Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 08:06

Static task: static1
Behavioral task: behavioral1
Sample: 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
Resource: win10v2004-20241007-en
General

Target: 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
Size: 1.1MB
MD5: 005e7f9debdf573a6fddad49c1311cf6
SHA1: 6779582ea1deca54999b84b9d0ad698598649f09
SHA256: 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89
SHA512: d79da55cdd944c63477f469a444d8598688012236fc798750dc7f19a9667660ddcfc45eb334f377c437d39edbbb9a245c63ac78b4e360061a0c9bb6ef58d91f6
SSDEEP: 24576:yyGLjMu1b+0TFkYkDtEzCESAUPQLQ12u2d9T+r/6TbD:ZgjlTFkYkKCES14LK2rd06T
Malware Config

Extracted
Family: redline
Botnet: doma
C2: 185.161.248.75:4132
auth_value: 8be53af7f78567706928d0abef953ef4
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | k4028986.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k4028986.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k4028986.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k4028986.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k4028986.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k4028986.exe

The WOW6432Node prefix shows these writes came from a 32-bit process and were redirected by WOW64; a detection that only watches the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender path would miss them, so match both registry views.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0007000000023caf-54.dat | family_redline
behavioral1/memory/4808-56-0x00000000002A0000-0x00000000002CA000-memory.dmp | family_redline

Redline family

Executes dropped EXE 4 IoCs
pid | Process
3528 | y3389223.exe
2176 | y7962986.exe
1664 | k4028986.exe
4808 | l3177548.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k4028986.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k4028986.exe

The sandbox records the attempted write, not its effect: when Tamper Protection is enforcing it blocks edits to this key, and the write again landed in the WOW6432Node view rather than the native one.
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y3389223.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y7962986.exe

These wextract_cleanupN RunOnce values are the cleanup entries the IExpress self-extractor (wextract) registers to delete its IXP00n.TMP extraction directory at next logon. They show three nested IExpress packages (the sample, y3389223.exe, y7962986.exe) rather than a persistence mechanism for the stealer.
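Added example, not part of the sandbox report: a small Python classifier that reads rows in the report's own "Set value" notation, folds the WOW6432Node view into the native HKLM path so one rule covers 32- and 64-bit writers, and separates the Defender real-time-protection policy writes and the TamperProtection write from the wextract_cleanup RunOnce entries, which it labels as IExpress cleanup rather than persistence. The sample rows are copied from the signature tables above; the final row (hypothetical.exe writing a Run value named Updater) is constructed to show what a genuine autostart write looks like by contrast.

```python
import re
from collections import Counter

# Value names under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# whose DWORD 1 switches a protection off; all five are set by k4028986.exe above.
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# One "Set value" row in the sandbox's own notation:
#   Set value (int|str) <key>\<value> = "<data>" <process>
EVENT_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)" (\S+)$')


def normalize_key(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE as HKLM and drop the WOW6432Node hop, so the
    same write seen from a 32-bit process (this sample) and from a 64-bit one
    compare equal and a single rule covers both registry views."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    return re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.IGNORECASE)


def parse_event(line: str):
    """Return a dict for a 'Set value' row, or None for other row kinds
    (e.g. 'Key created'), which carry no data to classify."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    kind, full_path, data, proc = m.groups()
    key, _, value = full_path.rpartition("\\")
    return {"type": kind, "key": normalize_key(key), "value": value,
            "data": data, "process": proc}


def classify(ev: dict) -> str:
    key, value, data = ev["key"].lower(), ev["value"], ev["data"]
    if (key.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and value in RTP_DISABLE_VALUES and data == "1"):
        return "defender_rtp_disabled"
    if (key.endswith(r"\microsoft\windows defender\features")
            and value == "TamperProtection" and data == "0"):
        return "defender_tamper_protection_off"
    if (key.endswith(r"\currentversion\runonce")
            and value.lower().startswith("wextract_cleanup")
            and "advpack.dll,delnoderundll32" in data.lower()):
        # IExpress/wextract registers this to delete its IXP00n.TMP directory;
        # it marks a nested self-extractor, not persistence for the payload.
        return "iexpress_cleanup"
    if key.endswith(r"\currentversion\run") or key.endswith(r"\currentversion\runonce"):
        return "autostart_persistence"
    return "other"


def triage(lines):
    """Classify every parsable row; returns (findings, verdict counts)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            findings.append((ev["process"], classify(ev), ev["value"]))
    return findings, Counter(v for _, v, _ in findings)


# Constructed input: the first six rows are copied from the signature tables above;
# the last one is a hypothetical 64-bit-view Run entry added to show the contrast.
SAMPLE_EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection k4028986.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k4028986.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k4028986.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k4028986.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" k4028986.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y7962986.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" hypothetical.exe
'''.strip().splitlines()

if __name__ == "__main__":
    findings, counts = triage(SAMPLE_EVENTS)
    for proc, verdict, value in findings:
        print(f"{proc:<18} {verdict:<32} {value}")
    print(dict(counts))
```

The RunOnce test deliberately keys on both the value-name prefix and the advpack.dll,DelNodeRunDLL32 command; matching the name alone would let a payload hide a real autostart behind a wextract_cleanup-style name.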
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y3389223.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y7962986.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k4028986.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l3177548.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe

Ordinary locale initialisation opens this key too, so on its own it is a weak indicator; it matters here only in combination with the Defender tampering and the RedLine payload detections.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1664 | k4028986.exe
1664 | k4028986.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1664 | k4028986.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3188 wrote to memory of 3528 | 3188 | 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe | 83
PID 3188 wrote to memory of 3528 | 3188 | 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe | 83
PID 3188 wrote to memory of 3528 | 3188 | 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe | 83
PID 3528 wrote to memory of 2176 | 3528 | y3389223.exe | 84
PID 3528 wrote to memory of 2176 | 3528 | y3389223.exe | 84
PID 3528 wrote to memory of 2176 | 3528 | y3389223.exe | 84
PID 2176 wrote to memory of 1664 | 2176 | y7962986.exe | 86
PID 2176 wrote to memory of 1664 | 2176 | y7962986.exe | 86
PID 2176 wrote to memory of 1664 | 2176 | y7962986.exe | 86
PID 2176 wrote to memory of 4808 | 2176 | y7962986.exe | 94
PID 2176 wrote to memory of 4808 | 2176 | y7962986.exe | 94
PID 2176 wrote to memory of 4808 | 2176 | y7962986.exe | 94

Every write goes from a parent into the child it has just launched (3188 → 3528 → 2176 → 1664 and 4808), consistent with the process tree below; there is no write into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe"
  PID: 3188
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3389223.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3389223.exe
    PID: 3528
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7962986.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7962986.exe
      PID: 2176
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4028986.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4028986.exe
        PID: 1664
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3177548.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3177548.exe
        PID: 4808
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Neither mapping is backed by confirmed persistence: the Run-key entry rests on the wextract_cleanup RunOnce values, which are IExpress cleanup, and no service creation appears anywhere in the signature list above.
Downloads

Filesize: 748KB
MD5: fc97d61eeeddb56f41b8de123737f501
SHA1: d1bc89e883aafe9b77676c30625886fc70838d85
SHA256: 28cd0114cfa1522e984db394edf1b1f0914543d5f0ff871893d8878274238e28
SHA512: fbfb393ef3d4555f2e89052ecc4a0a2d17c58c126606ac42210836f16500898be83b511590ed420795d3bd4c5dae8074d03b3aab35ad42ad429d40da2d0ba732

Filesize: 304KB
MD5: afdecd7d32467df31c9353496918f411
SHA1: ed3124ac449a66d7c27aed410353accf00510d28
SHA256: a5ffe10d687eac9f2771bb59b5337594baec47d92b8e3ebc4c01d3d916e05478
SHA512: 0f55c37c5e56064c92b9b069779e2879ad6409ff546b44f971bece0f74ae6ce99e18fd44177e17eaded6f8e2a790f7ae7d84511dabec4906a3c25700988556dc

Filesize: 183KB
MD5: 75df6a4aaf5c63bc4f42ac5ec8ecc76a
SHA1: 8d9da11aa11364c1b580b12faa446403f527ff83
SHA256: d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05
SHA512: 72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Filesize: 145KB
MD5: cf63b13eb092a69f74be861904e7d695
SHA1: 31cfcf910573da78bd89cf507de0ba4fe5227daf
SHA256: 7b946a95ba449082ae7d118dfb8ce7a1e92c2f859878c4be5ec842af63a2b81e
SHA512: a4255f0902197a577d2b94ca48f8e137b065ec927c569f1413c746976526abed26555c954c9cdbc27dab13b786184cd846c19ddf548f233b864e0a84cc0fa43d