Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:52
Static task: static1
Behavioral task: behavioral1
Sample: 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe
Resource: win10v2004-20241007-en
General
Target: 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe
Size: 709KB
MD5: 8f92ba54dcdaab9ce8dd43ad6407346d
SHA1: b28a84935486e2fe10313816772cc276211b1d73
SHA256: 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a
SHA512: fc35673221857d47c0368ea10edb2ae7c2153da1e72b6753f37222ddf92c098d3e9f79f9b8f28574e3d0f0658ed9ee9001d2ba32883f35c71c6b578e104e4a77
SSDEEP: 12288:VMr0y90zM7mXyIe8vkb6Kx/pvXha6NuvyxJ3A77nz9B7lG:ZyoM888v8/pvXhtNuKxNcJG
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b99-12.dat | family_redline
behavioral1/memory/1452-15-0x00000000000E0000-0x0000000000108000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
2044 | x2278100.exe
1452 | g3177496.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x2278100.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x2278100.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g3177496.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 116 wrote to memory of 2044 | 116 | 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe | 83
PID 116 wrote to memory of 2044 | 116 | 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe | 83
PID 116 wrote to memory of 2044 | 116 | 5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe | 83
PID 2044 wrote to memory of 1452 | 2044 | x2278100.exe | 84
PID 2044 wrote to memory of 1452 | 2044 | x2278100.exe | 84
PID 2044 wrote to memory of 1452 | 2044 | x2278100.exe | 84
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f43489ac32b227a5f61dc04e7fb267cc6f6a9ae8e85ba60cd5dc0958b3e071a.exe"
    PID: 116
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2278100.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2278100.exe
        PID: 2044
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3177496.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3177496.exe
            PID: 1452
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 417KB
MD5: 9caafcb82be68e8340e2edd56ae1e2c4
SHA1: 2f137367de8014862929306808d51c31e35b46c7
SHA256: c759a7f7e29275d8a6d3a18b55de9e0413a04ee292355ce2f81d90ed346ddec2
SHA512: 02c6a0a31faad3a316fb7ea3376c0019c147eeb504385d77a71471039036bde317335910136f4bc02b7bfd6db2f87714ac949b1e90977a48e0ac41ac8b52acaf

File 2
Filesize: 136KB
MD5: 95e6b81c09e6a45f50676fe115199131
SHA1: b1be5c2cd2e74a249ca3de5ea97d4a96b94ed0b1
SHA256: 176fb5a51706223d7aa94dc5d6758a0e548ad05bd190e47e3f07acc123796d37
SHA512: 3bb6fe301b091827a36d35761a9e1dea0f3311e8079246d4c271b83de5d70a2c8f656997f5713c1f5e0b5f41ba4ac7680e51b404b312a186e290971f65729cce