Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:01
Static task: static1
Behavioral task: behavioral1
Sample: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe
Resource: win10v2004-20241007-en
General
Target: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe
Size: 599KB
MD5: 06712875e69a0726a481ddf65ee1e61b
SHA1: 2224a78308047c8e58a595d242bff7fc5d893585
SHA256: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827
SHA512: 4b681bcb76d3831c72513be21d121c0226ec24fe6eb74d0c5c2eb98b6f7b2238479c0c3e220461ee29498f48443facd1b2eaec44d603c3c1ee6e40aa56d141b9
SSDEEP: 12288:ZMrGy90sfswDV04MBYEmWl8Oqy/TztVQRx4Udb3UooRlwm/UsiGD2QO:zybfs54LbE80b4L4pDe
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource: behavioral1/files/0x0008000000023c97-12.dat    yara_rule: family_redline
resource: behavioral1/memory/2332-15-0x00000000008B0000-0x00000000008D8000-memory.dmp    yara_rule: family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid: 5104    Process: y9275754.exe
pid: 2332    Process: k0001006.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    Process: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe
description: Set value (str)    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    Process: y9275754.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: y9275754.exe
description: Key opened    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: k0001006.exe
description: Key opened    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 5116 wrote to memory of 5104    pid: 5116    Process: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe    procid_target: 84
description: PID 5116 wrote to memory of 5104    pid: 5116    Process: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe    procid_target: 84
description: PID 5116 wrote to memory of 5104    pid: 5116    Process: 8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe    procid_target: 84
description: PID 5104 wrote to memory of 2332    pid: 5104    Process: y9275754.exe    procid_target: 86
description: PID 5104 wrote to memory of 2332    pid: 5104    Process: y9275754.exe    procid_target: 86
description: PID 5104 wrote to memory of 2332    pid: 5104    Process: y9275754.exe    procid_target: 86
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c7650443226a4585ba8c07b9d20b05259391dbdb64770d988860acc042cf827.exe"
  PID: 5116
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9275754.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9275754.exe
    PID: 5104
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0001006.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0001006.exe
      PID: 2332
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 307KB
  MD5: 3538fde2d5363b6c21bedaaf748b1db8
  SHA1: ccb40e106b65d8d68c39477f3b3510628527af21
  SHA256: a0acc70a2cd1362d6a33e54abe8d823cb9c6e95bdb07eeaf423fc227993403de
  SHA512: 5458e723f2b5383ad182584dd21944baf8f7834255bedfe8e907ff5d8bf9362b083e0bb988fdf3f9422021a17c88bff05f78cc42fc2839bec714a8e7c304a5c3
File 2
  Filesize: 136KB
  MD5: 4262589e61fe516772bc61d54e90ffb5
  SHA1: c3366085b42403069a2e06ccd7d2e4658b9c59fd
  SHA256: b07ce56647b591297afbd2d389ab4a541c7101df071801071b696c5745e03822
  SHA512: 4f03cfaf9417cb0e193567acca9a453132aed81c1dee0cb408454277400587eaed87c5ed4fcbca10afef0550c597c6fa64dc9948b618c5ab41b0ec7e67d63c41