Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:02
Static task: static1
Behavioral task: behavioral1
Sample: 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe
Resource: win10v2004-20241007-en
General
Target: 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe
Size: 589KB
MD5: 70294e93eea8a460352231e44f36c02c
SHA1: ee6b4cebe25905b2745496a75aa9b08b3dc9779c
SHA256: 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4
SHA512: 9b156c1726387fe386578acefa0c0c1f636a1775ccb630d8c565b9512e5a3eb0d688140e19b3f67d23c81d243c1747a77a2632a06c5bbe5d1ca18c30239d696c
SSDEEP: 12288:WMrNy90cXjdQfJ0brhtlpx4kCJY7T3vKq:DypXkJ0brh/pOY7TvKq
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b9e-12.dat | family_redline
behavioral1/memory/2376-15-0x0000000000C60000-0x0000000000C88000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
4008 | x4548890.exe
2376 | g0828639.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x4548890.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x4548890.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g0828639.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2892 wrote to memory of 4008 | 2892 | 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe | 84
PID 2892 wrote to memory of 4008 | 2892 | 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe | 84
PID 2892 wrote to memory of 4008 | 2892 | 770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe | 84
PID 4008 wrote to memory of 2376 | 4008 | x4548890.exe | 85
PID 4008 wrote to memory of 2376 | 4008 | x4548890.exe | 85
PID 4008 wrote to memory of 2376 | 4008 | x4548890.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\770453ee69ee95d05fceec377716cb2c2b8e267c2219091b5752c58a5b7a3ff4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2892
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4548890.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4548890.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4008
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0828639.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0828639.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2376
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 417KB
MD5: 46528375980e8cdc8def5c32fb4c46de
SHA1: d2481d11be9fed8bb1dbb49d462411fd771270f9
SHA256: 944b7f4801f730d5d4b676c654c23d1df33ba19e1f8cc5adad6b20c19a0a2bab
SHA512: a02afcaa8d18c6dabb8cb75398204b93ab46102e3bbed892a615a172e928bed2d09b8e93c65d2b9f2e7c8f3f6e40bbfebf1bb8987bb5c42db20ce71dc68b84d5

Filesize: 136KB
MD5: 7866b019181b680a3c91ac98c03a1554
SHA1: 8789d9d95d00d7d23772a223b29bdd5a4299df2c
SHA256: 8e6b2e477ab405351f663e19c5d9a1bdc1acb36586a03f9a70441b57ddac0385
SHA512: 8b4f2b2827f7c95f5801247752694658131d944341bce63a1f4d0742cabcef9360cda144c01004c4824a1d30bab01f84e032078bfbb6f59ad890619366962033