Analysis
Max time kernel: 148s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/11/2024, 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe
Resource: win10v2004-20241007-en
General
Target: 4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe
Size: 889KB
MD5: c084c421eacf4d6bf099cecdca44f95c
SHA1: e965949237563726188098798eb8d6f27101d636
SHA256: 4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a
SHA512: aed5126ce07b6c793d202c531e41491af0f532292069536e3341db05989d6bf4c2418120e2132614a94cd2f7d0ee7e9be8bde625dbb2b6be8ba220b19b98d65b
SSDEEP: 12288:ky90+ZL53gMunkcZY4AA8H1SzTH65Jfv4qFlfaflktXtua5qxjXJ40:kyDt3Xun1ZYsynlniktJkxjXO0
Malware Config
Extracted config 1
Family: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted config 2
Family: redline
Botnet: dork
C2: 185.161.248.73:4164
auth_value: e81be7d6cfb453cc812e1b4890eeadad
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
Resource matched by YARA rule family_redline:
  behavioral1/memory/3420-2169-0x00000000059C0000-0x00000000059F2000-memory.dmp
  behavioral1/files/0x000600000001e597-2174.dat
  behavioral1/memory/5376-2182-0x0000000000050000-0x000000000007E000-memory.dmp
  behavioral1/memory/4220-2196-0x0000000000770000-0x00000000007A0000-memory.dmp
  behavioral1/files/0x0007000000023cd9-2195.dat

Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  (process: p35379270.exe)

Executes dropped EXE (4 IoCs)
  PID 2560  y27941765.exe
  PID 3420  p35379270.exe
  PID 5376  1.exe
  PID 4220  r63382565.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: 4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (process: y27941765.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 316  WerFault.exe  target PID 3420  (procid_target 84)

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (processes: 4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe, y27941765.exe, p35379270.exe, 1.exe, r63382565.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 3420  p35379270.exe

Suspicious use of WriteProcessMemory (12 IoCs; each write was recorded three times)
  PID 4484 wrote to memory of 2560  (4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe, procid_target 83)  x3
  PID 2560 wrote to memory of 3420  (y27941765.exe, procid_target 84)  x3
  PID 3420 wrote to memory of 5376  (p35379270.exe, procid_target 89)  x3
  PID 2560 wrote to memory of 4220  (y27941765.exe, procid_target 95)  x3
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe  (PID 4484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e2cf763d31a9eb48bc972642763754d8e4a055d95facfa13c57ea87663ddf4a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y27941765.exe  (PID 2560)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y27941765.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p35379270.exe  (PID 3420)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p35379270.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\1.exe  (PID 5376)
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe  (PID 316)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1380
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r63382565.exe  (PID 4220)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r63382565.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe  (PID 4444)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3420 -ip 3420
Network
MITRE ATT&CK Enterprise v15
Downloads