redline | 7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe
Size

307KB
MD5

4bd1fe91ce3733f08aaeceb10778c944
SHA1

82d9ca12c3f0025b070f326fb388e876876a2f5c
SHA256

7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b
SHA512

870be95f233d8aa277c2cc428d4fca02d2b6bf61aafc7425a83bb123f2ace371a783fd024e43d73e8410ed531f5d45499478ea705da5396967ffe497c666f46b
SSDEEP

6144:Kjy+bnr+2p0yN90QEnwSAlkPGP+sJWbKXm:dMrGy90CrkP3o/Xm

Score

10^/10

redline dumud discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000023b9d-5.dat	family_redline
behavioral1/memory/4808-8-0x0000000000450000-0x0000000000480000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 1 IoCs

pid	Process
4808	g9511408.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g9511408.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4808	1116	7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe	83
PID 1116 wrote to memory of 4808	1116	7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe	83
PID 1116 wrote to memory of 4808	1116	7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe	83

C:\Users\Admin\AppData\Local\Temp\7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe
"C:\Users\Admin\AppData\Local\Temp\7d09cb6f631f4caa17ea77571824c1ebc7f687c02420e8055ebc53a72f10a99b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g9511408.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g9511408.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g9511408.exe

Filesize
168KB

MD5
e34ec6b2a643085071d89d8867340811

SHA1
4e10bde66acacf846632fddbf3f2913e5ee7728b

SHA256
d63114558c43a27d78c11eab7ddc35f6ebf7f6447cc8f3a25b17b1518a3f742f

SHA512
219e73524318616080d1367d6d649a0590aec880ddae7c8f97c1b23b9c4d4db6d96e797f1d8c75a5137bdce0b55f8cc0df20c5a555413d847e24a760adb952e4

Download Submit
memory/4808-7-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/4808-8-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/4808-9-0x0000000000C30000-0x0000000000C36000-memory.dmp

Filesize
24KB

Download
memory/4808-10-0x000000000A940000-0x000000000AF58000-memory.dmp

Filesize
6.1MB

Download
memory/4808-11-0x000000000A430000-0x000000000A53A000-memory.dmp

Filesize
1.0MB

Download
memory/4808-12-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/4808-13-0x000000000A3A0000-0x000000000A3DC000-memory.dmp

Filesize
240KB

Download
memory/4808-14-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/4808-15-0x00000000027E0000-0x000000000282C000-memory.dmp

Filesize
304KB

Download
memory/4808-16-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/4808-17-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads