Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:48

Static task: static1
Behavioral task: behavioral1
Sample: 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe
Resource: win10v2004-20241007-en
General

Target: 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe
Size: 886KB
MD5: 3b6f0ebbc4fc12c54d7098b8a30d0446
SHA1: cdcc2a1e55431713fb28c6a97bfab70eb26c2618
SHA256: 51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403
SHA512: 28a3d54cbf5e99dbd7d199addde166625302a129cd1aaa842682eb4672ad34e2eca53410912580ab227a4e78a04c874eb6332615d20c6d41f46f0ae4f97b384e
SSDEEP: 24576:Py4W0EDHeKw4/Mr4Tiae6VfWjt+0mlGDmKkPY:a6ED5V84TiaeVRdBDmKa
Malware Config

Extracted
Family: redline
Botnet: mixa
C2: 185.161.248.75:4132
auth_value: 9d14534b25ac495ab25b59800acf3bb2
Signatures

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (a0215221.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (a0215221.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (a0215221.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (a0215221.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (a0215221.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (a0215221.exe)
Each of these policy values set to 1 switches off one component of Defender real-time protection. The WOW6432Node path shows the writes came from a 32-bit process (the run is tagged arch:x86 as well as arch:x64). With Tamper Protection enabled Defender does not honour these policy values, so the report shows the attempt, not its effect.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
- behavioral1/files/0x000a000000023b82-54.dat (yara rule: family_redline)
- behavioral1/memory/4292-56-0x0000000000DA0000-0x0000000000DCE000-memory.dmp (yara rule: family_redline)
The memory match is in PID 4292, which is b2915517.exe, so that stage carries the RedLine payload; a0215221.exe is the stage that tampers with Defender.

Redline family
Executes dropped EXE 4 IoCs
- PID 2404 v3604953.exe
- PID 2608 v1994845.exe
- PID 2680 a0215221.exe
- PID 4292 b2915517.exe

Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (a0215221.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (a0215221.exe)
Writing 0 to TamperProtection is an attempt to switch Tamper Protection off alongside the Real-Time Protection policy changes; when Tamper Protection is on, this value is itself protected, so the record does not imply the write succeeded.
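As an added example (not part of the sandbox report or of the malware), the following Python turns the two Defender signatures above into a detection over Sysmon Event ID 13 (RegistryEvent SetValue) records. The event records are constructed from the IoCs listed, with one benign write and one key-creation event for contrast; the field names EventID, Image, TargetObject and Details are assumed to follow Sysmon's JSON export.

```python
"""Flag Defender-disabling registry writes in Sysmon Event ID 13 (SetValue) records.

Example added to this report, not sandbox or RedLine code. The records at the bottom
are constructed: their values come from the IoCs above plus one benign write and one
key-creation event for contrast; field names mirror Sysmon's.
"""
import json
import re

# Policy values a0215221.exe set to 1 (from the report). Each one at 1 turns off one
# component of Defender real-time protection.
RTP_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# Accept both the native and the WOW6432Node view of the keys: the sandbox logged the
# WOW6432Node path because the dropper stages are 32-bit processes running under WOW64.
RTP_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$",
    re.IGNORECASE,
)
TAMPER_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)


def parse_dword(details):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; the sandbox above renders it as "1"."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group()) if m else None


def classify(event):
    """Return a finding for a Defender-tampering SetValue event, or None."""
    if event.get("EventID") != 13:
        return None
    target = event["TargetObject"]
    data = parse_dword(event.get("Details", ""))
    m = RTP_RE.search(target)
    if m and m.group(1) in RTP_VALUES and data == 1:
        return {"rule": "defender_rtp_disabled", "value": m.group(1), "image": event["Image"]}
    if TAMPER_RE.search(target) and data == 0:
        return {"rule": "defender_tamper_protection_off", "value": "TamperProtection",
                "image": event["Image"]}
    return None


def scan(lines):
    """Run classify() over JSON-lines Sysmon records and collect the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed records. The three a0215221.exe writes are taken from the report; the
# Event 12 record and the svchost.exe write (value 0 = protection enabled) are made up.
STAGE3 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe"
RTP_KEY = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": STAGE3, "TargetObject": RTP_KEY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": STAGE3, "TargetObject": RTP_KEY + r"\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": STAGE3, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventID": 12, "Image": STAGE3, "TargetObject": RTP_KEY},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # JSON lines, as a log export would be

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The value check matters: a policy refresh that writes DisableRealtimeMonitoring = 0 touches the same path and must not alert, and Key created (Event 12) on its own says nothing about the value.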
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v3604953.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (v1994845.exe)
These wextract_cleanupN RunOnce values are the standard entries written by the Windows self-extractor stub (wextract, as used by IExpress packages): DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at the next logon. They show that the sample is three nested self-extracting packages, not that the payload installed an autostart of its own.
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (v3604953.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (v1994845.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a0215221.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b2915517.exe)
All five stages open this key, including the three self-extractor stubs, and many legitimate programs read it too, so on its own it is a weak indicator.
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 2680 a0215221.exe
- PID 2680 a0215221.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 2680 a0215221.exe

Suspicious use of WriteProcessMemory 12 IoCs
- PID 1476 (51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe) wrote to memory of PID 2404, procid_target 83 (3 entries)
- PID 2404 (v3604953.exe) wrote to memory of PID 2608, procid_target 84 (3 entries)
- PID 2608 (v1994845.exe) wrote to memory of PID 2680, procid_target 85 (3 entries)
- PID 2608 (v1994845.exe) wrote to memory of PID 4292, procid_target 96 (3 entries)
Every target is a child the writing process had just launched, so these are the parent-to-child writes made during process creation; no write into an existing, unrelated process is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe (depth 1, PID 1476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe (depth 2, PID 2404)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3604953.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe (depth 3, PID 2608)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1994845.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe (depth 4, PID 2680)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0215221.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe (depth 4, PID 4292)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2915517.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
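The process tree above is the shape a nested self-extractor chain leaves in telemetry: each stage runs from its own %TEMP%\IXP00N.TMP directory and the final payloads sit at the bottom. As an added example (not sandbox code), the Python below rebuilds such a tree from Sysmon Event ID 1 (ProcessCreate) records and reports leaf processes that sit under two or more IXP stages. The records are constructed from the PIDs and paths above; the parent PID 1000 and the notepad.exe process are made up for contrast, and the field names ProcessId, ParentProcessId and Image are assumed to follow Sysmon's.

```python
"""Rebuild a process tree from Sysmon Event ID 1 records and flag payloads launched at
the bottom of a nested self-extractor (wextract/IExpress) chain.

Example added to this report, not sandbox code. The records are constructed from the
PIDs and paths in the tree above, plus a made-up parent (PID 1000) and one unrelated
process (notepad.exe) for contrast; field names mirror Sysmon's.
"""
import re
from collections import defaultdict

# Executable launched from a wextract extraction directory (IXP000.TMP, IXP001.TMP, ...).
IXP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)


def build_tree(events):
    """Index ProcessCreate records by pid and group child pids under their parent."""
    procs = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    children = defaultdict(list)
    for pid, rec in procs.items():
        children[rec["ParentProcessId"]].append(pid)
    return procs, children


def ancestry(procs, pid):
    """Records from pid up to the highest ancestor we hold a record for (leaf first)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ParentProcessId"]
    return chain


def ixp_depth(chain):
    """Count consecutive processes, from the leaf upward, that run from an IXP00N.TMP dir."""
    depth = 0
    for rec in chain:
        if not IXP_EXE_RE.search(rec["Image"]):
            break
        depth += 1
    return depth


def find_nested_sfx_payloads(events, min_depth=2):
    """Leaf processes (no recorded children) under at least min_depth IXP stages.

    min_depth=2 ignores a single IExpress package, which legitimate installers use,
    while keeping the nested packaging seen above (three IXP stages).
    """
    procs, children = build_tree(events)
    hits = []
    for pid, rec in procs.items():
        if children.get(pid):
            continue
        chain = ancestry(procs, pid)
        depth = ixp_depth(chain)
        if depth >= min_depth:
            hits.append({"pid": pid, "image": rec["Image"], "ixp_depth": depth,
                         "root_image": chain[-1]["Image"]})
    return sorted(hits, key=lambda h: h["pid"])


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PROCESS_EVENTS = [  # constructed; PIDs and paths from the tree above
    {"EventID": 1, "ProcessId": 1476, "ParentProcessId": 1000,
     "Image": TEMP + r"\51e92258193ecd9ae214c6940dea24683471bf912f183f21f98eabc8e9fa1403.exe"},
    {"EventID": 1, "ProcessId": 2404, "ParentProcessId": 1476, "Image": TEMP + r"\IXP000.TMP\v3604953.exe"},
    {"EventID": 1, "ProcessId": 2608, "ParentProcessId": 2404, "Image": TEMP + r"\IXP001.TMP\v1994845.exe"},
    {"EventID": 1, "ProcessId": 2680, "ParentProcessId": 2608, "Image": TEMP + r"\IXP002.TMP\a0215221.exe"},
    {"EventID": 1, "ProcessId": 4292, "ParentProcessId": 2608, "Image": TEMP + r"\IXP002.TMP\b2915517.exe"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_nested_sfx_payloads(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

Run on the constructed records this reports a0215221.exe and b2915517.exe with an IXP depth of 3 and the original sample as the root image; the intermediate stages are skipped because they have children, and notepad.exe because its ancestry holds no IXP stage.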
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

File 1
Filesize: 488KB
MD5: b8e462df97eb6c9b27bfa81dc5a6ec72
SHA1: c7c3fe68fdb9f5cea51900f0255c79276bdc89db
SHA256: 36cf47120fcd4b71f989ce13edf46764c91c4ecbeb8ba49f455dad5a71c5f9e8
SHA512: 5d059f54958a4df6bb47bf5b57f0b869387c76d29538ba5ba0fe5d5ef2a0c9e865f95dde8ed0c0f89b036742c49aeda599930aebb7eeb70538a75328fcd80b12

File 2
Filesize: 316KB
MD5: 93ef0e9a3a2d6465200f788a722053e6
SHA1: c1367f9baa6ca778edc75b9ea9ce7ad380f9c3a2
SHA256: feb41c1421820612aea856752a440f5030ad82646383b722635a7f8e9aee6d0a
SHA512: 47de94ce27749890b172c4ab4aa81ec71d89d904ca980b4d8d5bfc4e2fbc65c4df9590ffa81e9bbcd3b7761570ce90811cc11ec9ebbfa8cd080633f5dc6af0c9

File 3
Filesize: 184KB
MD5: d4c640fb500618ad6c9fc5fe7d3e784d
SHA1: 850df0880e1685ce709b44afbbb365cab4f0fec4
SHA256: a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b
SHA512: a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

File 4
Filesize: 168KB
MD5: 5366664936e30a322473778461d141fd
SHA1: ef60738704e3518ee7d65ccdf956a73d16e7f130
SHA256: e35dcf4d09dcfca6db8a08755e7d2115a3ddd2dc4faa571d96482ffaf3669c01
SHA512: ab67b7995b4f8052f7fe287471cfb155744a8c9bf6e7cd00c1d592ef2de63b7eb89812f4c9612625026068d31ead1954fd3c30dabb11e9bb563c70eca9ad346d