Analysis
-
max time kernel
137s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 20:38
Static task
static1
Behavioral task
behavioral1
Sample
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe
Resource
win10v2004-20241007-en
General
-
Target
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe
-
Size
574KB
-
MD5
f623a489680149872f07998675be89df
-
SHA1
9f9e633f612c9004c203c22b1de96990e033314a
-
SHA256
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce
-
SHA512
9ba70c46d6006b7c19a04790fabe5ecf19008e72d025c50768f014999611fa59800f4884586d4f27f82e01efc64f7e266591a007b97e1b72b3dad2aa9ec8cea0
-
SSDEEP
6144:SJm3F0a3IQIfRRc8Uf+9YbUtj7a4CQ3gtNssR8Z+n/Su0miJEoMsfhVbeSxfq:SJm10a3IQu5UWaojW4VvEZSJ9MsZ
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2916-2154-0x0000000005770000-0x00000000057A2000-memory.dmp family_redline behavioral2/files/0x000c000000023b0a-2160.dat family_redline behavioral2/memory/2560-2168-0x00000000006A0000-0x00000000006CE000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe -
Executes dropped EXE 1 IoCs
Processes:
1.exepid Process 2560 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5784 2916 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1.exe286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exedescription pid Process Token: SeDebugPrivilege 2916 286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exedescription pid Process procid_target PID 2916 wrote to memory of 2560 2916 286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe 86 PID 2916 wrote to memory of 2560 2916 286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe 86 PID 2916 wrote to memory of 2560 2916 286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe"C:\Users\Admin\AppData\Local\Temp\286427088efeecda9092b7304bfe9ae54dade93b99673ae5387d4db74e2cbdce.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 8522⤵
- Program crash
PID:5784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2916 -ip 29161⤵PID:5712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf