA65.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bWA65.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4672
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5370f04af9c734d5af5038cab0cb9329d
SHA1a129b9e8ff9fd039b4dd5572226c2743c8e81a16
SHA256604021846348b224d19fecd5ba6393066c5151a1b2fe6caac1f430ca15edb0a5
SHA5126b0e274ba10f18716edc985a20791c0b5ae9364bfecc9036aba7fc38ce661084f96cc96d0687940d98f5cb99b41d2bfcf4a499928288f876486f9af9a28af290
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec