Analysis
max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe
Resource: win10v2004-20241007-en
General
Target: 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe
Size: 470KB
MD5: d8c3f939fbe726501f11e764c4e90a87
SHA1: eba7a1eb00b8522f3a4ac2b0e9150aa1cd37b959
SHA256: 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55
SHA512: 1912d8a3d1884a9f5e54df81033b88e7a8d5a5f0b924f0953cd7df6c3ef165d0e5dfba973b2959fd1922c8496a16297f79cde870e7bca2459b4d6f05cbe800fc
SSDEEP: 12288:SMr+y90KlnohLkGvyS7DivHYCWy6Sz8n:AyJohD17DvFn
Malware Config
Extracted
Family: redline
Botnet: fusa
C2: 193.233.20.12:4132
auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b33-12.dat | family_redline
behavioral1/memory/3100-15-0x0000000000940000-0x0000000000972000-memory.dmp | family_redline

Redline family
Executes dropped EXE 2 IoCs
pid | Process
1792 | nnX79.exe
3100 | biO37.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nnX79.exe
Note: wextract_cleanupN RunOnce values pointing at advpack.dll,DelNodeRunDLL32 are written by wextract.exe, the IExpress self-extractor stub, to delete its IXP00N.TMP extraction directory at the next logon. They show that the sample and nnX79.exe are nested IExpress packages, not that the payload persists through RunOnce.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nnX79.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | biO37.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 952 wrote to memory of 1792 | 952 | 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe | 84
PID 952 wrote to memory of 1792 | 952 | 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe | 84
PID 952 wrote to memory of 1792 | 952 | 7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe | 84
PID 1792 wrote to memory of 3100 | 1792 | nnX79.exe | 86
PID 1792 wrote to memory of 3100 | 1792 | nnX79.exe | 86
PID 1792 wrote to memory of 3100 | 1792 | nnX79.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe"
   PID: 952
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnX79.exe (child of PID 952)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnX79.exe
      PID: 1792
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biO37.exe (child of PID 1792)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\biO37.exe
         PID: 3100
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
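The process tree and the RunOnce values above are enough to reconstruct how the payload was delivered. The script below is an added example written for this report, not code from the sandbox vendor or from the RedLine operators: it takes the PIDs, image paths, RunOnce values and C2 endpoint exactly as they appear in the report, collapses the repeated WriteProcessMemory rows into a parent/child chain, recognises the wextract.exe cleanup values as an IExpress packer artefact rather than persistence, and links each dropped executable to the IXP00N.TMP directory its parent registered for deletion. The firewall log lines at the end are constructed for illustration and are not from the report.

```python
"""Rebuild the RedLine drop chain from the Triage IoCs and separate IExpress
cleanup noise from real persistence.  Added example, not the sandbox's code."""
import re
from typing import Dict, List, Tuple

SAMPLE = "7a34c513c4ce9baed14addeaac5a592f90f5af5228efe46c514c2c677b0c5a55.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# pid -> image path, from the Processes section of the report
PROCS: Dict[int, str] = {
    952: TMP + "\\" + SAMPLE,
    1792: TMP + r"\IXP000.TMP\nnX79.exe",
    3100: TMP + r"\IXP001.TMP\biO37.exe",
}
# (writer pid, target pid) from "Suspicious use of WriteProcessMemory";
# Triage logs one row per call, so the same pair repeats three times.
WRITES: List[Tuple[int, int]] = [(952, 1792)] * 3 + [(1792, 3100)] * 3

RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def cleanup_cmd(directory: str) -> str:
    """Value data as wextract.exe writes it (trailing backslash included)."""
    return f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{directory}\\"'


# (value name, value data, writing image) from "Adds Run key to start application"
RUN_VALUES = [
    (RUNONCE + r"\wextract_cleanup0", cleanup_cmd(TMP + r"\IXP000.TMP"), SAMPLE),
    (RUNONCE + r"\wextract_cleanup1", cleanup_cmd(TMP + r"\IXP001.TMP"), "nnX79.exe"),
]
C2 = ("193.233.20.12", 4132)  # from the extracted RedLine config

# wextract.exe (the IExpress stub) registers this RunOnce value so that its
# IXP00n.TMP extraction directory is deleted at the next logon.  It is a packer
# artefact, not persistence for the payload, so we classify it separately.
IEXPRESS_CLEANUP = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+?)\\?"\s*$', re.I)


def classify_run_value(name: str, data: str) -> Tuple[str, str]:
    """('iexpress_cleanup', <temp dir>) for the wextract artefact, else ('persistence', data)."""
    value_name = name.rsplit("\\", 1)[-1].lower()
    m = IEXPRESS_CLEANUP.match(data)
    if m and value_name.startswith("wextract_cleanup"):
        return "iexpress_cleanup", m.group("dir")
    return "persistence", data


def parent_map(writes: List[Tuple[int, int]]) -> Dict[int, int]:
    """child pid -> parent pid, collapsing the repeated WriteProcessMemory rows."""
    parents: Dict[int, int] = {}
    for writer, target in writes:
        parents.setdefault(target, writer)
    return parents


def drop_chain(procs: Dict[int, str], writes: List[Tuple[int, int]]) -> List[int]:
    """Root-to-leaf pid list, e.g. [952, 1792, 3100]."""
    parents = parent_map(writes)
    roots = [pid for pid in procs if pid not in parents]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    children = {p: c for c, p in parents.items()}
    chain, cur = [roots[0]], roots[0]
    while cur in children:
        cur = children[cur]
        chain.append(cur)
    return chain


def link_drops(procs, writes, run_values) -> Dict[int, bool]:
    """For each child pid: does it live in the IExpress temp dir its parent registered for cleanup?"""
    cleanup_dirs: Dict[str, str] = {}  # writing image name -> temp dir
    for name, data, writer in run_values:
        kind, detail = classify_run_value(name, data)
        if kind == "iexpress_cleanup":
            cleanup_dirs[writer.lower()] = detail.lower()
    links: Dict[int, bool] = {}
    for child, parent in parent_map(writes).items():
        parent_image = procs[parent].rsplit("\\", 1)[-1].lower()
        child_dir = procs[child].rsplit("\\", 1)[0].lower()
        links[child] = cleanup_dirs.get(parent_image) == child_dir
    return links


# Constructed firewall log lines (NOT from the report) to show the C2 match.
CONSTRUCTED_LOG = """\
2024-11-10T10:37:02Z src=10.0.0.15:51234 dst=193.233.20.12:4132 proto=tcp action=allow
2024-11-10T10:37:05Z src=10.0.0.15:51240 dst=142.250.74.36:443 proto=tcp action=allow
2024-11-10T10:38:11Z src=10.0.0.22:49811 dst=193.233.20.12:80 proto=tcp action=allow
"""
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)")


def c2_hits(log_text: str, c2: Tuple[str, int] = C2) -> List[str]:
    """Source endpoints that connected to the exact RedLine C2 host:port."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and (m["dip"], int(m["dport"])) == c2:
            hits.append(m["src"])
    return hits


if __name__ == "__main__":
    chain = drop_chain(PROCS, WRITES)
    print("drop chain:", " -> ".join(PROCS[p].rsplit("\\", 1)[-1] for p in chain))
    for name, data, _ in RUN_VALUES:
        print(classify_run_value(name, data))
    print("child lives in parent's cleanup dir:", link_drops(PROCS, WRITES, RUN_VALUES))
    print("C2 hits:", c2_hits(CONSTRUCTED_LOG))
```

Both dropped executables sit in the directory their parent scheduled for deletion, which is the signature of a two-layer IExpress wrapper around the final RedLine payload (PID 3100, whose memory region matched family_redline). When hunting, match the C2 on host and port together as above: the same host on another port (the third constructed line) is worth a look but is not the configured RedLine endpoint.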
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 200KB
  MD5: de85c256ac82cd9ba7bc3fa904565ab6
  SHA1: 2fdcc8f6267cd277c2ce05ef796866c3f67c0423
  SHA256: deaa2034bf5f33cdbda5446740e72d5f690b80709fee5f0befede43a177f921b
  SHA512: 098179b1a05592bb55cd105427e4e56ea4cefff054c01ae32f31d1fd4e76fc15e50a60fc974a4a5d165fdf3db523fed150bac07f53b55bb242b33c6ae6274ec3
- Filesize: 175KB
  MD5: da6f3bef8abc85bd09f50783059964e3
  SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
  SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
  SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec