Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 15:44
Static task
static1
Behavioral task
behavioral1
Sample
acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe
Resource
win10v2004-20241007-en
General
-
Target
acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe
-
Size
550KB
-
MD5
f1827b9dafc5b68b2096459b145d884d
-
SHA1
13aaf3faa4e04bb9c63e9e809ea840433e99e917
-
SHA256
acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb
-
SHA512
44d574a5fe56c1705d5e93ffff63b7e03f25bdce6c543f94e96164ff748577d0d18b190aed47418abff5c291c1bbd91ce6093099b59f4e2d9b6cc46751ed7ed9
-
SSDEEP
12288:gMr0y90XYMVNdcOgCFfPsX8U/r4FCTmV0NZ3jgPXSle7:EyUVc1C1jhFxGjjgye7
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b42-12.dat family_redline behavioral1/memory/3460-15-0x0000000000A70000-0x0000000000AA2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nDK74.exebtq06.exepid Process 4484 nDK74.exe 3460 btq06.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exenDK74.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nDK74.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
nDK74.exebtq06.exeacc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nDK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btq06.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exenDK74.exedescription pid Process procid_target PID 1384 wrote to memory of 4484 1384 acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe 83 PID 1384 wrote to memory of 4484 1384 acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe 83 PID 1384 wrote to memory of 4484 1384 acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe 83 PID 4484 wrote to memory of 3460 4484 nDK74.exe 84 PID 4484 wrote to memory of 3460 4484 nDK74.exe 84 PID 4484 wrote to memory of 3460 4484 nDK74.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe"C:\Users\Admin\AppData\Local\Temp\acc2aaee5f7ce818f29403a2d498875013303a13de5a1eb50521530cc5867eeb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nDK74.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nDK74.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\btq06.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\btq06.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3460
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5f89a25ecbb0581756eaae588cce5e640
SHA1e3d1d7786b694f9889c68300e04de8c7c688be9e
SHA256d67f606942426988ed4ca688ec11690663e1cf58c0584eb1e7b95e5a25f6efdb
SHA5127322165a93fac4197580e5ea343e87cfb715d4b3fb19b87d3e7fbac68f066b24c32dbd4720dee5612c04d6cdbc86d0a412a159b3370e04e729edaaaeb03042b8
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec