Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 15:03
Static task
static1
Behavioral task
behavioral1
Sample
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe
Resource
win10v2004-20241007-en
General
-
Target
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe
-
Size
739KB
-
MD5
e32ccfa07bd2f9eb2da9ab07037008d8
-
SHA1
8575f1f976479df6d669ac6220d0613a58753b82
-
SHA256
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465
-
SHA512
f2307773cf2719b8594a8b1a116427bd4cd7f57e04af37a0d023dcaf95fe43559dfcd6b0b9f5d885b3198e8cd272b150353abb10505c89fd9e1aa2a58116fc8e
-
SSDEEP
12288:fMrty900xAAFLob31Fm2HQwh5iFsAF2eN6i8fFR5EUoeNQpQamvndRmgZ:GyKKw1sgQCWsAF2eN6i8fFR5EHuQ0viy
Malware Config
Extracted
redline
ruma
193.233.20.13:4136
-
auth_value
647d00dfaba082a4a30f383bca5d1a2a
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource  yara_rule
behavioral1/memory/3672-22-0x0000000002820000-0x0000000002866000-memory.dmp  family_redline
behavioral1/memory/3672-24-0x0000000004E90000-0x0000000004ED4000-memory.dmp  family_redline
behavioral1/memory/3672-86-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-78-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-56-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-88-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-84-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-82-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-80-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-76-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-74-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-72-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-70-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-68-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-66-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-64-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-62-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-60-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-58-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-54-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-52-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-50-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-48-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-47-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-44-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-42-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-40-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-38-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-36-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-34-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-32-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-30-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-28-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-26-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
behavioral1/memory/3672-25-0x0000000004E90000-0x0000000004ECE000-memory.dmp  family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
vMP23.exe, vkv79.exe, dlf76.exe
pid  Process
4556  vMP23.exe
1360  vkv79.exe
3672  dlf76.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe, vMP23.exe, vkv79.exe
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  vMP23.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  vkv79.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe, vMP23.exe, vkv79.exe, dlf76.exe
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vMP23.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vkv79.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dlf76.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dlf76.exe
description  pid  Process
Token: SeDebugPrivilege  3672  dlf76.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe, vMP23.exe, vkv79.exe
description  pid  Process  procid_target
PID 2384 wrote to memory of 4556  2384  62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe  83
PID 2384 wrote to memory of 4556  2384  62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe  83
PID 2384 wrote to memory of 4556  2384  62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe  83
PID 4556 wrote to memory of 1360  4556  vMP23.exe  84
PID 4556 wrote to memory of 1360  4556  vMP23.exe  84
PID 4556 wrote to memory of 1360  4556  vMP23.exe  84
PID 1360 wrote to memory of 3672  1360  vkv79.exe  85
PID 1360 wrote to memory of 3672  1360  vkv79.exe  85
PID 1360 wrote to memory of 3672  1360  vkv79.exe  85
Processes
-
C:\Users\Admin\AppData\Local\Temp\62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\62d0e87b30d621f9ab2a55f1ef9f8d5cb627855a630abfeaac77d3c35703c465.exe" (depth 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMP23.exe (depth 2)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkv79.exe (depth 3)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlf76.exe (depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3672
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
635KB
MD5
0f0d1b3b482a1228914a2b3124b2938d
SHA1
5a776f0241474aa21e51fed0b5eafa178e46a090
SHA256
806af668edc29d7b8670c7bc5773ac61ef6f78a65a560352700883fce0b8a014
SHA512
7dfe8e0e44d337a620bf974c837cde56fa31070917d7ab3742433eeee87cb5c41773f9df773b6b16736ddcb395081f686e3d35dde19a66166f299ff2c39e29bc
-
Filesize
491KB
MD5
aba82c5edd0f7d206969bc14c9539e82
SHA1
46774153e3e2a591c52086453c2499459664e117
SHA256
4d5c570fbb2948fcf459598d3ed373a11db071626e6634cc8f969cb39c4b72b8
SHA512
f02c4aba13961fe6f737d93991a18f3fe07c5e5ce324c9bad7f7346fb0766e1e340ccfd9bb88412de56f077d5e307e7414ea99413a899ec2c15324b75d8583a3
-
Filesize
293KB
MD5
b5b088e47af91c344e3583ef9391586f
SHA1
81c28284f693f66d1d30b8ee09f0d69e27457333
SHA256
3f201ce75b624c56d73e6aa11e0d93825455d0ee88d3fdcc8e2f3bafae6cc739
SHA512
9d0789dfa16b849709e3bb04159ed2bf6ccd74975472efe87aeb9d8ff0539b8953cb0937b4d646fba7d1460ea8c1fd0ee4dfb9ec2debfefdee70ab9b05ca1a3b