Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 18:47
General
-
Target
16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0.exe
-
Size
1.4MB
-
MD5
c2b04fbeb2611c15bdb5a55b47bb6675
-
SHA1
2c21a5848c237d1fd171cd788e5c4a0bf9b990fc
-
SHA256
16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0
-
SHA512
1769369ad7a8d445ba23da9c1aadb065101bca1656329eb454f64414eab873be895df470fd571e8777fc5836a3e4cc82a0e7798f85321efe8de2a003243d1e26
-
SSDEEP
24576:XyJ+jSTeTLVcPbco+tQAx69bZfkYzP89dkQHnCAys50R8IH:iJ+jSTeTL+PbUnExU3CAsR8
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0.exe"C:\Users\Admin\AppData\Local\Temp\16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hq2OZ35.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hq2OZ35.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sx8Ym41.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sx8Ym41.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gy7268.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gy7268.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3RJ81vb.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3RJ81vb.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST5⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hq2OZ35.exeFilesize
1.2MB
MD52d0c662657f8e4e86cda4ffebac880e2
SHA1030ea4f01ca68d3757ba218e37f982ef76d09ebf
SHA2566387fb65c79f680dd09397ad45b4d9fc54e6c09ae8aea107c3d9425716eb7fba
SHA512fbbb6086022fccaa144190b750b3188fd943c6b000961eed72b9dce25b06ac8dbd7828e969ecbf9852fe5bbf68ffda80069dc4742c2abe188807986dfe96d6c1
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sx8Ym41.exeFilesize
1.1MB
MD51d27bd571049766515c6475c2ca57fb4
SHA1830b8cf6ab988cc1f965a9240fc1baf93186129b
SHA25615b01fe0740b07587b34c40b152e381dc29f5eedf4e7cb9b0307fda2177f87b0
SHA512abf0d6788940080d880116bf7f211e8b0140b3386fcd011b31a7e47378e1b43dc491eddd0291330b4039174b00031b09706b9d3012c339f78ed13fc9c16a507a
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2gy7268.exeFilesize
1.9MB
MD5cb2fc4892530b25677483b972cccd2b6
SHA1ee981f7c87e3a4123fc1797194d39f2a82adf8e8
SHA256da434dfcb3b21fd5fd49eccf066013e9732d7ca9aba22eaf611b01f98c053a6a
SHA5128dbf73c9e1337b15acf6d9fc916221d25db161db812430d9a424a36743f6535a547625113aa42000211865548c1c7fee70a70703f2593e26471f9efd9966fe02
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3RJ81vb.exeFilesize
1.3MB
MD57bab316954f445b2018f3bc00afd8fe0
SHA13a32272024261cbe0c1a091204bcf0248fb370d8
SHA2562524b087f03d3de46ae1350d9edf881af5c8c2f92bffa1ed709b72e86bdde1d8
SHA512b09ff12bc2bc00c5672b919221865113d285c5d4b586c798c9697f0d7fd358e897bd684eaf7b39a7cae091761598d0b1ced6d8dec37ccffa39881b27e3945953
-
memory/1468-32-0x0000000007630000-0x00000000076C2000-memory.dmpFilesize
584KB
-
memory/1468-31-0x0000000007B40000-0x00000000080E4000-memory.dmpFilesize
5.6MB
-
memory/1468-21-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1468-34-0x0000000002B50000-0x0000000002B5A000-memory.dmpFilesize
40KB
-
memory/1468-35-0x0000000008710000-0x0000000008D28000-memory.dmpFilesize
6.1MB
-
memory/1468-36-0x00000000079A0000-0x0000000007AAA000-memory.dmpFilesize
1.0MB
-
memory/1468-37-0x00000000076F0000-0x0000000007702000-memory.dmpFilesize
72KB
-
memory/1468-38-0x0000000007750000-0x000000000778C000-memory.dmpFilesize
240KB
-
memory/1468-39-0x0000000007890000-0x00000000078DC000-memory.dmpFilesize
304KB