Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 08:25
Static task
static1
Behavioral task
behavioral1
Sample
7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe
Resource
win10v2004-20241007-en
General
-
Target
7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe
-
Size
468KB
-
MD5
d28ac014aac2c3b6c16722d5fb98d9dd
-
SHA1
8476fa23ecde921a594bc161ee367af82d639595
-
SHA256
7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01
-
SHA512
a4caae9b6acf1061fe92209d017d96112fc515ec2f4a08c20fcc8befe11e151adef6447dd1da7d2ddb713b6491d77a1f94fcdcf158e87f2bbadd641a75811e0c
-
SSDEEP
6144:KUy+bnr+Op0yN90QEr0X6wmggWi93JtqfH5K4qO7Ljzgv+JZhuWjn7g:MMrqy90tYLZgZkP5K4bjUvgZhbnU
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023ca0-12.dat family_redline behavioral1/memory/372-15-0x00000000006D0000-0x0000000000702000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nmF28.exebKY55.exepid Process 1432 nmF28.exe 372 bKY55.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exenmF28.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nmF28.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
nmF28.exebKY55.exe7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nmF28.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bKY55.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exenmF28.exedescription pid Process procid_target PID 868 wrote to memory of 1432 868 7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe 83 PID 868 wrote to memory of 1432 868 7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe 83 PID 868 wrote to memory of 1432 868 7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe 83 PID 1432 wrote to memory of 372 1432 nmF28.exe 85 PID 1432 wrote to memory of 372 1432 nmF28.exe 85 PID 1432 wrote to memory of 372 1432 nmF28.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe"C:\Users\Admin\AppData\Local\Temp\7d734f1e006e90893900adba8a78f079e736ecb2e5f932d1b1f86a548c1d2b01.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nmF28.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nmF28.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bKY55.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bKY55.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5dde431cc46e23c369c13bebec496b229
SHA1f667504c7c8328f486b2d51bf5d1bdcddbf35dda
SHA256ba6a65d3007d29f82cc3cc09873541274b5f25c7a0928ddaec104d2fd198839b
SHA512e2a84c90c2b40dbf723268e3b6f51b8a830e4d714fec859edde0f48d6e85982b1f212ee7e1a5d33a7b57d4dbba7873ce99ca8f966f23567a758da9789eb95b00
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec