Overview
overview
10Static
static
3006388190d...bb.exe
windows10-2004-x64
100254882920...b5.exe
windows10-2004-x64
10059acceaf9...4e.exe
windows10-2004-x64
1023e52eabfc...16.exe
windows10-2004-x64
10346c48a087...17.exe
windows10-2004-x64
103a559db9fb...76.exe
windows10-2004-x64
103bd30de35b...fb.exe
windows10-2004-x64
104563b46d64...3c.exe
windows10-2004-x64
1045ab0e1069...0f.exe
windows10-2004-x64
10545f251975...f8.exe
windows10-2004-x64
105bd9b291d7...ab.exe
windows10-2004-x64
105e70f35516...00.exe
windows10-2004-x64
107348ee4e4e...6d.exe
windows10-2004-x64
108b460dc8cc...29.exe
windows10-2004-x64
10928c96df1b...ca.exe
windows10-2004-x64
10972fcfe587...1d.exe
windows10-2004-x64
10a025c0e619...2e.exe
windows10-2004-x64
10bc0667bb8d...75.exe
windows10-2004-x64
10cf82c35e0a...89.exe
windows10-2004-x64
10fbe2b19c30...62.exe
windows10-2004-x64
10Analysis
-
max time kernel
137s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:20
Static task
static1
Behavioral task
behavioral1
Sample
006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe
Resource
win10v2004-20240508-en
General
-
Target
23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe
-
Size
1.1MB
-
MD5
75d611b9fdd12ae96644de5080557ebd
-
SHA1
dada87e4a3a6c66fdf05bf523ec00f78e9aaa389
-
SHA256
23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616
-
SHA512
df51455190cf4b9406cc3181277aff2342cbcfc9946e2ccba145de5adcd908db4af944e1d3182cdfc154f50f6c5bd34d6010359168090d5cbb941ff09f1edb00
-
SSDEEP
12288:gMrTy90Wp2ABf9NNsOYroRyNVdB31qvOJfAPgLslvr7BCuxxJMU0vLmuxLeMNmrn:jy1pRxsOYUqBQgLOVCYB0inrqjfwq7G
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral4/memory/1968-7-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 1568 11nv7377.exe 4956 12Cb362.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1568 set thread context of 1968 1568 11nv7377.exe 92 PID 4956 set thread context of 4812 4956 12Cb362.exe 95 -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3908 wrote to memory of 1568 3908 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe 90 PID 3908 wrote to memory of 1568 3908 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe 90 PID 3908 wrote to memory of 1568 3908 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe 90 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 1568 wrote to memory of 1968 1568 11nv7377.exe 92 PID 3908 wrote to memory of 4956 3908 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe 93 PID 3908 wrote to memory of 4956 3908 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe 93 PID 3908 wrote to memory of 4956 3908 23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe 93 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95 PID 4956 wrote to memory of 4812 4956 12Cb362.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe"C:\Users\Admin\AppData\Local\Temp\23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11nv7377.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11nv7377.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:1968
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Cb362.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12Cb362.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:4812
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:81⤵PID:4240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD57f6fdf9a57f86e5d97e09819c54f6ba5
SHA16630157c09222becffd31b2d4dce1cf85ac9ad27
SHA256e05a919c536c57fa2df8322bb933dbee8be944948037f2c1ad0c33a578360db5
SHA5128b7dff8afeb200b0f2750a1a1846049ad6adbffd31881f9c1971218b53c8136d9eddaaca7d779a22ca3b130880146b3122499c40e330aa53eb0ecc8572a393a2
-
Filesize
2.4MB
MD565414c15777b4924b10e5bbbb39bdb5c
SHA1f7a09d9281e6437d5fde7035a18a65725ca3c7d9
SHA256173587e99ac1b5878321cfbf73bb9db6122f4db0fb9e03ae488269abdba4b8f1
SHA512f0f205c08c68b35a899b205dac03a759e98769340ea96ac8263148125b824f5d778a1d2473a80e23a1ca6f451b1accee6c77fbe28efef25d3bf28a5e93a20e7d