Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:52
Static task: static1
Behavioral task: behavioral1
Sample: ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe
Resource: win10v2004-20241007-en
General
Target: ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe
Size: 488KB
MD5: 05948601b504afed74cd9ef32f1c757b
SHA1: 318f9a04cd21a7f5f47a2fb7bb2d13fe385fb14d
SHA256: ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119
SHA512: 632f74c2d9f0ef1812fb139a7f3325c8187e5690c26df5ab77e2844832059a35116271d3e803edde7f16e18ab1a38f7a0214c597bcf82bd3a4fe8fd8e4237569
SSDEEP: 12288:5Mrdy90bIBggQgHNHqfREq7vK9oayvJ5Iph:sy1hQgHphyK9oaGJqn
Malware Config
Extracted
Family: redline
Botnet: mauga
C2: 217.196.96.102:4132
auth_value: 36f5411cf117f54076fbbb9ea0631fee
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a3578482.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a3578482.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a3578482.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a3578482.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a3578482.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3578482.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023c98-55.dat | family_redline
behavioral1/memory/2636-56-0x0000000000100000-0x000000000012E000-memory.dmp | family_redline
Redline family
Executes dropped EXE 3 IoCs
pid | Process
780 | v3021075.exe
4972 | a3578482.exe
2636 | b2965018.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a3578482.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3578482.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3021075.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v3021075.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a3578482.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2965018.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4972 | a3578482.exe
4972 | a3578482.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4972 | a3578482.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2224 wrote to memory of 780 | 2224 | ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe | 83
PID 2224 wrote to memory of 780 | 2224 | ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe | 83
PID 2224 wrote to memory of 780 | 2224 | ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe | 83
PID 780 wrote to memory of 4972 | 780 | v3021075.exe | 85
PID 780 wrote to memory of 4972 | 780 | v3021075.exe | 85
PID 780 wrote to memory of 4972 | 780 | v3021075.exe | 85
PID 780 wrote to memory of 2636 | 780 | v3021075.exe | 95
PID 780 wrote to memory of 2636 | 780 | v3021075.exe | 95
PID 780 wrote to memory of 2636 | 780 | v3021075.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad1e6ac46401d151f00297931089ca65a1ab931461390549dfe90c99fe82b119.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2224
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3021075.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3021075.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 780
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3578482.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3578482.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4972
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2965018.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2965018.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2636
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads