Analysis
-
max time kernel
132s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 08:42
Static task
static1
Behavioral task
behavioral1
Sample
73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe
Resource
win10v2004-20241007-en
General
-
Target
73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe
-
Size
472KB
-
MD5
2067aff350f128123091a41e4dc6197d
-
SHA1
2f2184a5211d021dda3df187f735c76e6bdbcb6c
-
SHA256
73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7
-
SHA512
2f2d5896804d0e99245a6cda39de776d143e62b2cc78b3eb494f0d2019188532f532b56562ef5a635328a2dbab353e7e7fccdd133d9e070b8366a4110d563d3f
-
SSDEEP
12288:SMrny90DBpkrVOa5R0Zc2gbrAvAYZxEur5XtM0V:JyCBAV55R0c2jvAGxEEV
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cb3-12.dat family_redline behavioral1/memory/3780-15-0x0000000000B00000-0x0000000000B32000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nIq14.exebBg52.exepid Process 1000 nIq14.exe 3780 bBg52.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exenIq14.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nIq14.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bBg52.exe73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exenIq14.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bBg52.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nIq14.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exenIq14.exedescription pid Process procid_target PID 4356 wrote to memory of 1000 4356 73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe 83 PID 4356 wrote to memory of 1000 4356 73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe 83 PID 4356 wrote to memory of 1000 4356 73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe 83 PID 1000 wrote to memory of 3780 1000 nIq14.exe 84 PID 1000 wrote to memory of 3780 1000 nIq14.exe 84 PID 1000 wrote to memory of 3780 1000 nIq14.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe"C:\Users\Admin\AppData\Local\Temp\73d55200d97821b745041172c99c0d69653f116f9480cedd5243a9778166a4e7.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIq14.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIq14.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBg52.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bBg52.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3780
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5f64bcdf286f00057008bff3ffa79ec7a
SHA1b28bf468bb50d310784b2fdb731d8028539055ad
SHA256022fe985a49324ec6ca97484e056f9944f7c0226bc869685ad06ba5d78041c3b
SHA512d04e6c00bd5dacbe29c14470730704bdf0fe1c5fa8b78f0f4b98b539fcdcbd65747e85e0e9ea24a695f78fdc5f1cfcb81fd09212ca2d885fe3c6271b83bcb028
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec