Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 05:33
General
-
Target
a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe
-
Size
954KB
-
MD5
2007fd745de85725bd3c50bc100af3dc
-
SHA1
be0942dfed4466f4181936016cc020ed72918fb6
-
SHA256
a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74
-
SHA512
ca2e84396e623838f7900a2c73f28d5a5675c179a462878232c618234c7f68f1f3e4eb6003f9c9fdacc0bcb7849d2385e63422aa640d6fe3244db49481cc9973
-
SSDEEP
24576:Ky0CNEQDcgkWfaKBfZh59btIafN7V9joSiS5nYI:RSqjflZttIaV7V9ESR1
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe"C:\Users\Admin\AppData\Local\Temp\a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sp4ZI53.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sp4ZI53.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VQ2365.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VQ2365.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PV31YF.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PV31YF.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
830KB
MD558d5924c8c0acef45b18bf42a994da8b
SHA1bba62e10bf6adae3505d3b763a7b813d9a667716
SHA2568537fc97d931d0e62896e54756e1cdd774b1b68e20fd7281a207198467c01e4a
SHA5122ae7e900f50253e72f8bcd190ad7c106fbae4cc18d23607ffb4dd05115409ebf3faca2a5f433ada5431145457f396d1f254017a6aab22052ccd29d36cbf8d92d
-
Filesize
493KB
MD57d79538bfe9cdb9fe4e443d8bf18a9c7
SHA12a61a55ad50a0d72a5b3d46ea67635dc1baf1c6f
SHA25656b84e843fbce4f42e562ecc2b617e416847a61fa63c9f6a4263a9af04e457a5
SHA5129fe34f033c306188a7c3ffe8b3e549722ac09ae31de7ecfe37e9ca24713e07450980821d9bd0136a450b201fa77d9238885dfa1841b940c05ef6f7e8770992a1
-
Filesize
1.3MB
MD5a1e76c4ab37080c7e7c2e14b7e865c58
SHA1d19418b430208cc0a92b3992c0ed7a3840aae9c9
SHA256fb22f95db8d25b023d81ffcd63ea4b9f0f0d3041a0c8007f9be6dd87e564598b
SHA512a8587ba394a212902364ef3ff10354f8cc4397f1066a46481518b4be9c8de5f363d763bbe12c7771037599c8b68923ea8a18d1693054d884e7fe2d0796271609
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB