Analysis
-
max time kernel
111s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 06:57
Static task
static1
Behavioral task
behavioral1
Sample
1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe
Resource
win10v2004-20241007-en
General
-
Target
1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe
-
Size
590KB
-
MD5
e00e7badafe8e2d70a585c0bf566ccf1
-
SHA1
8ba207eefcc1b90b34bf23a0068740b0a0548308
-
SHA256
1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729
-
SHA512
17e2829dfd98030303339a4c040776c185ec6c605ab918db615e659241ba82be99ae60e3e7de59404ff7d578650ba6fc7e1207f80f28bb37688c3a9412fee7c0
-
SSDEEP
12288:jy90VlksIHAyctATZU57pCp/BQ2QBMMzj38g:jyczpFyG+mj38g
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
dante
185.161.248.73:4164
-
auth_value
f4066af6b8a6f23125c8ee48288a3f90
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2692-2161-0x00000000059C0000-0x00000000059F2000-memory.dmp family_redline behavioral1/files/0x000a00000001e57d-2166.dat family_redline behavioral1/memory/2760-2174-0x0000000000DE0000-0x0000000000E0E000-memory.dmp family_redline behavioral1/files/0x000a000000023b8f-2188.dat family_redline behavioral1/memory/824-2190-0x00000000003E0000-0x0000000000410000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation p14837422.exe -
Executes dropped EXE 3 IoCs
pid Process 2692 p14837422.exe 2760 1.exe 824 r91041821.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5908 2692 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language p14837422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language r91041821.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2692 p14837422.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3132 wrote to memory of 2692 3132 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe 84 PID 3132 wrote to memory of 2692 3132 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe 84 PID 3132 wrote to memory of 2692 3132 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe 84 PID 2692 wrote to memory of 2760 2692 p14837422.exe 88 PID 2692 wrote to memory of 2760 2692 p14837422.exe 88 PID 2692 wrote to memory of 2760 2692 p14837422.exe 88 PID 3132 wrote to memory of 824 3132 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe 95 PID 3132 wrote to memory of 824 3132 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe 95 PID 3132 wrote to memory of 824 3132 1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe"C:\Users\Admin\AppData\Local\Temp\1cb3b0520c927b8da3fa5eeef14d4565466accc1681b45d0c9035c031851f729.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p14837422.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p14837422.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 13763⤵
- Program crash
PID:5908
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r91041821.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r91041821.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:824
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2692 -ip 26921⤵PID:5820
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
530KB
MD54ed68a3e7843bf34d04316803787e754
SHA1f38a086d4fc31ac2f481bdbbf06b98bb99221520
SHA256bd701ed09d1080f8ee8468140bb05b34de48d61ede3e975f827655699dabc9ed
SHA5123fddd5dd76c8e431d8f4b2bfbc9599c0c4e4d411f0fbea19c440944e7d2a2e0e2e7b027907a5181192fd78d8bfa19ddfe3087ba334ebe9b107127296f60c223c
-
Filesize
168KB
MD5e05373f06c517d980a561efd0c262413
SHA1ce6b368bfc32c1c0e854f013cd89ad48c184c7c7
SHA256bac5dfa56ac5e7cf4fce5d05c7bda101581080ab37487d79aea82d6ee5601364
SHA51240c16b933699af7bd07392458a610e15db4244644edab770fd0b0a75dca0a72d54a26715bb93b3b2e405d355354fd8f2579b36eac6a7eeab2b769151ab03b607
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf