Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 07:42
General
-
Target
13243e4dd58e70de2748aff5360c6262fe2a6de7562acb1334b8a8adbb876f33.exe
-
Size
829KB
-
MD5
913d70432f75c66b7dcd9eecf8b40cf4
-
SHA1
f8fe21e3f16add7a4e1a53fd4e234fb58c060189
-
SHA256
13243e4dd58e70de2748aff5360c6262fe2a6de7562acb1334b8a8adbb876f33
-
SHA512
f050ddb67a87e1e835c9f84df51b0c0414e69f5c2d1c4ab457d4b10e1d8cd73201b8c3b5d4c999021470a7462b3d24037f1cac7b5841ec0e0076fd40fe163dbc
-
SSDEEP
24576:zy9MQf/lrMhhOGq+jePBjR/y/fYLOR46qzL:Gz/g/qzBj5ycw46qz
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13243e4dd58e70de2748aff5360c6262fe2a6de7562acb1334b8a8adbb876f33.exe"C:\Users\Admin\AppData\Local\Temp\13243e4dd58e70de2748aff5360c6262fe2a6de7562acb1334b8a8adbb876f33.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qa9086.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qa9086.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Dp36NP.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Dp36NP.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
493KB
MD54e12b27e76eee475c71c97e7605189e1
SHA18ffa9990378c671bb1aa1a383faf3f379be9dc22
SHA256db21740645cd50ba7cb29dd0c12276f93f62ee46a8dedc543a4b7f0707501f72
SHA51225594a635639bc85e29f11b2387c6bd481ae661b9707c73af8eb8afc680c9b22dc3e032886695d3f2c563d60b1bc8438f7e7158640167ebb92b7a55d0e3b5715
-
Filesize
1.3MB
MD5ffffe2b896151e16693766e66bc275c7
SHA1bdb15b4e0f77f0c3de9150d8749495415d9105c8
SHA256dd9cf361116b093d20f2dc89d9507de4b93a93c5e195791a3dc205d0dec54e02
SHA5125505453cd63b80561bf78d1f263a2728ad1d0797135a0f03380649a104a62ddd5ab904ff699d291a792de2c13d06e39a6e2761cb4ed7282ee5b616d2adf56060
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB