Analysis
-
max time kernel
109s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 13:05
Static task
static1
Behavioral task
behavioral1
Sample
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe
Resource
win10v2004-20241007-en
General
-
Target
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe
-
Size
479KB
-
MD5
90a36657350916d24776e38c71043820
-
SHA1
a8eb65a18d5b0736b5b0abed76ea2e79abfe6411
-
SHA256
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48
-
SHA512
1e57db1b3b60633988a80b03dd02d1e2dfeb6447fa9ea267034de1dd50dd9f090a1db0d427a607ba41b42fcb8b45c51de8f6a0570d2ef04fc511cd89809fb34f
-
SSDEEP
12288:8z2/F3bj2fsc9W2YulMgUz0JJZqeA6ebOhr14TaNsZZK7N:G6Fxclyhze3qJOj4TaKZZK
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3804-2155-0x0000000005880000-0x00000000058B2000-memory.dmp family_redline behavioral2/files/0x0002000000022b11-2160.dat family_redline behavioral2/memory/4136-2169-0x00000000007D0000-0x00000000007FE000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe -
Executes dropped EXE 1 IoCs
Processes:
1.exepid Process 4136 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1372 3804 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe1.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exedescription pid Process Token: SeDebugPrivilege 3804 2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exedescription pid Process procid_target PID 3804 wrote to memory of 4136 3804 2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe 86 PID 3804 wrote to memory of 4136 3804 2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe 86 PID 3804 wrote to memory of 4136 3804 2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe"C:\Users\Admin\AppData\Local\Temp\2e029af2e2e92161dc56d8b8238308dacea1ed482d8a24ddb17e5c12ed737a48N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4136
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 14682⤵
- Program crash
PID:1372
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3804 -ip 38041⤵PID:4524
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf