Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 10:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe
- Resource: win10v2004-20241007-en
General
- Target: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe
- Size: 478KB
- MD5: 9ac1d2cbd939f7210447296f6b69e6a6
- SHA1: 1de474d008f3ac5c759892915c3859283fea2581
- SHA256: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653
- SHA512: 60e12d625038344b703d7a427b8723b206e9c3e7d5989fff4b143afd3fc191bf74b3ab410d326fcdae35db5d12ab3f3880e473fdeca4b2de329660c9ebeebca0
- SSDEEP: 6144:KCy+bnr+Fp0yN90QExhM39eS5zNLWSUme6Udw+036qUgh2EMw/yJ6M8YzT5Okrkv:SMrpy90sHzsN6Ea5BxzMhzT5nQURM
Malware Config
Extracted
- Family: redline
- Botnet: fusa
- C2: 193.233.20.12:4132
- auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Processes:
  - resource: behavioral1/files/0x000f000000023baa-12.dat; yara_rule: family_redline
  - resource: behavioral1/memory/4424-15-0x0000000000640000-0x0000000000672000-memory.dmp; yara_rule: family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 4932: nGD03.exe
  - PID 4424: bgq72.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe, nGD03.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: nGD03.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Processes: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe, nGD03.exe, bgq72.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: nGD03.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bgq72.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe, nGD03.exe
  - PID 2748 wrote to memory of 4932 (process: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe; procid_target: 83)
  - PID 2748 wrote to memory of 4932 (process: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe; procid_target: 83)
  - PID 2748 wrote to memory of 4932 (process: 7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe; procid_target: 83)
  - PID 4932 wrote to memory of 4424 (process: nGD03.exe; procid_target: 84)
  - PID 4932 wrote to memory of 4424 (process: nGD03.exe; procid_target: 84)
  - PID 4932 wrote to memory of 4424 (process: nGD03.exe; procid_target: 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a9200a5ead7e70b2455e8e726c7c1dce177e09235b4a6c7acd85946153b5653.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2748
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGD03.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGD03.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4932
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bgq72.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bgq72.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4424
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 202KB
  MD5: cc76a057c9f4a13ffefc5b85c9821404
  SHA1: eb8918451ac47d7e751e8f6000fdac8791cb3239
  SHA256: 2fd9a3fc0eb7ae86f36e1838e477329a475453f38f18f1695f900b59d38ed6b5
  SHA512: 70afce983f449b4f02dc3e6600344ebe8d034712506c5d96bc55dd1a2a4df63c8ad8130f98959dea8beb7af9b76923aa688cbce3e47bca797447bda136b2bab6
- Filesize: 175KB
  MD5: da6f3bef8abc85bd09f50783059964e3
  SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
  SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
  SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec