Analysis

max time kernel: 136s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 02:38
Static task: static1
Behavioral task: behavioral1
  Sample: a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe
  Resource: win10v2004-20241007-en
General

Target: a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe
Size: 849KB
MD5: 6eefe246e611115d1cf53786cab9c2d6
SHA1: 13e083e45a67636851bfaeeb96cb6491097f77ad
SHA256: a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6
SHA512: 3f19acf6a0b7bfd0e0361490a3d8d4bea3cdb1d22e1b778fd885a92cc0d0ae31de40d44c31e6fc1e7c7359e26197dfb8b93887a39fa1f305d389396ae83f9ad5
SSDEEP: 12288:7y90YLE9eKFltCYi/mZjkAGT9d3P8OSkDTBl0gdy015XwVVh4BEO0RqmojrokT:7y5KRZjA/P8OSsBug3Xwn6B6Rqm4v
Malware Config

Extracted: redline
  botnet ID: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
  botnet ID: dante
  C2: 185.161.248.73:4164
  auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/4788-2169-0x0000000005760000-0x0000000005792000-memory.dmp  family_redline
  behavioral1/files/0x0002000000022af2-2174.dat                                   family_redline
  behavioral1/memory/5468-2182-0x0000000000A80000-0x0000000000AAE000-memory.dmp  family_redline
  behavioral1/files/0x0007000000023c9e-2194.dat                                   family_redline
  behavioral1/memory/5992-2196-0x0000000000C20000-0x0000000000C50000-memory.dmp  family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  p70602310.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2332  y47333768.exe
  4788  p70602310.exe
  5468  1.exe
  5992  r02167900.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
    = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  Set value (str) by y47333768.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
    = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  5664  4788        WerFault.exe  86

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
    a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe
    y47333768.exe
    p70602310.exe
    1.exe
    r02167900.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4788  p70602310.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent/child pair below is recorded three times in the trace, 12 records in total.
  pid   wrote to  Process                                                                 procid_target  writes
  4008  2332      a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe  84             3
  2332  4788      y47333768.exe                                                           86             3
  4788  5468      p70602310.exe                                                           88             3
  2332  5992      y47333768.exe                                                           92             3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe (PID 4008)
    command line: "C:\Users\Admin\AppData\Local\Temp\a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47333768.exe (PID 2332)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47333768.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p70602310.exe (PID 4788)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p70602310.exe
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Temp\1.exe (PID 5468)
                command line: "C:\Windows\Temp\1.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\WerFault.exe (PID 5664)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1384
                - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r02167900.exe (PID 5992)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r02167900.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe (PID 5580)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4788 -ip 4788
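The signatures and process tree above describe a two-layer self-extractor: the submitted sample unpacks into IXP000.TMP and registers a RunOnce wextract_cleanup0 entry to delete that directory; y47333768.exe repeats the pattern into IXP001.TMP; p70602310.exe then queries Geo\Nation and launches 1.exe from C:\Windows\Temp. The Python below is an added example, not part of the sandbox report, showing how an analyst can correlate such process and registry events into the tree and a handful of findings. The event tuples are constructed from the PIDs, paths and registry keys in this report; the tuple layout itself is an assumption, not the sandbox's export format.

```python
"""Correlate sandbox process/registry events into a process tree and
wextract-SFX / geofence findings.  Added example: the event tuples below are
constructed from the PIDs, paths and keys in this report; the tuple layout
is an assumption, not the sandbox's export format."""
import ntpath
import re
from collections import defaultdict

# (pid, parent pid, image path); parent 0 = parent not seen in the trace
PROCESS_EVENTS = [
    (4008, 0, r"C:\Users\Admin\AppData\Local\Temp\a41134e05c89c8151e7688e5687dd5dd25b0b76213da935073cb94070b585fc6.exe"),
    (2332, 4008, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47333768.exe"),
    (4788, 2332, r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p70602310.exe"),
    (5468, 4788, r"C:\Windows\Temp\1.exe"),
    (5664, 4788, r"C:\Windows\SysWOW64\WerFault.exe"),
    (5992, 2332, r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r02167900.exe"),
]

# (pid, operation, key path, value data or None)
REGISTRY_EVENTS = [
    (4008, "set",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (2332, "set",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    (4788, "query",
     r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation",
     None),
]

# IXP00N.TMP is the directory wextract.exe (IExpress self-extractors) unpacks into.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
CLEANUP_KEY = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_DIR = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def render_tree(process_events):
    """Return the process tree as indented 'pid image' lines, roots first."""
    image = {pid: path for pid, _, path in process_events}
    children = defaultdict(list)
    for pid, ppid, _ in process_events:
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {ntpath.basename(image[pid])}")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid, ppid, _ in process_events:
        if ppid not in image:  # parent not in the trace: treat as a root
            walk(pid, 0)
    return lines


def sfx_layers(process_events):
    """pid -> IXP layer number, for processes whose image lives in IXP00N.TMP."""
    layers = {}
    for pid, _, path in process_events:
        m = IXP_DIR.search(path)
        if m:
            layers[pid] = int(m.group(1))
    return layers


def cleanup_targets(registry_events):
    """Extraction dir (lower-case, no trailing slash) -> pid that scheduled its RunOnce deletion."""
    targets = {}
    for pid, op, key, data in registry_events:
        if op != "set" or not CLEANUP_KEY.search(key) or not data:
            continue
        m = DELNODE_DIR.search(data)
        if m:
            targets[m.group(1).rstrip("\\").lower()] = pid
    return targets


def correlate(process_events, registry_events):
    """Turn raw events into the findings a triage analyst wants to read."""
    image = {pid: path for pid, _, path in process_events}
    parent = {pid: ppid for pid, ppid, _ in process_events}
    layers = sfx_layers(process_events)
    targets = cleanup_targets(registry_events)
    findings = []

    # SFX layer: the parent wrote RunOnce\wextract_cleanupN for a directory
    # and then launched a child out of that same directory.
    for pid, layer in sorted(layers.items()):
        ext_dir = ntpath.dirname(image[pid]).lower()
        if targets.get(ext_dir) == parent[pid]:
            findings.append(f"pid {parent[pid]} unpacked IXP{layer:03d}.TMP, scheduled its "
                            f"deletion via RunOnce, and launched pid {pid} from it")
        if parent[pid] in layers:
            findings.append(f"pid {pid} is a nested SFX layer "
                            f"(layer {layer} inside layer {layers[parent[pid]]})")

    # Geofence: a process reads Control Panel\International\Geo\Nation and
    # then runs a payload it dropped under C:\Windows\Temp.
    geo_pids = {pid for pid, op, key, _ in registry_events
                if op == "query" and key.lower().endswith(r"\geo\nation")}
    for pid, ppid, path in process_events:
        if ppid in geo_pids and path.lower().startswith("c:\\windows\\temp\\"):
            findings.append(f"pid {ppid} queried Geo\\Nation, then launched pid {pid} from C:\\Windows\\Temp")
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_EVENTS)))
    for finding in correlate(PROCESS_EVENTS, REGISTRY_EVENTS):
        print("!", finding)
```

Neither an IXP00N.TMP directory nor a RunOnce\wextract_cleanupN value is malicious on its own: every IExpress-built installer produces both. The signal worth alerting on is the combination the correlation keys on, one SFX layer unpacking a second, the inner layer reading Geo\Nation, and a payload launched from C:\Windows\Temp, which is what ties the individual signatures above together.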
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 569KB
  MD5: 070aec8ead182cec38622fb992c9cacb
  SHA1: 5687c6a59c929eb9739ecf7154fc59f2fdc1bf27
  SHA256: 50d4820e44eec9bc661b705ca51ed8e37e18c8f71ec825aa4ea36ede85191924
  SHA512: c3090926190e2b375a9f468bb98898134fc0b9367a46c0dbdd297a0efba3f8865056ef40c638ee79d1790cb68bb76078d8946a2dcf5b46370e91998ad9042eff

Filesize: 479KB
  MD5: 05c100514e13fc653d45a22eaa4036c7
  SHA1: d43028441ed77af9b6365c63dda939d1b4c5967a
  SHA256: afdeb9e56c9651765ec199bc1ddbd001e251f2ad7bde132dbf4f50844c5c80b5
  SHA512: af947c347e0b303bcc1d8722fec6e30a55447dba55cb9665649e05812a1b7be7ea8bbc814092e85981bb2cbbde5478250d49330bb54d5b84a1ca14b6415147a5

Filesize: 169KB
  MD5: f3a298232d2375000785685833a1e9d5
  SHA1: 02c6ae3c64923839850487140631b6033b000fe3
  SHA256: 3df7f565da25c4d4bec4cb4779b14422b36ac55c0241a15121c0cba075011845
  SHA512: acbe18a6dc69581cca259a53524f07ec13e869e6e02730d9605dd942aee4a54dcb0938585fbd4bda384d468c6446f4e6c7c9bf562b16ba92ee3d7faf92f896e2

Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf