Analysis

Max time kernel: 139s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/11/2023, 11:20

Static task: static1
Behavioral task: behavioral1
Sample: 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe
Resource: win10v2004-20231023-en
General

Target: 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe
Size: 1.1MB
MD5: d7b87eeedb079ef8ecefdbe3b35ba3f0
SHA1: 510b4f732541dc7e9de573b905d4caa06037c5e2
SHA256: 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf
SHA512: 65274041ddf2ead4af7e1b87848ba7d4708fff97c383c7b7277b7d629b35cb3a6b8b328d13aa807e7c1856d3ca8dcae5af51b67d65cecbdef5b99800863d6e13
SSDEEP: 24576:YyypR8zly/ndgziz1gXy5ksWJwdJKgsJl6fYKp1:fypAQnbgX2kt6fYo
Malware Config

Extracted (redline)
  Botnet: horda
  C2: 194.49.94.152:19053

Extracted (risepro)
  C2: 194.49.94.152
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/3416-7-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline

Executes dropped EXE (2 IoCs)
pid | Process
2032 | 11kT9627.exe
2132 | 12GG299.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ipinfo.io
11 | ipinfo.io

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2032 set thread context of 3416 | 2032 | 11kT9627.exe | 86
PID 2132 set thread context of 4772 | 2132 | 12GG299.exe | 93

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AppLaunch.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4772 | AppLaunch.exe
4772 | AppLaunch.exe
3416 | AppLaunch.exe
3416 | AppLaunch.exe
3416 | AppLaunch.exe
3416 | AppLaunch.exe
3416 | AppLaunch.exe
3416 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3416 | AppLaunch.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 4860 wrote to memory of 2032 | 4860 | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe | 83
PID 4860 wrote to memory of 2032 | 4860 | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe | 83
PID 4860 wrote to memory of 2032 | 4860 | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe | 83
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 2032 wrote to memory of 3416 | 2032 | 11kT9627.exe | 86
PID 4860 wrote to memory of 2132 | 4860 | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe | 88
PID 4860 wrote to memory of 2132 | 4860 | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe | 88
PID 4860 wrote to memory of 2132 | 4860 | 3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe | 88
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93
PID 2132 wrote to memory of 4772 | 2132 | 12GG299.exe | 93

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f46d3d7657c6346c4e31286e01f58c36e91b7b83d90bab05ce13d06bee5d4bf.exe"
  PID: 4860
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11kT9627.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11kT9627.exe
    PID: 2032
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 3416
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12GG299.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12GG299.exe
    PID: 2132
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4772
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: 242a70c0c3dd2517105474e3847eaa41
SHA1: 6aa4cadbea1d20343bbe5098442259c4fa5b0183
SHA256: 3076e8c8112dc433f56d855a74fd0e0a580919ceb18483d487572f1a5a82ce8a
SHA512: 8a4e7f5ae407c89f2cbf4a3c2b5098c42062cdff4a8609de37d9297aa75ac84af0947a7250e705db4d841666f90596271f5bfaf64386c3425a6bfdc70576ad04

Filesize: 2.4MB
MD5: 97cae72c322ece1665723d35726c61b7
SHA1: 33fa26314a155951e0a6235bce1e30ac8bd39bda
SHA256: 0e2b28cd6e46f898e0a8ae9cb38d970c26a6fd4c7147ed3eb93206daade5a46c
SHA512: ccc6290ed89ee117ae9de11bbc8a18e6a06448d6a8a57738730e31c432a2c032f430c47acd5f36c3dbcbd5e976e96ecd4dbd6b09218c99161ebb8462cd8916c1

Filesize: 3KB
MD5: ee3add0d19b08ab7e5d920010c87de0e
SHA1: fd5284226248764195d36cd5015ea7247474a4ff
SHA256: 5dfcdc15223f39309b66060c524aaec6278c707fb528da6c86ca1919b1848933
SHA512: d8d7496eee26499770f2614422276f01c6b6c3b91754ce4aef4a28126b3cdc9163dc5cd433ac81f38c9dacb57ba8397735fbcca514b1d961c459c67016cb12bf