Analysis
-
max time kernel
148s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
11/11/2024, 11:00
Static task
static1
Behavioral task
behavioral1
Sample
ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe
Resource
win10v2004-20241007-en
General
-
Target
ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe
-
Size
376KB
-
MD5
7ab6db8160f105a7f87eddeb491da431
-
SHA1
59e01e693541b8c355526ae97b36fa94f4bbc5ba
-
SHA256
ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb
-
SHA512
e22b332a89a6eb4749e993af39f2df6d3bdae50697a6b79c0488aa1aad3269072d7a4a950d85c546c9f6a0d950b5195702f30b2caf86bc80ca20169b5c10a0c8
-
SSDEEP
6144:K7y+bnr+Op0yN90QEQet819q/r8SEcGoBT5TZrQb36zytBjmK:5MrGy901219qjJzG/76zytBjF
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023c69-12.dat | family_redline
behavioral1/memory/664-15-0x0000000000E60000-0x0000000000E88000-memory.dmp | family_redline
-
Redline family
-
Executes dropped EXE 2 IoCs
pid | Process
3516 | x3144207.exe
664 | g2362005.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x3144207.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x3144207.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2362005.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2612 wrote to memory of 3516 | 2612 | ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe | 83
PID 2612 wrote to memory of 3516 | 2612 | ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe | 83
PID 2612 wrote to memory of 3516 | 2612 | ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe | 83
PID 3516 wrote to memory of 664 | 3516 | x3144207.exe | 84
PID 3516 wrote to memory of 664 | 3516 | x3144207.exe | 84
PID 3516 wrote to memory of 664 | 3516 | x3144207.exe | 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe
"C:\Users\Admin\AppData\Local\Temp\ed94161be05e412bbc756d228e23af65e9b00329a3af64471cb5d87d0d932deb.exe" 1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2612
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3144207.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3144207.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3516
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2362005.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2362005.exe 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 664
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
204KB
MD5
7b44eb70515094744f3ddc2196dce439
SHA1
6107563379902fd195b9506ee863756f3f6f982f
SHA256
f50647a1a7c5956a42e7c64dc728c378867f22f50b25731dc012b1620f376128
SHA512
5f9eea400018380c6aea35f6511d747d347810e4abbcbf075eb89452849ea32c883f1714cf3357d1e7244ff0affdb849db43c8a449b6718fa617eebdfcbde1ae
-
Filesize
136KB
MD5
700f12a0cf80290016ec436cbf1325a4
SHA1
b0014ad2c582271450e5987ed30929ea1ebd1f0c
SHA256
ac4f7f5d95cef824c563ef4c955be59b77ab421726e4608e7f3bae36f7757499
SHA512
3619d5b9a884f5dd3f9c890bf380009b16235a467d68b50ba241d27f52ceeb47a99907ea1ef3944bf4c73f564f3f9931a01ee61f2f57b3ec4a35fafaf1fe089d