Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 10:26
Static task
static1
Behavioral task
behavioral1
Sample
d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe
Resource
win10v2004-20241007-en
General
-
Target
d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe
-
Size
473KB
-
MD5
324df6b5e4049f0ed429e2daf9008c9d
-
SHA1
8021b92690d25f2dde981d0643b1f02846f4d098
-
SHA256
d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7
-
SHA512
951d369788b2031abead0fd1eedf7e98fafc13eb61ee3faa309a088aad2b577d10e0b69e2600bf97713137441e763a57003b9aaefe6fd9df949868eaf7720301
-
SSDEEP
6144:Khy+bnr+mjp0yN90QEfbUig7Qb7JQ7WfNU5euRRKkdpSlMi4PqL4D3rV3ksZS:7Mrqy90REQhpfNTunKkoMxysbKH
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cb9-12.dat family_redline behavioral1/memory/3648-15-0x00000000005D0000-0x0000000000602000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
ngH09.exebZe87.exepid Process 1112 ngH09.exe 3648 bZe87.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exengH09.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ngH09.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bZe87.exed956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exengH09.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bZe87.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngH09.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exengH09.exedescription pid Process procid_target PID 900 wrote to memory of 1112 900 d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe 83 PID 900 wrote to memory of 1112 900 d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe 83 PID 900 wrote to memory of 1112 900 d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe 83 PID 1112 wrote to memory of 3648 1112 ngH09.exe 84 PID 1112 wrote to memory of 3648 1112 ngH09.exe 84 PID 1112 wrote to memory of 3648 1112 ngH09.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe"C:\Users\Admin\AppData\Local\Temp\d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngH09.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngH09.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZe87.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZe87.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3648
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD52c654f781f6832aec7bea8eebaf800d6
SHA15e546c0b3bc32be5897b43fa615ac7af544ba6a4
SHA25632ec10d5451900ef35b7c81b75c3598769c7beff367ecb77b3f0ee6369cecb4f
SHA51231552ceded08e3a03ccb7bc0e9c9537d271144a5683e84e20a2672898bb4414f508837bbda493eb4ee6553d9ffb2e237d503701323b6173f2b4c5ac11cc67d7a
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec