Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 19:22
Static task: static1
Behavioral task: behavioral1
- Sample: 7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe
- Resource: win10v2004-20241007-en
General
- Target: 7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe
- Size: 774KB
- MD5: aee34637d42227655020dfc235fc8362
- SHA1: 83dbeedda4023dde9122e0f5514091af545b3a7d
- SHA256: 7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671
- SHA512: 686555355e871e50b4143dd436655833290b896a13dfb3cca23add1c1e025f52c5ce2388db9c91df3d499c336bb538948e56956f26ad67014981845f6d41fb2a
- SSDEEP: 12288:hy90cMwmni+j0QdxmPMSvATz/iIat4Y7KvgCuOzwB2b2UT9/WP7:hy0fn1RdxBSoT5NOSJT9uP7
Malware Config
Extracted
- Family: redline
- Botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07
Extracted
- Family: redline
- Botnet: dante
- C2: 185.161.248.73:4164
- auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1404-2167-0x0000000005760000-0x0000000005792000-memory.dmp: family_redline
  - behavioral1/files/0x00110000000239f4-2172.dat: family_redline
  - behavioral1/memory/916-2183-0x0000000000EA0000-0x0000000000ECE000-memory.dmp: family_redline
  - behavioral1/files/0x000a000000023b44-2186.dat: family_redline
  - behavioral1/memory/3980-2188-0x0000000000870000-0x00000000008A0000-memory.dmp: family_redline
- Redline family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (m00023662.exe)
- Executes dropped EXE (4 IoCs)
  pid / Process:
  - 3964: x84017045.exe
  - 1404: m00023662.exe
  - 916: 1.exe
  - 3980: n36778255.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x84017045.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (x84017045.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (m00023662.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (n36778255.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeDebugPrivilege (pid 1404, m00023662.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 2232 wrote to memory of 3964 (pid 2232, 7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe, procid_target 84)
  - PID 2232 wrote to memory of 3964 (pid 2232, 7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe, procid_target 84)
  - PID 2232 wrote to memory of 3964 (pid 2232, 7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe, procid_target 84)
  - PID 3964 wrote to memory of 1404 (pid 3964, x84017045.exe, procid_target 85)
  - PID 3964 wrote to memory of 1404 (pid 3964, x84017045.exe, procid_target 85)
  - PID 3964 wrote to memory of 1404 (pid 3964, x84017045.exe, procid_target 85)
  - PID 1404 wrote to memory of 916 (pid 1404, m00023662.exe, procid_target 88)
  - PID 1404 wrote to memory of 916 (pid 1404, m00023662.exe, procid_target 88)
  - PID 1404 wrote to memory of 916 (pid 1404, m00023662.exe, procid_target 88)
  - PID 3964 wrote to memory of 3980 (pid 3964, x84017045.exe, procid_target 89)
  - PID 3964 wrote to memory of 3980 (pid 3964, x84017045.exe, procid_target 89)
  - PID 3964 wrote to memory of 3980 (pid 3964, x84017045.exe, procid_target 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe (level 1, PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a3879abd45b5a301c6b7b213dbc4a0bd30ff1691fa902fff8dd029330112671.exe"
  Signatures:
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x84017045.exe (level 2, PID 3964)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x84017045.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m00023662.exe (level 3, PID 1404)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m00023662.exe
      Signatures:
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe (level 4, PID 916)
        Command line: "C:\Windows\Temp\1.exe"
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n36778255.exe (level 3, PID 3980)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n36778255.exe
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 570KB
  MD5: d27fe93ff5b8b7532b63a19aaccd9774
  SHA1: 81f175b5ba5b9bff6a8f512c094b55b2085dd249
  SHA256: 9b8991ca28ac28d36581af18ac79529e2987987b22949c55cdd3a8c4ea00e4d6
  SHA512: 973079112b1048a5e18731505747940c0fe3dc84434a46b1167bb1d03706fe17accb68d75d24363562fa00a65454e4de6ad523ec196dc0190db51be8c74f7c69
- Filesize: 476KB
  MD5: 6d9f480a493c565876107055e424a9e5
  SHA1: c066e03f91f68e7646e290a809ec5fd0c50a2820
  SHA256: a0e93a68e67addfa9cd5be93c68ce2b0385cee27039fac3f1413be038c427c4c
  SHA512: 7e38e6d962581dd37fec11e45751a6af2818b7e0271041368c788d08e43bebdd9da9d2b5d049b7d757d5f27d2e060c6a1d4f0111d8b5ac011383a4f57df82153
- Filesize: 169KB
  MD5: d5d57cdfc580a14c859cc72824a2a470
  SHA1: 8cc6d7e7f22f5e7ea7be36b23e05d11dc38757b4
  SHA256: b90f904116403933251942864d79a96712911037ddbb1a7a0b4c855a2cbf8653
  SHA512: 60833cd2fc0c93b8f4df2bedb56f903cb71221773c62a08a3cc3e2a22fadc83d1c17087c9d8ee132478104190ebdd10050f0673aee3ac4d206271d6aef23d08b
- Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf