Analysis
max time kernel: 137s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 19:59
Static task: static1
Behavioral task: behavioral1
Sample: 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe
Resource: win10v2004-20241007-en
General
Target: 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe
Size: 773KB
MD5: 534db34fc88209f3f69a22fe95ee6b92
SHA1: dce841ccf3c796e02cc7bb5b80c67dc3089c8040
SHA256: 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199
SHA512: fdda3afdae0f12c555640c539dc95c0cd2621a45048f142ef890c83b96e7314ab659a31d69f95dd87bb78b3fccab0b682036923ecdf70b4ad78ba8c5abc09519
SSDEEP: 12288:Fy90C95wdZuZ7h1jvyYw0e0cdYPEObkDVB6IQj3035X5NlD/dx+kP1bQ:Fyedoz1jvZcePEObsBtHJXVdFP1c
Malware Config
Extracted: redline (gena) 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Extracted: redline (dante) 185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/5064-2168-0x0000000005620000-0x0000000005652000-memory.dmp | family_redline
behavioral1/files/0x000c000000023b5c-2173.dat | family_redline
behavioral1/memory/4988-2181-0x0000000000100000-0x000000000012E000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cab-2193.dat | family_redline
behavioral1/memory/640-2195-0x0000000000AF0000-0x0000000000B20000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | m98029256.exe

Executes dropped EXE (4 IoCs)
pid | Process
2424 | x89854166.exe
5064 | m98029256.exe
4988 | 1.exe
640 | n29505572.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x89854166.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2428 | 5064 | WerFault.exe | 85
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | n29505572.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x89854166.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | m98029256.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5064 | m98029256.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2108 wrote to memory of 2424 | 2108 | 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe | 83
PID 2108 wrote to memory of 2424 | 2108 | 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe | 83
PID 2108 wrote to memory of 2424 | 2108 | 522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe | 83
PID 2424 wrote to memory of 5064 | 2424 | x89854166.exe | 85
PID 2424 wrote to memory of 5064 | 2424 | x89854166.exe | 85
PID 2424 wrote to memory of 5064 | 2424 | x89854166.exe | 85
PID 5064 wrote to memory of 4988 | 5064 | m98029256.exe | 88
PID 5064 wrote to memory of 4988 | 5064 | m98029256.exe | 88
PID 5064 wrote to memory of 4988 | 5064 | m98029256.exe | 88
PID 2424 wrote to memory of 640 | 2424 | x89854166.exe | 94
PID 2424 wrote to memory of 640 | 2424 | x89854166.exe | 94
PID 2424 wrote to memory of 640 | 2424 | x89854166.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\522f37adb19ae92f2637ecb1d6276305b114a8e4b21d779581c7ca3f74a78199.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2108
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x89854166.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x89854166.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2424
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m98029256.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m98029256.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5064
      C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4988
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1384
        - Program crash
        PID: 2428
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n29505572.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n29505572.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 640
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5064 -ip 5064
  PID: 3472
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 569KB
MD5: 9dbbcb53223302392a7ffeef2fb8c5a5
SHA1: 9e29fc3db8dd99984e8fe94e52b4c7a723a2f806
SHA256: 17a5a9126dc5fde27db5da6d6cb80135491143b528ceda11e3c1f3f484981902
SHA512: de70b0377cce963d017309cf547f58728003002b187114a67e73b88635fac22c8626343dbd7a00d22a5fd70d7970dbe2e8b86a4a8c53bb81f4fb086ee4910691

Filesize: 479KB
MD5: 19bbd49eb1a80da954d4174aaabe0e86
SHA1: 489ae5f8ebe97397cd52bfebe83a9028b4e97d8f
SHA256: d1d9c37a0898840f0319f6d96be75b4be68291d00d62fa8fdf54e3535e327d15
SHA512: 3362105372d3045ab9c1cf69b33f7c0076d9c43aadc8c1df51030b600c1f2956853b55f48e0bb92581f43fe81159e1f56de69151cbc65b72ed512b920ae1e191

Filesize: 169KB
MD5: d9623936095052f59e27a3e871f9af69
SHA1: bd8e9473554f44429ad52feda00677c9fc7e86e6
SHA256: 1c68e0a1471612c2e0dcf32bf579c90f08e066270d2ee987d28cb6f43c349274
SHA512: 0d1f536ad9a0f6231d89cab0b09f78768e6647028b7e5e617c62c915f556a8d3d077dec23893f5f911b77b25ad0bf61c2fb04765d36eaa4ffcade0cf66eee722

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf