Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe
Resource: win10v2004-20241007-en
General
Target: 9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe
Size: 376KB
MD5: e59f30ac820ea021f3fa045aaed4fdf4
SHA1: 635d53805796a58290d68613fe0f08edee053058
SHA256: 9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f
SHA512: f2ae729530af105e5ec6bde2a0b6d4a7acef161aab872ad289fbdcd28159d989b493bb0ec44c1f0a0e8d96be7fd005ed302c37015c64d1580468817fae377d3c
SSDEEP: 6144:Kpy+bnr+5p0yN90QERmWkWanZNdPR5d46kqab7aQUUArvkI15gY2BIzzq:HMrBy90nk4Vqab7dUXrf1j24q
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                     yara_rule
behavioral1/files/0x000b000000023ba1-12.dat                                  family_redline
behavioral1/memory/3396-15-0x00000000005B0000-0x00000000005D8000-memory.dmp  family_redline

Redline family
-
Executes dropped EXE (2 IoCs)
pid   Process
624   x6750921.exe
3396  g1106060.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x6750921.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x6750921.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  g1106060.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                                                  procid_target
PID 3528 wrote to memory of 624   3528  9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe  83
PID 3528 wrote to memory of 624   3528  9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe  83
PID 3528 wrote to memory of 624   3528  9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe  83
PID 624 wrote to memory of 3396   624   x6750921.exe                                                             84
PID 624 wrote to memory of 3396   624   x6750921.exe                                                             84
PID 624 wrote to memory of 3396   624   x6750921.exe                                                             84
Processes
1. C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9980ff61b4b54597cbc2ec2cfe111f78fa461ac0806cf05b5ab18dbc09e8737f.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3528
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6750921.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 624
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1106060.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 3396
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 204KB
MD5: befcf327de467b2ac7ec7ddbabed776f
SHA1: 00cf220f3bf6640491a2b6cf3665d047b925f427
SHA256: e4e3f113fb11ae031432bce8d9b2bfad807d0869144f012f80a7fbf1f48a730e
SHA512: 636f172ca418981cd5bbae135fc4cad7c7ad7e7a95a7c6ef5b6471d4cb8f914c943439d2a1b7a8d37851a4195532ed05316e15ccbf8eaf90b478a02e0ec55b1b

Filesize: 136KB
MD5: 6e8ef3264d2f20d394d84809a3042b6a
SHA1: b8c91b452db622a589a774ead74cec244d40ac4c
SHA256: 8f488264baed9cca064c9ac8bb1566826336333ac5b1f891b45cfe0fb23ad815
SHA512: 099d02da0093e8c672d99a1836f108e9e2114505df6104d42ff5156d7a8a3316372eb9be88b16f86ea3c5ebcf5c2102a5fe2da8bc4d2ae625665224f7c863acc