Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 06:52
Static task
static1
Behavioral task
behavioral1
Sample
399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe
Resource
win10v2004-20241007-en
General
-
Target
399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe
-
Size
376KB
-
MD5
ee94fc5cc7de14385f4a7ab654990020
-
SHA1
fbeb5f0263a1b68c9172e6f74b23d5c89c76af95
-
SHA256
399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725
-
SHA512
d2986c3e8fcefb81129131c35aae593ace9303fbd507f61aa832afdfa84f076094e3760da42853f492c49a0f5a04eb21023420acbbb6bdc5dc6100afaa62b38b
-
SSDEEP
6144:Kdy+bnr+Hp0yN90QEH3ilc5H+X5VKQLkj2OoqMBOTs716VYz+Lhed:rMr/y90J3iidQynoOTs7oaiNed
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0009000000023bc3-12.dat family_redline behavioral1/memory/4568-15-0x0000000000CD0000-0x0000000000CF8000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 1752 x8194485.exe 4568 g8398904.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x8194485.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8398904.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x8194485.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1968 wrote to memory of 1752 1968 399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe 83 PID 1968 wrote to memory of 1752 1968 399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe 83 PID 1968 wrote to memory of 1752 1968 399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe 83 PID 1752 wrote to memory of 4568 1752 x8194485.exe 85 PID 1752 wrote to memory of 4568 1752 x8194485.exe 85 PID 1752 wrote to memory of 4568 1752 x8194485.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe"C:\Users\Admin\AppData\Local\Temp\399ee73ca5fd42f4aeda9593c0d2ce8624c81c22117a37e3c7d13673e8bf0725.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8194485.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8194485.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8398904.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8398904.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4568
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD547f978dafeda927083137d749241a5cb
SHA16c97b19fcd82b00ab2fb376edf899936c1a50767
SHA2564d72136d289f0f955553a0610fa8beeccd4e453ed9b9829c94b5de023cf70d46
SHA512759db6d77e9b52f0c783d0d75adc993cdb6011dd5658f0465bea68125bd2d5bc4ed5ef916c55d7280c7287ff1bf5cccf396cbde5dbefc74701cf729728467c0b
-
Filesize
136KB
MD58f30f7f88229560306c5959c605316de
SHA136f26a905a9743f6dd1608e39b37d1116cafcc0a
SHA2563a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7
SHA512267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0