Analysis
max time kernel: 135s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 06:49
Static task: static1
Behavioral task: behavioral1
Sample: 99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe
Resource: win10v2004-20241007-en
General
Target: 99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe
Size: 774KB
MD5: 7ec9e6399a569132b46282467cd99a2b
SHA1: 3713dec619ae8935a7d1b3d23d6292093997b2bf
SHA256: 99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa
SHA512: 621b571ef52057cc80702e2d76e5e2f43c58bfa2d20f2785f60b16569e265e14f7fad04983359dbdb9eb7d4df08853a03fe891f82688b2814410a1a2ee807ebf
SSDEEP: 12288:Ty90/vqnHCxxWAEOqy7fy7JWmP4SvAAG/12ao4I7Kvh0+7NYhvh+BX488:TyGvVr2y7a7JWpSoAN0hD7gSX4V
Malware Config
Extracted (family: redline)
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07
Extracted (family: redline)
  Botnet: dante
  C2: 185.161.248.73:4164
  auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/2036-2169-0x0000000005620000-0x0000000005652000-memory.dmp  family_redline
  behavioral1/files/0x0002000000022b11-2174.dat                                   family_redline
  behavioral1/memory/1956-2182-0x0000000000680000-0x00000000006AE000-memory.dmp  family_redline
  behavioral1/files/0x0007000000023cc2-2189.dat                                   family_redline
  behavioral1/memory/1604-2191-0x00000000007E0000-0x0000000000810000-memory.dmp  family_redline
Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  m36664858.exe
Executes dropped EXE (4 IoCs)
  pid   Process
  3408  x20627855.exe
  2036  m36664858.exe
  1956  1.exe
  1604  n82579015.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: 99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: x20627855.exe)
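The two RunOnce values above are the cleanup hook written by wextract.exe, the Win32 cabinet self-extractor behind IExpress packages: wextract_cleanup<N> points advpack.dll's DelNodeRunDLL32 at the IXP<NNN>.TMP directory the package was unpacked into, so that directory is deleted the next time RunOnce fires. Since x20627855.exe itself runs from IXP000.TMP and writes wextract_cleanup1, this sample is one self-extractor wrapped inside another. The Python below is an added example, not code from the Triage report: it parses the two IoCs (with the report's JSON-style escaping undone; the full path of each setting process is taken from the Processes tree) and works out that nesting depth. The regexes, the layer model and the output format are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Registry IoCs copied from this report's "Adds Run key to start application"
# signature, with the report's JSON-style escaping undone (one backslash per
# separator). Each tuple: (value path, string data, full path of the process
# that set it). The setter paths are taken from the report's process tree.
RUNONCE_IOCS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x20627855.exe"),
]

# wextract.exe names its cleanup value wextract_cleanup<N> and points
# advpack.dll,DelNodeRunDLL32 at the IXP<NNN>.TMP directory it extracted into.
# Both patterns below are this example's own fingerprint of that behaviour.
VALUE_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
DATA_RE = re.compile(r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+?)\\?"$', re.IGNORECASE)


def parse_cleanup_entry(value_path, data, setter):
    """Return (index, extracted dir, setter path) for a wextract cleanup entry, else None."""
    vm = VALUE_RE.search(value_path)
    dm = DATA_RE.match(data)
    if not (vm and dm):
        return None
    return int(vm[1]), PureWindowsPath(dm[1]), PureWindowsPath(setter)


def wextract_layers(iocs):
    """Order wextract cleanup entries into extraction layers.

    depth 0 is a self-extractor run from outside any IXP directory; depth n+1 is
    one whose setting process was itself unpacked into the directory of a depth-n
    entry. Any depth above 0 means a self-extractor nested inside another."""
    entries = [e for e in (parse_cleanup_entry(*ioc) for ioc in iocs) if e]
    setter_by_dir = {tmpdir: setter for _, tmpdir, setter in entries}
    layers = []
    for index, tmpdir, setter in sorted(entries, key=lambda e: e[0]):
        depth, cur, seen = 0, setter.parent, set()
        # climb: which earlier layer extracted the directory this setter runs from?
        while cur in setter_by_dir and cur not in seen:
            seen.add(cur)
            depth += 1
            cur = setter_by_dir[cur].parent
        layers.append({"index": index, "tmpdir": str(tmpdir), "setter": setter.name, "depth": depth})
    return layers


if __name__ == "__main__":
    for layer in wextract_layers(RUNONCE_IOCS):
        print(f"depth {layer['depth']}: {layer['setter']} unpacked to {layer['tmpdir']} "
              f"(wextract_cleanup{layer['index']})")
```

Legitimate IExpress installers write the same value, so the key on its own is not an indicator; the signal in this report is that it is written twice, from two nested IXP directories, and that the inner archive goes on to launch the RedLine stages.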
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  n82579015.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x20627855.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  m36664858.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2036  m36664858.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 3088 wrote to memory of 3408  3088  99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe  83
  PID 3088 wrote to memory of 3408  3088  99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe  83
  PID 3088 wrote to memory of 3408  3088  99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe  83
  PID 3408 wrote to memory of 2036  3408  x20627855.exe                                                           84
  PID 3408 wrote to memory of 2036  3408  x20627855.exe                                                           84
  PID 3408 wrote to memory of 2036  3408  x20627855.exe                                                           84
  PID 2036 wrote to memory of 1956  2036  m36664858.exe                                                           88
  PID 2036 wrote to memory of 1956  2036  m36664858.exe                                                           88
  PID 2036 wrote to memory of 1956  2036  m36664858.exe                                                           88
  PID 3408 wrote to memory of 1604  3408  x20627855.exe                                                           89
  PID 3408 wrote to memory of 1604  3408  x20627855.exe                                                           89
  PID 3408 wrote to memory of 1604  3408  x20627855.exe                                                           89
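The "Executes dropped EXE", "Suspicious use of WriteProcessMemory" and "RedLine payload" tables above carry enough to rebuild the process tree shown under Processes and to mark where the RedLine payload was found: each WriteProcessMemory row is a parent writing into a child it created, and each memory.dmp hit names the pid and the region that matched family_redline. The Python below is an added example, not code from the Triage report; it takes the rows as they appear on this page (constructed inline, with the report's threefold repetition of each WriteProcessMemory row reproduced) and renders the tree with every dropped executable and every in-memory RedLine region attached to its pid. The tag format and function names are this example's own.

```python
import re
from collections import defaultdict

# Rows copied from this report's signature tables. The report prints each
# WriteProcessMemory row three times; the distinct rows are listed once and
# tripled below so the parser sees the same repetition.
WPM_ROWS = [
    "PID 3088 wrote to memory of 3408 3088 99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe 83",
    "PID 3408 wrote to memory of 2036 3408 x20627855.exe 84",
    "PID 2036 wrote to memory of 1956 2036 m36664858.exe 88",
    "PID 3408 wrote to memory of 1604 3408 x20627855.exe 89",
]
WRITE_PROCESS_MEMORY = [row for row in WPM_ROWS for _ in range(3)]

# "Executes dropped EXE": pid -> image name.
DROPPED_EXE = {3408: "x20627855.exe", 2036: "m36664858.exe", 1956: "1.exe", 1604: "n82579015.exe"}

# "RedLine payload": YARA hits on memory dumps and on dropped files.
YARA_HITS = [
    "behavioral1/memory/2036-2169-0x0000000005620000-0x0000000005652000-memory.dmp family_redline",
    "behavioral1/files/0x0002000000022b11-2174.dat family_redline",
    "behavioral1/memory/1956-2182-0x0000000000680000-0x00000000006AE000-memory.dmp family_redline",
    "behavioral1/files/0x0007000000023cc2-2189.dat family_redline",
    "behavioral1/memory/1604-2191-0x00000000007E0000-0x0000000000810000-memory.dmp family_redline",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)$")


def parse_edges(rows):
    """Map child pid -> (parent pid, parent image), collapsing repeated rows and
    rejecting rows that would give one child two different parents."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child, image = int(m[1]), int(m[2]), m[3]
        if edges.setdefault(child, (parent, image)) != (parent, image):
            raise ValueError(f"pid {child} has conflicting parents")
    return edges


def parse_memory_hits(rows):
    """Map pid -> [(rule, region start, region size)] for in-memory YARA hits.
    File hits carry no pid and are skipped."""
    hits = defaultdict(list)
    for row in rows:
        m = MEM_RE.search(row)
        if m:
            pid, start, end, rule = int(m[1]), int(m[2], 16), int(m[3], 16), m[4]
            hits[pid].append((rule, start, end - start))
    return hits


def process_tree(wpm_rows=WRITE_PROCESS_MEMORY, dropped=DROPPED_EXE, yara_rows=YARA_HITS):
    """Render the process tree as indented lines, one per pid, tagging each
    process that is a dropped executable or has a RedLine region in memory."""
    edges = parse_edges(wpm_rows)
    hits = parse_memory_hits(yara_rows)
    names = dict(dropped)
    children = defaultdict(list)
    for child, (parent, image) in edges.items():  # dict order == report order
        names.setdefault(parent, image)
        children[parent].append(child)
    roots = [pid for pid in children if pid not in edges]

    lines = []

    def walk(pid, depth):
        tags = ["dropped"] if pid in dropped else []
        tags += [f"{rule}@0x{start:X}+0x{size:X}" for rule, start, size in hits.get(pid, [])]
        line = "  " * depth + f"{pid} {names.get(pid, '?')}"
        lines.append(line + (f"  [{', '.join(tags)}]" if tags else ""))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

parse_edges collapses the repeated rows and refuses a child that is claimed by two different parents, which would point at a mis-parse rather than a real process. Only 2036, 1956 and 1604 get a family_redline tag because the two .dat hits are file-based and carry no pid; the root dropper and x20627855.exe are unpackers, not the payload.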
Processes
[1] C:\Users\Admin\AppData\Local\Temp\99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\99461ebe46719ac8e1c923a8f28e2af120219ed233907ad27e52be48c90c2caa.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3088
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x20627855.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x20627855.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3408
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m36664858.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m36664858.exe
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2036
            [4] C:\Windows\Temp\1.exe
                command line: "C:\Windows\Temp\1.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 1956
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n82579015.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n82579015.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1604
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 570KB
  MD5: 8a013de26d91b083642fc6c19ac43104
  SHA1: 3275786002e167210acc86bd65250abe4e488e8a
  SHA256: 5446d6d162a797466707834b48bb77e700fc43e8317981bbb9434e2e118e2611
  SHA512: 9497ab8bfc69ff0c2e34688f416234c3ed31a870923a59b946869ada141469a82c47b9c4fa75f1f7e2b0a7ed8fe5a72285fb377d52859f25d151a4090af978b8
- Filesize: 476KB
  MD5: 8ac9e2ee139396c9dd36c4948b879078
  SHA1: 7cd179f7ccdb8fcfc0d3e580d9eb3e59410a8837
  SHA256: d76152c96a5ce54a42af59f756454289be7a4b79a6776e8e5f7cb019537c7341
  SHA512: fbdb8f754b4ebc454307fed6f2bdd60e11ecaa30cdff0b490f135f609688b66f5d02e94d50a2ef83114b011af801701adc0d48d656cfd98fcee411eedee563cf
- Filesize: 169KB
  MD5: 9989826586c60da33f01745be380d0fc
  SHA1: 294f2fac027a6c65298dc09597aef4a51c42f498
  SHA256: 53674ea6ff875402a7098dadd7a6adefb1dafd454ba5be77452bbe25527faddd
  SHA512: 1c6c5c09368ef344c8545537deb4a63e671d067da240662eb0791b945cbb2e2d7a9fd6938c65fb4e693034964eb52119fba8c5b5ba9a263463732f1bb6ecf134
- Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf