Analysis

- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 05:55

Static task: static1
Behavioral task: behavioral1
Sample: 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe
Resource: win10v2004-20241007-en
General

- Target: 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe
- Size: 1.1MB
- MD5: 0b094db892273b6f84f33a15f2f72fc9
- SHA1: 9a87bddb1e37f64e3a6207d65e59538f7420d44d
- SHA256: 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693
- SHA512: 4e024d048d8c3ab36c4b0f229b2a80bd1e2eaed9e0b9c6219ac98c44565b6cec9ae8f74e1b49a3558adfb85d87ca77c4fc82de43773d9835d6d8777c166c89c3
- SSDEEP: 24576:JyekFtwOuLVmR1tKpEKVMRkvsyPOoRHI8j+LpZO14MaHX13at:8eQuZm7tuEK2xy95+LpnMY1
Malware Config

Extracted
- Family: redline
- Botnet: dedu
- C2: 185.161.248.75:4132
- auth_value: 43fb2cf55df7896aeff6ce27ec070fea
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k3849473.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | k3849473.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k3849473.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k3849473.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k3849473.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k3849473.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs

resource | yara_rule
behavioral1/files/0x0007000000023c8d-54.dat | family_redline
behavioral1/memory/1792-56-0x0000000000060000-0x000000000008A000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 4 IoCs

pid | Process
1556 | y3516284.exe
4948 | y6854512.exe
3720 | k3849473.exe
1792 | l1575582.exe
Windows security modification 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k3849473.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k3849473.exe
Adds Run key to start application 2 TTPs 3 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y3516284.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y6854512.exe

Note: each of these RunOnce values points at advpack.dll DelNodeRunDLL32 with an IXP00N.TMP directory as its argument. That is the cleanup entry the Windows self-extractor stub (wextract) writes so its temporary extraction directory is removed at the next logon; the three entries correspond to the three nested self-extracting layers (IXP000.TMP, IXP001.TMP, IXP002.TMP) rather than to an autostart of the final payload.
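The Defender policy writes, the TamperProtection write and the RunOnce wextract_cleanup entries in the three signatures above can be separated mechanically from a registry-write feed. The Python below is an added example written for this page, not sandbox or vendor code. Its events are constructed from the IOCs shown above in a Sysmon Event ID 13-like shape (process, operation, target, data), which is an assumption about the log source; the final "Updater" Run value under example.exe is a constructed contrast case that does not appear in this report.

```python
"""Classify registry value writes of the kind listed under Signatures above.

Added example for this report, not sandbox or vendor tooling. SAMPLE_EVENTS is
constructed from the IOCs on the page in a Sysmon Event ID 13-like shape
(process, operation, target, data); that shape is an assumption about the log
source, and the final "Updater" Run value is a constructed contrast case.
"""
import re
from collections import Counter

# Defender values that, once set to the data shown, switch protection off.
# Paths are relative to HKLM\SOFTWARE as produced by normalise_path().
RTP = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_TAMPER = {
    RTP + r"\DisableRealtimeMonitoring": "1",
    RTP + r"\DisableBehaviorMonitoring": "1",
    RTP + r"\DisableIOAVProtection": "1",
    RTP + r"\DisableOnAccessProtection": "1",
    RTP + r"\DisableScanOnRealtimeEnable": "1",
    r"Microsoft\Windows Defender\Features\TamperProtection": "0",
}

AUTOSTART_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Value shape the wextract self-extractor stub writes so that its IXP00N.TMP
# extraction directory is deleted at next logon: cleanup, not payload persistence.
SFX_CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"$', re.I)


def normalise_path(path):
    # \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\X  ->  HKLM\SOFTWARE\X
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.I)


def classify(event):
    """Return a finding dict for one event, or None when nothing matches."""
    if event["op"] != "SetValue":
        return None  # creating an empty key changes no setting by itself
    path = normalise_path(event["target"])
    for rel, bad in DEFENDER_TAMPER.items():
        if path.lower() == ("HKLM\\SOFTWARE\\" + rel).lower() and str(event["data"]) == bad:
            return {"category": "defender_tamper", "process": event["process"],
                    "value": rel.rsplit("\\", 1)[-1]}
    m = AUTOSTART_RE.search(path)
    if m:
        name = m.group("name")
        cleanup = name.lower().startswith("wextract_cleanup") and SFX_CLEANUP_RE.match(event["data"] or "")
        return {"category": "sfx_cleanup" if cleanup else "autostart",
                "process": event["process"], "value": name}
    return None


def summarise(events):
    """Count findings per category across a batch of events."""
    return dict(Counter(f["category"] for f in map(classify, events) if f))


# ---- constructed sample mirroring the report's Signatures rows ----
HKLM_W = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
RUNONCE = HKLM_W + r"\Microsoft\Windows\CurrentVersion\RunOnce"
DROPPER = "3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe"


def _ev(process, op, target, data=None):
    return {"process": process, "op": op, "target": target, "data": data}


def _sfx(n):  # the DelNodeRunDLL32 command line seen in the report
    return rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00{n}.TMP\"'


SAMPLE_EVENTS = [
    _ev("k3849473.exe", "CreateKey", HKLM_W + "\\" + RTP),
    _ev("k3849473.exe", "SetValue", HKLM_W + "\\" + RTP + r"\DisableScanOnRealtimeEnable", "1"),
    _ev("k3849473.exe", "SetValue", HKLM_W + "\\" + RTP + r"\DisableBehaviorMonitoring", "1"),
    _ev("k3849473.exe", "SetValue", HKLM_W + "\\" + RTP + r"\DisableIOAVProtection", "1"),
    _ev("k3849473.exe", "SetValue", HKLM_W + "\\" + RTP + r"\DisableOnAccessProtection", "1"),
    _ev("k3849473.exe", "SetValue", HKLM_W + "\\" + RTP + r"\DisableRealtimeMonitoring", "1"),
    _ev("k3849473.exe", "SetValue", HKLM_W + r"\Microsoft\Windows Defender\Features\TamperProtection", "0"),
    _ev(DROPPER, "SetValue", RUNONCE + r"\wextract_cleanup0", _sfx(0)),
    _ev("y3516284.exe", "SetValue", RUNONCE + r"\wextract_cleanup1", _sfx(1)),
    _ev("y6854512.exe", "SetValue", RUNONCE + r"\wextract_cleanup2", _sfx(2)),
    # Constructed contrast case, not in the report: a real autostart value.
    _ev("example.exe", "SetValue", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Users\Public\upd.exe"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e))
    print(summarise(SAMPLE_EVENTS))
```

Run against the constructed batch this yields six defender_tamper findings (all from k3849473.exe), three sfx_cleanup entries and one genuine autostart; the "Key created" rows are deliberately ignored because an empty policy key disables nothing on its own.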
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y3516284.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y6854512.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k3849473.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l1575582.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

pid | Process
3720 | k3849473.exe
3720 | k3849473.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

description | pid | Process
Token: SeDebugPrivilege | 3720 | k3849473.exe
Suspicious use of WriteProcessMemory 12 IoCs

description | pid | Process | procid_target
PID 1092 wrote to memory of 1556 | 1092 | 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe | 83
PID 1092 wrote to memory of 1556 | 1092 | 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe | 83
PID 1092 wrote to memory of 1556 | 1092 | 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe | 83
PID 1556 wrote to memory of 4948 | 1556 | y3516284.exe | 84
PID 1556 wrote to memory of 4948 | 1556 | y3516284.exe | 84
PID 1556 wrote to memory of 4948 | 1556 | y3516284.exe | 84
PID 4948 wrote to memory of 3720 | 4948 | y6854512.exe | 85
PID 4948 wrote to memory of 3720 | 4948 | y6854512.exe | 85
PID 4948 wrote to memory of 3720 | 4948 | y6854512.exe | 85
PID 4948 wrote to memory of 1792 | 4948 | y6854512.exe | 98
PID 4948 wrote to memory of 1792 | 4948 | y6854512.exe | 98
PID 4948 wrote to memory of 1792 | 4948 | y6854512.exe | 98
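The twelve WriteProcessMemory rows record each parent/child pair three times; collapsing them leaves the four edges the Processes section draws. The Python below is an added example written for this page, not sandbox tooling. RECORDS is a constructed copy of the rows above, and PID_NAMES is taken from the Executes dropped EXE table because l1575582.exe never writes to another process and therefore has no image name of its own in these rows. The procid_target column is left unused: its values (83, 84, 85, 98) are not the Windows PIDs of the targets (1556, 4948, 3720, 1792).

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox tooling. RECORDS is a constructed
copy of the page's twelve rows; PID_NAMES comes from the 'Executes dropped EXE'
table so that a leaf process with no outgoing writes still gets a name.
"""
import re

RECORDS = """
PID 1092 wrote to memory of 1556 1092 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe 83
PID 1092 wrote to memory of 1556 1092 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe 83
PID 1092 wrote to memory of 1556 1092 3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe 83
PID 1556 wrote to memory of 4948 1556 y3516284.exe 84
PID 1556 wrote to memory of 4948 1556 y3516284.exe 84
PID 1556 wrote to memory of 4948 1556 y3516284.exe 84
PID 4948 wrote to memory of 3720 4948 y6854512.exe 85
PID 4948 wrote to memory of 3720 4948 y6854512.exe 85
PID 4948 wrote to memory of 3720 4948 y6854512.exe 85
PID 4948 wrote to memory of 1792 4948 y6854512.exe 98
PID 4948 wrote to memory of 1792 4948 y6854512.exe 98
PID 4948 wrote to memory of 1792 4948 y6854512.exe 98
"""

# One row: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# The repeated <src> is checked with a backreference so a mangled row is skipped.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)")

# From the report's 'Executes dropped EXE' table.
PID_NAMES = {1556: "y3516284.exe", 4948: "y6854512.exe", 3720: "k3849473.exe", 1792: "l1575582.exe"}


def parse_edges(text):
    """Unique (parent_pid, child_pid) edges in first-seen order, plus pid -> image."""
    edges, names = [], {}
    for m in ROW_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["image"]
        if (src, dst) not in edges:  # the sandbox logs each write; keep one edge
            edges.append((src, dst))
    return edges, names


def build_tree(edges):
    """Return (children, parents, roots); a root is a writer nobody wrote to."""
    children, parents = {}, {}
    for p, c in edges:
        children.setdefault(p, []).append(c)
        parents[c] = p
    roots = list(dict.fromkeys(p for p, _ in edges if p not in parents))
    return children, parents, roots


def depth(pid, parents):
    """1 for a root; matches the level numbers in the Processes section."""
    d = 1
    while pid in parents:
        pid, d = parents[pid], d + 1
    return d


def render(text, extra_names):
    """Indented tree of 'pid image', two spaces per level."""
    edges, names = parse_edges(text)
    names = {**extra_names, **names}  # names seen as writers win over the table
    children, _, roots = build_tree(edges)
    lines = []

    def walk(pid, level):
        lines.append("  " * level + f"{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, level + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RECORDS, PID_NAMES))
```

The rendered tree is the dropper at the root, two self-extractor stages beneath it, and two siblings (k3849473.exe and l1575582.exe) both spawned by y6854512.exe at depth 4, which is the shape the Processes section shows.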
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e5ff4dcfa5551092dc8230631ebd9f0045a46eb8118fb382f98fbb4cc628693.exe"
  PID: 1092
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3516284.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3516284.exe
    PID: 1556
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6854512.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6854512.exe
      PID: 4948
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3849473.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3849473.exe
        PID: 3720
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1575582.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1575582.exe
        PID: 1792
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 748KB
  MD5: 148e4bb133241b8f41adb1e58d5377a5
  SHA1: 00de3585e1a6ff527938bd0558d40b3d3de7a562
  SHA256: 2f6c2ccb8fa17256e5a1b7f479518bc7eadf3160ff3fa18fb30e28314bad4a06
  SHA512: da703313693337b376fa979f742c4568a2f954872f258e0c4a11daed94f37e5b88e5db00606f72539638951a2615b94616f9e93aeac0f9c714c450da7adf9d6b

- Filesize: 305KB
  MD5: 27684e4167fe6450eaa5187a20066835
  SHA1: 73c5c508ead73d0baee6343717b4e747e419c923
  SHA256: d4dd883ffdd608f92053cf7fab217847d18d3cd4ad472248bd2996ba9781f322
  SHA512: 9d9072445090f7b457abb6595447b9150d2792e01302f7d88db366ba7a326137350a74320c077219829c060ee0c9434d4af1c5c2b494ba7546d34ee2795e9164

- Filesize: 183KB
  MD5: d18dd7e957d8eab39abe21eefd498331
  SHA1: 2d7b11252dbb1ed8cefff8d63d447b0f697a0060
  SHA256: 57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440
  SHA512: c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

- Filesize: 145KB
  MD5: faf73da48be070417ce9444afc86887d
  SHA1: aee61acaaffc15f3b2d0276bc89562da151474f4
  SHA256: 2aa56be6310c51e4ee75d3fb87c468c55bda08b5dffe060cb1a8f887dd7665a4
  SHA512: c1d41ac93c718a121af28b914311fb478566d869378a07a895c9111d57ffad2dbc03058564b6205950920c62efff5b776be2bcb60d64f79398a6788f38b9bbcb