Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/11/2024, 06:46
Static task
static1
Behavioral task
behavioral1
Sample
f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe
Resource
win10v2004-20241007-en
General
-
Target
f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe
-
Size
479KB
-
MD5
a0b424246e704dfcf024f87de51b61fc
-
SHA1
be9f7089a8f04cdf092421516fc41d812e613c22
-
SHA256
f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303
-
SHA512
d2c9a81bd5bd712e61b533be2aed5fed8fd07330bab9d570419ed736f7aa2727a8dc30351a62819949a62248d5e33d8c2f476354e1a4fa872e493e33e6829237
-
SSDEEP
12288:mMr7y901kazwZQ1JpvAsq/kFKupRRW1Bg9zs0iCRSPQW3e:ZyMZ9NA5Kvk1uu0iCPWO
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b91-12.dat | family_redline
behavioral1/memory/1932-15-0x0000000000AE0000-0x0000000000B08000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 2 IoCs
pid | Process
3208 | x2357856.exe
1932 | g8692616.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x2357856.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x2357856.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g8692616.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1192 wrote to memory of 3208 | 1192 | f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe | 83
PID 1192 wrote to memory of 3208 | 1192 | f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe | 83
PID 1192 wrote to memory of 3208 | 1192 | f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe | 83
PID 3208 wrote to memory of 1932 | 3208 | x2357856.exe | 84
PID 3208 wrote to memory of 1932 | 3208 | x2357856.exe | 84
PID 3208 wrote to memory of 1932 | 3208 | x2357856.exe | 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f96905316aef783d207c3dfd3059eb6c9c8c1d36e4ac284389ae2ff2f335b303.exe"
Depth: 1
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2357856.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2357856.exe
Depth: 2
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8692616.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8692616.exe
Depth: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
307KB
MD5 a9b4b04318bbd3014ecdde528647f8bf
SHA1 75ec8f017e308c13f03d3f344e280562059c9bc8
SHA256 3f07676981025cf101c7da9c063597675d51d93dd0237f10b75bc8f154960438
SHA512 9f8646f4ced2b27fc4b7438e865a5e8b626961c4b1209b9def2a3ae7fce44c2730c003950fb1c5e0ce067876de6bc783427e5c49727e53f5c16f4bbc31a0ab68
-
Filesize
136KB
MD5 e962daa39b92b462e69275aa1f9f7a34
SHA1 1bd070310028850f77e250710d6add3bbcc2bbd6
SHA256 c4e5b375d1480e00a09010cad6a65a4fd992dde4f29a24e041203e426beece7a
SHA512 c4c97b9448466c3faad0ceb45f0546ff3e1585bfba921bde588c69f0b5f5711fe2beb1d762dfbee771e71842d78e5ac1ffa25add0b5d2b02e4879c8f318c848c