Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:47
Static task: static1
Behavioral task: behavioral1
Sample: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe
Resource: win10v2004-20241007-en
General

Target: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe
Size: 479KB
MD5: 6f6d66435577918c33d2136ad447dbbb
SHA1: 5bd81e94c6186a0693f2935804ea56fb0081ff80
SHA256: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154
SHA512: bedb0c2bfd6046918983d1d5e2fa97c4e759dde041357a6e0f4d7ab463b678488b9f7f789fe4a059bd17c6d31c43a53b60c5cc29c1ca1372a7464b246ff988f0
SSDEEP: 6144:Kfy+bnr+kp0yN90QE94qTyzsEptNOlBzgkyPv+2EcWDG8630zGXRZbMySImTPn5:hMroy90ooIO+XPvgG8SXEySImd
Malware Config

Extracted
Family: redline
Botnet: domor
C2: 217.196.96.101:4132
auth_value: 39471bda00546bb0435bc7adfd6881dc
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- resource: behavioral1/files/0x000b000000023b62-12.dat; yara_rule: family_redline
- resource: behavioral1/memory/1224-15-0x0000000000330000-0x000000000035E000-memory.dmp; yara_rule: family_redline

Redline family

Executes dropped EXE (2 IoCs)
- pid: 4568; process: x1506717.exe
- pid: 1224; process: g4164139.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""; process: x1506717.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: x1506717.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: g4164139.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- description: PID 2960 wrote to memory of 4568; pid: 2960; process: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe; procid_target: 83
- description: PID 2960 wrote to memory of 4568; pid: 2960; process: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe; procid_target: 83
- description: PID 2960 wrote to memory of 4568; pid: 2960; process: 10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe; procid_target: 83
- description: PID 4568 wrote to memory of 1224; pid: 4568; process: x1506717.exe; procid_target: 84
- description: PID 4568 wrote to memory of 1224; pid: 4568; process: x1506717.exe; procid_target: 84
- description: PID 4568 wrote to memory of 1224; pid: 4568; process: x1506717.exe; procid_target: 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\10dee72f113c5b66414a745b8a72151f55e50a9d3ed3cac5d0c3c5eae8e46154.exe"
   PID: 2960
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1506717.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1506717.exe
      PID: 4568
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4164139.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4164139.exe
         PID: 1224
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 307KB
MD5: e9630724e06a077ec2ff25e089d4594a
SHA1: 4beb12336e5dd3a11d13791595165a9dd831ce23
SHA256: 6816d7a131487ac07d470da58249d0f071e89cde4d2a4435a8d3106e57801cae
SHA512: 8af6505cfe3f8afd2951cd982d658590422816b69a37732d46620ebd31acd3970534a5e20b6065821d1cadf98c5923b6d810564edb475fbf09027f1397732607

Filesize: 168KB
MD5: d492197d1fd2da105a770e26e2950033
SHA1: 80014c1e62e7f42ab3be66b4cccda186cb5a07b4
SHA256: 80108a2af5fbe55cda7478c201d2d85e6ae6918fd78918fdc63a78df2f94f65b
SHA512: 66962459d2f06c01d636deba8e0f2eff74bdf35f956c55e56ec94374b3b58beaec892434fb056f545d65c576290334eb854b33c99d070e659b98d2a18766c52b