Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-11-2024 04:19
Static task: static1
Behavioral task: behavioral1
- Sample: f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe
- Resource: win10v2004-20241007-en
General
- Target: f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe
- Size: 794KB
- MD5: f2a151c4b095000d4c6d1a0c276eec63
- SHA1: 74309b9b8e23c32c68567f047f08848948c8226b
- SHA256: f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006
- SHA512: 7212435dea8950b02f8caaeee8fe457f8857395a6be799dfaba2b04fd0c9d1a26b0263e1f93e6919dbdc44a06d34967e3b95a2e46f54c80b8c229bcbe1836454
- SSDEEP: 12288:Xy90o5fjM8sqZaYn3NYinn8DUrR5jwF7Pehwnep2zH98uIEqqSJaZAyXMF:Xy7LShiddnBReF72hPp2zagPcKn8F
Malware Config
Extracted
- Family: redline
- Botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07
Extracted
- Family: redline
- Botnet: dante
- C2: 185.161.248.73:4164
- auth_value: f4066af6b8a6f23125c8ee48288a3f90
Two RedLine configurations were recovered. Both point at the same C2 endpoint but carry different botnet tags and auth_value tokens, so the chain contains two separately built RedLine payloads rather than one payload seen twice.
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1004-2170-0x0000000005290000-0x00000000052C2000-memory.dmp  family_redline
behavioral1/files/0x0002000000022dcd-2175.dat                                  family_redline
behavioral1/memory/2456-2183-0x00000000002D0000-0x00000000002FE000-memory.dmp  family_redline
behavioral1/files/0x0007000000023c67-2194.dat                                  family_redline
behavioral1/memory/4024-2196-0x00000000006B0000-0x00000000006E0000-memory.dmp  family_redline
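The IoC list above answers two analyst questions once it is parsed: which dropped processes actually held the unpacked RedLine payload (and are therefore the ones to dump), and how large each matched region was. The Python below is an added example, not part of the sandbox report or its vendor's tooling. The path format is taken from the lines above, the DROPPED mapping is copied from the "Executes dropped EXE" signature in this report, and the sandbox's own files/0x....dat identifiers are treated as opaque names rather than on-disk filenames.

```python
import re

# The five "RedLine payload" IoCs from this report, copied verbatim.
YARA_HITS = """\
behavioral1/memory/1004-2170-0x0000000005290000-0x00000000052C2000-memory.dmp family_redline
behavioral1/files/0x0002000000022dcd-2175.dat family_redline
behavioral1/memory/2456-2183-0x00000000002D0000-0x00000000002FE000-memory.dmp family_redline
behavioral1/files/0x0007000000023c67-2194.dat family_redline
behavioral1/memory/4024-2196-0x00000000006B0000-0x00000000006E0000-memory.dmp family_redline
"""

# pid -> image name, from the "Executes dropped EXE" IoCs in this report.
DROPPED = {4940: "x16235829.exe", 1004: "m26977204.exe",
           2456: "1.exe", 4024: "n67329753.exe"}

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$")
# <task>/files/<sandbox file id>.dat <rule>   (the id is the sandbox's, not a filename)
FILE_RE = re.compile(r"^(?P<task>\w+)/files/(?P<name>\S+)\s+(?P<rule>\S+)$")


def parse_yara_hits(text, dropped=DROPPED):
    """Parse IoC lines into dicts; memory hits get pid, image, region and size."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid = int(m["pid"])
            start, end = int(m["start"], 16), int(m["end"], 16)
            hits.append({"kind": "memory", "task": m["task"], "pid": pid,
                         "image": dropped.get(pid, "<not a dropped exe>"),
                         "start": start, "end": end, "size": end - start,
                         "rule": m["rule"]})
            continue
        m = FILE_RE.match(line)
        if m:
            hits.append({"kind": "file", "task": m["task"], "name": m["name"],
                         "rule": m["rule"]})
            continue
        raise ValueError(f"unrecognised IoC line: {line!r}")
    return hits


def payload_processes(hits, rule="family_redline"):
    """Distinct (pid, image) pairs whose memory matched the rule, i.e. the
    processes worth dumping to recover an unpacked RedLine build."""
    return sorted({(h["pid"], h["image"]) for h in hits
                   if h["kind"] == "memory" and h["rule"] == rule})


if __name__ == "__main__":
    parsed = parse_yara_hits(YARA_HITS)
    for h in parsed:
        if h["kind"] == "memory":
            print(f"pid {h['pid']:>5} {h['image']:<15} "
                  f"0x{h['start']:08X}-0x{h['end']:08X} "
                  f"({h['size'] // 1024} KiB) {h['rule']}")
        else:
            print(f"dropped file {h['name']} {h['rule']}")
    print("payload processes:", payload_processes(parsed))
```

The three memory regions are each under 200 KiB and sit in the three processes the report marks as dropped executables (m26977204.exe, 1.exe, n67329753.exe); the two file hits are the sandbox's identifiers for dropped files, which the Downloads section lists by hash.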
Redline family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  m26977204.exe
Executes dropped EXE (4 IoCs)
pid   Process
4940  x16235829.exe
1004  m26977204.exe
2456  1.exe
4024  n67329753.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x16235829.exe
Caveat: a RunOnce value named wextract_cleanupN that runs advpack.dll,DelNodeRunDLL32 is the standard self-cleanup mechanism of WEXTRACT (IExpress) self-extracting cabinets; at the next logon it deletes the IXP00N.TMP directory the cabinet was extracted into. These two entries therefore do not make the payload survive a reboot. What they do show is that the submitted file and x16235829.exe are both IExpress-packaged droppers, one nested inside the other, which is why the chain unpacks into IXP000.TMP and then IXP001.TMP.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid   pid_target  Process       procid_target
1764  1004        WerFault.exe  87
The crashing process (pid 1004) is m26977204.exe, the stage that performs the Geo\Nation lookup and spawns C:\Windows\Temp\1.exe.
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x16235829.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  m26977204.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  n67329753.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1004  m26977204.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                 procid_target
PID 1992 wrote to memory of 4940  1992  f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe  85  (3 identical entries)
PID 4940 wrote to memory of 1004  4940  x16235829.exe                                                           87  (3 identical entries)
PID 1004 wrote to memory of 2456  1004  m26977204.exe                                                           91  (3 identical entries)
PID 4940 wrote to memory of 4024  4940  x16235829.exe                                                           97  (3 identical entries)
Each writer/target pair matches a parent/child edge in the process tree below, so these writes accompany the creation of the dropped child processes rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe (PID 1992)
   command line: "C:\Users\Admin\AppData\Local\Temp\f68d6cb535e5147094dbdd414898898444284288d04acc4e477d8bce5a929006.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x16235829.exe (PID 4940)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x16235829.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m26977204.exe (PID 1004)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m26977204.exe
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Temp\1.exe (PID 2456)
            command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
         4. C:\Windows\SysWOW64\WerFault.exe (PID 1764)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 988
            - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n67329753.exe (PID 4024)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n67329753.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
1. C:\Windows\SysWOW64\WerFault.exe (PID 4852)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1004 -ip 1004
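Read together with the RunOnce and Geo\Nation signatures, the process tree above is a two-level WEXTRACT (IExpress) self-extractor chain: the submitted file unpacks into IXP000.TMP and runs x16235829.exe, which is itself an IExpress package that unpacks into IXP001.TMP and runs the two payload stages. The Python below is an added example, not from the report or the sandbox vendor, showing detection logic over a constructed, sandbox-style event stream modelled on that tree. It treats a wextract_cleanup RunOnce write as the marker of an SFX stage, only scores children that were actually launched from that stage's extraction directory, and reports a nested SFX and a dropped stage that queries Geo\Nation; a single-level IExpress installer (the constructed benign control at the end of the event list) produces no finding, because a lone wextract_cleanup entry is normal installer behaviour. The event field names, the event type names and the sample.exe placeholder for the submitted file are this example's own assumptions.

```python
import re

# Constructed sandbox-style event stream modelled on the process tree and the
# registry IoCs in this report. Field names and the ProcessCreate /
# RegSetValue / RegQueryValue event types are this example's own, not a vendor
# schema; "sample.exe" stands in for the submitted file. ppid 0 marks a
# process whose parent is outside the trace.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1992, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"type": "RegSetValue", "pid": 1992,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"type": "ProcessCreate", "pid": 4940, "ppid": 1992,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x16235829.exe"},
    {"type": "RegSetValue", "pid": 4940,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    {"type": "ProcessCreate", "pid": 1004, "ppid": 4940,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m26977204.exe"},
    {"type": "RegQueryValue", "pid": 1004,
     "key": r"HKU\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation"},
    {"type": "ProcessCreate", "pid": 2456, "ppid": 1004,
     "image": r"C:\Windows\Temp\1.exe"},
    {"type": "ProcessCreate", "pid": 4024, "ppid": 4940,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n67329753.exe"},
    # Constructed benign control: a single-level IExpress installer that only
    # schedules its own cleanup and launches nothing from the extraction dir.
    {"type": "ProcessCreate", "pid": 7000, "ppid": 0,
     "image": r"C:\Users\Admin\Downloads\vendor_setup.exe"},
    {"type": "RegSetValue", "pid": 7000,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
]

WEXTRACT_KEY = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
DELNODE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def index_events(events):
    """Fold the event stream into one record per pid."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], {"image": None, "ppid": None,
                                         "sfx_dir": None, "geo_query": False})
        if ev["type"] == "ProcessCreate":
            p["image"], p["ppid"] = ev["image"], ev["ppid"]
        elif ev["type"] == "RegSetValue" and WEXTRACT_KEY.search(ev["key"]):
            m = DELNODE.search(ev["value"])
            if m:
                # The directory WEXTRACT schedules for deletion is the one it
                # extracted its payload into; children launched from it are
                # the dropped stages.
                p["sfx_dir"] = m.group("dir")
        elif ev["type"] == "RegQueryValue" and GEO_NATION.search(ev["key"]):
            p["geo_query"] = True
    return procs


def children_of(procs, pid):
    return [c for c, rec in procs.items() if rec["ppid"] == pid]


def detect_sfx_chain(events):
    """Return findings: ("nested_wextract", parent, child) when a dropped child
    is itself a WEXTRACT stage, and ("geofence_check_in_dropped_stage",
    parent, child) when a dropped child queries Geo\\Nation. A lone
    wextract_cleanup entry is deliberately not a finding."""
    procs = index_events(events)
    findings = []
    for pid, rec in procs.items():
        if not rec["sfx_dir"]:
            continue
        for child in children_of(procs, pid):
            c = procs[child]
            # Only children launched from this stage's own extraction dir count.
            if not (c["image"] and c["image"].lower().startswith(rec["sfx_dir"].lower())):
                continue
            if c["sfx_dir"]:
                findings.append(("nested_wextract", pid, child))
            if c["geo_query"]:
                findings.append(("geofence_check_in_dropped_stage", pid, child))
    return findings


if __name__ == "__main__":
    for kind, parent, child in detect_sfx_chain(EVENTS):
        print(f"{kind}: pid {parent} -> pid {child}")
```

Requiring the child to start from the parent's recorded extraction directory is what keeps the rule quiet on ordinary IExpress installers while still firing on this chain, where the RedLine stages run from IXP001.TMP and the Geo\Nation lookup happens in one of them.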
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 590KB
  MD5: f9e3a65111d019392c669dde69849fce
  SHA1: b909d176092abb48e326693efb3b98db6e906ac9
  SHA256: 7e86465f6fb2829aed84268501fa3a487a32342a1e573171161b2b8c418d6fcf
  SHA512: c956fe98ad6c8ca634a39c0fc61d37fc855b423088fc91af93e0ec8a7fe82ae28ccba8234cd6007fd77bba83d64ab5a03655c4072703fd5c6eb382f747517900
- Filesize: 530KB
  MD5: 5a9a14adba819ca86cc355d9e2c9e3ea
  SHA1: 3bd24a0d125170aab8a6978b1d4a28b184434812
  SHA256: 3b108431dc4184de7baec44c00c877c15191717146994934e467bcb36de4f0f5
  SHA512: 8c9651ca9c2bc81c01baf7f41ccc8ef67348302bb552b28ab9ea54bed06c878ebb93c46526079bc7205c1a342e70d1afec7fbaae9065e1f6b06a884d04337e1b
- Filesize: 168KB
  MD5: c99661e42874fd955ffa441e5ca6ef17
  SHA1: 3e4339200466a25cdaaa72503283866f8341d790
  SHA256: a80b63838431c2841b66344885b529d742a8021ce6850ea5639377ef1080e51f
  SHA512: a761f47312deb2054903cd6b60c512eb0dae4b9b3127bacd5fafcf444e909f9b1a02a1b314f251320eec70941bdb8dd88690e5b8c9322fd0a5b6acc16792d255
- Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf