Analysis
-
max time kernel
108s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 13:11
Static task
static1
Behavioral task
behavioral1
Sample
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe
Resource
win10v2004-20241007-en
General
-
Target
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe
-
Size
495KB
-
MD5
a21b885d1c93757439bc051ce74c6b0a
-
SHA1
b54bfecc7a957d921f20b8dfe7aeacd9850926fa
-
SHA256
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6
-
SHA512
b24b1c21db2d9b6ffecda6c2cabf3f19d788a8f4e20206fb1e1b6f09348f397b80dace8c87f1e90d6c6c96c28c8f1475887d47563ed08e93de10d30a98483a9c
-
SSDEEP
12288:nVYT8EAmbt0A7Y85j9z54lIZwbyjDQxj2xlNU/CqoMipj:nVQymh0kYJEGCDGMMfoHpj
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4112-2089-0x0000000002C10000-0x0000000002C42000-memory.dmp family_redline behavioral2/files/0x0008000000023c74-2094.dat family_redline behavioral2/memory/3096-2103-0x0000000000040000-0x0000000000070000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe -
Executes dropped EXE 1 IoCs
Processes:
1.exepid Process 3096 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5628 4112 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe1.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exedescription pid Process Token: SeDebugPrivilege 4112 9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exedescription pid Process procid_target PID 4112 wrote to memory of 3096 4112 9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe 87 PID 4112 wrote to memory of 3096 4112 9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe 87 PID 4112 wrote to memory of 3096 4112 9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe"C:\Users\Admin\AppData\Local\Temp\9f44d8cc712852876e236b9278a24df969f146f8c91140116ef0b4cf031b5be6.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 13042⤵
- Program crash
PID:5628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4112 -ip 41121⤵PID:5444
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0