Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2023, 23:48
Static task: static1
Behavioral task: behavioral1
Sample: 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe
Resource: win10v2004-20231020-en
General
Target: 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe
Size: 1.3MB
MD5: ccdc827488c94ff6961f327f4377ee75
SHA1: 4a0001b0b79cd845ff620dce8db61c869ff77420
SHA256: 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6
SHA512: 1b07454c8ef0a453b899c8a452de55cf907b42ac4f2e1259a523def0932d6ae7780e66a92fadcf96249a82a0539a89655dedfa69735339a2a5273216dfd662a2
SSDEEP: 24576:byMGbzVyPAIujWLOlNCr9CB0Rjw3WqSSvJkQc/tOocsQ:OGPAIujWLOlgs/3W3SR5c/t9
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral1/memory/3360-21-0x0000000000400000-0x000000000043C000-memory.dmp
  yara_rule: family_redline
- Executes dropped EXE (4 IoCs)
  pid 3252  EQ0St86.exe
  pid 4060  GF0GS89.exe
  pid 1356  2bL4397.exe
  pid 3456  4CU033cE.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  process: EQ0St86.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  process: GF0GS89.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  process: 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1356 set thread context of 3360 | 1356 | 2bL4397.exe | 98
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 4132 wrote to memory of 3252 | 4132 | 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe | 85
  PID 4132 wrote to memory of 3252 | 4132 | 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe | 85
  PID 4132 wrote to memory of 3252 | 4132 | 8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe | 85
  PID 3252 wrote to memory of 4060 | 3252 | EQ0St86.exe | 87
  PID 3252 wrote to memory of 4060 | 3252 | EQ0St86.exe | 87
  PID 3252 wrote to memory of 4060 | 3252 | EQ0St86.exe | 87
  PID 4060 wrote to memory of 1356 | 4060 | GF0GS89.exe | 89
  PID 4060 wrote to memory of 1356 | 4060 | GF0GS89.exe | 89
  PID 4060 wrote to memory of 1356 | 4060 | GF0GS89.exe | 89
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 1356 wrote to memory of 3360 | 1356 | 2bL4397.exe | 98
  PID 4060 wrote to memory of 3456 | 4060 | GF0GS89.exe | 99
  PID 4060 wrote to memory of 3456 | 4060 | GF0GS89.exe | 99
  PID 4060 wrote to memory of 3456 | 4060 | GF0GS89.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8d971097448a36d60bcf3114ceb5cb9c057fd1d4b93a1a844bdce8998000fce6.exe"
  PID: 4132
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EQ0St86.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EQ0St86.exe
    PID: 3252
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GF0GS89.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GF0GS89.exe
      PID: 4060
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2bL4397.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2bL4397.exe
        PID: 1356
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 5)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID: 3360
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4CU033cE.exe (depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4CU033cE.exe
        PID: 3456
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: d33472e0a6908c0b93b80635ed9425f8
  SHA1: bb5ab060b73dc5afaa472c18a50306d97dc3fe67
  SHA256: 182858c5e215115927dcb8245a3c8e24c3cde42def0ad3ffec6e2573585f90ca
  SHA512: eaba6575a5834addc698051ed321920017337c6d59bd18a535c0a5b39da3ef793669e0b66985e983d14e7255f1a4adb1bb930f074a22951bdd921d278e401f3b
- Filesize: 952KB
  MD5: 013a502eb89713074cd727e1ea93debe
  SHA1: e04eba3563f2381e143315452a2f109c4d879b5e
  SHA256: e320c6392d3b9d2d12317a4e5950bc3482833bffb2aa2378888ffa09cbec6556
  SHA512: b840c102231b55a5b09f4b63bf644b975834f90dcfa3ee91af27fe18e8a15bb23a9197b4ccc8a1fdd75d4ecd84a0074ef3bb7f19e304d369da82f6209ad4bc3c
- Filesize: 1.2MB
  MD5: 1338742ad5f057af4f1b54724d8f4900
  SHA1: 911e259b9e48b181beeec3f327f7ad0bdd00fa14
  SHA256: 3c8ac14b3c824163e0b5cc518a441523f4f0047f3e22868c2a02ce74543f680f
  SHA512: 5b73b1792d3089b682f6822e3ad4262078851d5b05fa3d0b100b24005b15e7b9108ce3bc13850112429f3671a61904bc69e9fafb4ab94f0462d62aa2e179e351
- Filesize: 1.3MB
  MD5: a3076d7a6f16f63033cc571702c253c9
  SHA1: 8eec50423985781a839c984d35cb71df917bc1d1
  SHA256: d92f80f292ec4d486f238cf5c0e88114c85a281477cb885f8c6b6d4b37f461e8
  SHA512: 2d2c83f1cdc05e52af8b8c012ee679bd688196c513f4ff0d5ab94f23980e432ecaa3dc8c72703c60c0aadf483356fdd79a72263ddc4d8d8075efa7ea80dfa028