Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 07:54
Static task: static1
Behavioral task: behavioral1
Sample: a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe
Resource: win10v2004-20241007-en
General
Target: a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe
Size: 890KB
MD5: adc1c5de298a24ffa7bd5e56520df57a
SHA1: a51cf0449ff0763a933d0a909c1f626f2619cd1a
SHA256: a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b
SHA512: 0828cba584b7a047578bca4be6ccfd94e5353664be73f4aa0b4131231967df08867c580b4fcb6a624d2b265fefd1706d402f1e1e85c25b0c9c9e99383c0cdb62
SSDEEP: 24576:xyH6Ei8w1nDR3Hni1cOqv44b9oruXkCzox5ozLO:kaow1DVO2PSaXFc5oz
Malware Config
Extracted
family: redline
botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Extracted
family: redline
botnet: dante
C2: 185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/3956-2169-0x0000000005290000-0x00000000052C2000-memory.dmp | family_redline
behavioral1/files/0x0002000000022ab5-2174.dat | family_redline
behavioral1/memory/3596-2182-0x00000000002E0000-0x000000000030E000-memory.dmp | family_redline
behavioral1/files/0x000a000000023b93-2194.dat | family_redline
behavioral1/memory/3280-2196-0x0000000000170000-0x00000000001A0000-memory.dmp | family_redline
Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation). This is a common geofence check: a stealer reads it before doing anything else so it can exit on hosts in countries it wants to avoid, which is also why it only shows up on one process in the chain.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | p25425769.exe
Executes dropped EXE (4 IoCs)
pid | Process
1732 | y34718768.exe
3956 | p25425769.exe
3596 | 1.exe
3280 | r40430071.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Both values are the RunOnce cleanup entries that the Windows self-extractor (wextract, as produced by IExpress) writes so that its IXP00n.TMP extraction directory is deleted at next logon via advpack.dll,DelNodeRunDLL32. They show that the sample is a nested self-extracting package (the outer sample unpacks to IXP000.TMP, y34718768.exe unpacks to IXP001.TMP); on their own they are not a persistence mechanism for the stealer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y34718768.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
WerFault.exe was launched for pid 3956, i.e. p25425769.exe (the process that queried the geofence key and started 1.exe) crashed after spawning its payload.
pid | pid_target | Process | procid_target
4516 | 3956 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Every process in the chain opens this key, and so do many legitimate programs, so on its own it is weak evidence; combined with the Geo\Nation lookup above it is the usual stealer geofence pattern.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y34718768.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | p25425769.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r40430071.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3956 | p25425769.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4736 wrote to memory of 1732 | 4736 | a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe | 83
PID 4736 wrote to memory of 1732 | 4736 | a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe | 83
PID 4736 wrote to memory of 1732 | 4736 | a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe | 83
PID 1732 wrote to memory of 3956 | 1732 | y34718768.exe | 84
PID 1732 wrote to memory of 3956 | 1732 | y34718768.exe | 84
PID 1732 wrote to memory of 3956 | 1732 | y34718768.exe | 84
PID 3956 wrote to memory of 3596 | 3956 | p25425769.exe | 89
PID 3956 wrote to memory of 3596 | 3956 | p25425769.exe | 89
PID 3956 wrote to memory of 3596 | 3956 | p25425769.exe | 89
PID 1732 wrote to memory of 3280 | 1732 | y34718768.exe | 94
PID 1732 wrote to memory of 3280 | 1732 | y34718768.exe | 94
PID 1732 wrote to memory of 3280 | 1732 | y34718768.exe | 94
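Added example, not part of this sandbox report and not code from the RedLine project: a small Python triage helper that replays the registry, token and WriteProcessMemory events listed in the signatures above against a few rules, and rebuilds the drop chain from the "wrote to memory of" edges. The event records and their field names (type, pid, image, key, token, target) are constructed for illustration; the key paths, PIDs and image names are taken from this report, and pid 1234 (explorer.exe) is a constructed benign control that only reads the language key.

```python
"""Triage helper for the behaviours this report lists: geofence lookup,
language lookup, wextract RunOnce cleanup, SeDebugPrivilege and cross-process
memory writes. Constructed example; event format is our own, not a sandbox export."""
import re
from collections import defaultdict

# Registry key suffixes from the report's signatures (compared lower-cased)
GEO_NATION = r"\control panel\international\geo\nation"   # geofence check
NLS_LANGUAGE = r"\control\nls\language"                   # system language (T1614.001)
# RunOnce value written by the Windows self-extractor (wextract/IExpress) cleanup
RUNONCE_WEXTRACT = re.compile(r"\\runonce\\wextract_cleanup\d+$", re.IGNORECASE)

HIVE_USER = r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000"
HIVE_SYS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001"
HIVE_SW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion"

# Constructed events modelled on the report. "sample.exe" stands for the
# submitted a00e1b63 binary; pid 1234 is a constructed benign control.
SAMPLE_EVENTS = [
    {"type": "reg_query", "pid": 3956, "image": "p25425769.exe",
     "key": HIVE_USER + r"\Control Panel\International\Geo\Nation"},
    {"type": "reg_open", "pid": 3956, "image": "p25425769.exe",
     "key": HIVE_SYS + r"\Control\NLS\Language"},
    {"type": "reg_open", "pid": 1732, "image": "y34718768.exe",
     "key": HIVE_SYS + r"\Control\NLS\Language"},
    {"type": "reg_set", "pid": 4736, "image": "sample.exe",
     "key": HIVE_SW + r"\RunOnce\wextract_cleanup0"},
    {"type": "reg_set", "pid": 1732, "image": "y34718768.exe",
     "key": HIVE_SW + r"\RunOnce\wextract_cleanup1"},
    {"type": "privilege", "pid": 3956, "image": "p25425769.exe", "token": "SeDebugPrivilege"},
    {"type": "write_memory", "pid": 4736, "image": "sample.exe", "target": 1732},
    {"type": "write_memory", "pid": 4736, "image": "sample.exe", "target": 1732},  # report repeats edges
    {"type": "write_memory", "pid": 1732, "image": "y34718768.exe", "target": 3956},
    {"type": "write_memory", "pid": 3956, "image": "p25425769.exe", "target": 3596},
    {"type": "write_memory", "pid": 1732, "image": "y34718768.exe", "target": 3280},
    {"type": "reg_open", "pid": 1234, "image": "explorer.exe",
     "key": HIVE_SYS + r"\Control\NLS\Language"},
]


def classify(events):
    """Map each pid to the set of behaviour tags its events trigger."""
    tags = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        key = ev.get("key", "").lower()
        if kind in ("reg_query", "reg_open"):
            if key.endswith(GEO_NATION):
                tags[pid].add("geofence_nation")
            elif key.endswith(NLS_LANGUAGE):
                tags[pid].add("language_discovery")
        elif kind == "reg_set" and RUNONCE_WEXTRACT.search(ev["key"]):
            tags[pid].add("wextract_cleanup_runonce")  # packaging artefact, not persistence
        elif kind == "privilege" and ev.get("token") == "SeDebugPrivilege":
            tags[pid].add("sedebug")
        elif kind == "write_memory":
            tags[pid].add("writes_child_memory")
    return dict(tags)


def verdict(tags):
    """Geofence lookup + SeDebugPrivilege + writing another process's memory is
    the combination the report shows for the loader (pid 3956). A language
    lookup alone is read by countless legitimate programs, so it stays 'low';
    a self-extractor that then writes into a child is worth a look ('medium')."""
    if {"geofence_nation", "sedebug", "writes_child_memory"} <= tags:
        return "high"
    if "geofence_nation" in tags or {"wextract_cleanup_runonce", "writes_child_memory"} <= tags:
        return "medium"
    return "low"


def children(events):
    """Parent -> [child pids] from WriteProcessMemory edges, first-seen order,
    with the sandbox's repeated edges collapsed."""
    kids = defaultdict(list)
    for ev in events:
        if ev["type"] == "write_memory" and ev["target"] not in kids[ev["pid"]]:
            kids[ev["pid"]].append(ev["target"])
    return dict(kids)


def chain_from(root, kids):
    """Depth-first pid order reachable from root: the drop chain."""
    order, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(kids.get(pid, [])))
    return order


def triage(events):
    """Per-pid summary: image name, sorted tags and verdict."""
    images = {ev["pid"]: ev["image"] for ev in events}
    return {pid: {"image": images[pid], "tags": sorted(t), "verdict": verdict(t)}
            for pid, t in classify(events).items()}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for pid in chain_from(4736, children(SAMPLE_EVENTS)):
        r = report.get(pid, {"image": "(no own events)", "tags": [], "verdict": "low"})
        print(f"{pid:>5}  {r['image']:<18} {r['verdict']:<7} {', '.join(r['tags'])}")
```

Run as a script it walks the chain 4736 → 1732 → 3956 → 3596, then 3280, and prints the verdict per process; only p25425769.exe (3956) reaches "high", which matches where the report's geofence query, SeDebugPrivilege and the drop of 1.exe all land. The verdict thresholds are a starting point for a real detection rule, not a calibrated score.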
Processes
C:\Users\Admin\AppData\Local\Temp\a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a00e1b63a334572d366890c336714c12d4e5e6feb30cdbaaff1ca8a0b6debb3b.exe"
  PID 4736
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y34718768.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y34718768.exe
    PID 1732
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p25425769.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p25425769.exe
      PID 3956
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        PID 3596
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1220
        PID 4516
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r40430071.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r40430071.exe
      PID 3280
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3956 -ip 3956
  PID 448
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 589KB
MD5: 029fd6a506993ef492715ae626909751
SHA1: e5dfd4aa9e620a14aaf737187c97ea69cac9fc5f
SHA256: a12c55763f7f40b8933edf5c0f42f66147d7839f06fe8b333ca3957cab62d335
SHA512: 527b72dfb662ecac78cb224ea0820d23705d72f604c8a1dadb68c2e92679a4f0967df76f85ab53fe840a1d541d7db83126c184984d571756a3e6064bf21fe45d

Filesize: 530KB
MD5: 1aad0f2f69ae1dd361084ab270868663
SHA1: f6d9f167f6106a52ff3d7cc0649035db2efe9a32
SHA256: d20d43e7514d2580962fd6b0d0d6a6f1d333a86661c996ad9ab49cfd5d02e47f
SHA512: bb2a3c92c49bd363b21462b2dae9fd0297f61edf1a097b79e6724777a0f98d79775b51e88414f6d5893c3f830f401c3320c1eebc242a7580c9854c15043157c7

Filesize: 168KB
MD5: 1d24153029fa634275c2d27bd6e8bb8f
SHA1: 8ddbe6aa9234af26b0f55ef32138d088f480c7b6
SHA256: ae52204b74b177579b3c7aff8791cdb9d63aea205de7f1bacb45476486a98445
SHA512: 374c320209fc4974edef569783de7f70755c185c9537fa2b83b646eb44649f8ce84e44b592118f3eb0ba35467bec92dbb6b828562febc9fcb9be9dff09d69129

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf