Overview
overview
10Static
static
30314c3cf58...62.exe
windows10-2004-x64
10142ed11f80...59.exe
windows10-2004-x64
101f54336cee...4f.exe
windows10-2004-x64
102470f02746...37.exe
windows10-2004-x64
10357dca1dd0...e2.exe
windows7-x64
10357dca1dd0...e2.exe
windows10-2004-x64
10367729c840...03.exe
windows10-2004-x64
103ae8cc733e...e3.exe
windows10-2004-x64
103ff87c5bd0...30.exe
windows10-2004-x64
104157cda315...a6.exe
windows10-2004-x64
105f318080c6...ea.exe
windows10-2004-x64
10620f9ee1b4...8f.exe
windows10-2004-x64
106817354347...3a.exe
windows10-2004-x64
10753cdc12b9...91.exe
windows10-2004-x64
10a4215d26b6...74.exe
windows10-2004-x64
10a4375e040f...82.exe
windows10-2004-x64
10a619ae77d5...2e.exe
windows10-2004-x64
10aaab139650...12.exe
windows10-2004-x64
10aefec08eba...49.exe
windows10-2004-x64
10d12f5fa25c...70.exe
windows10-2004-x64
7e5b42981fd...65.exe
windows10-2004-x64
10Analysis
-
max time kernel
136s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 09:02
Static task
static1
Behavioral task
behavioral1
Sample
0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe
Resource
win10v2004-20240426-en
General
-
Target
a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe
-
Size
954KB
-
MD5
2007fd745de85725bd3c50bc100af3dc
-
SHA1
be0942dfed4466f4181936016cc020ed72918fb6
-
SHA256
a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74
-
SHA512
ca2e84396e623838f7900a2c73f28d5a5675c179a462878232c618234c7f68f1f3e4eb6003f9c9fdacc0bcb7849d2385e63422aa640d6fe3244db49481cc9973
-
SSDEEP
24576:Ky0CNEQDcgkWfaKBfZh59btIafN7V9joSiS5nYI:RSqjflZttIaV7V9ESR1
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral15/memory/3984-14-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3PV31YF.exe -
Executes dropped EXE 3 IoCs
pid Process 2840 Sp4ZI53.exe 4804 2VQ2365.exe 4156 3PV31YF.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" 3PV31YF.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Sp4ZI53.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4804 set thread context of 3984 4804 2VQ2365.exe 104 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4492 schtasks.exe 4632 schtasks.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 632 wrote to memory of 2840 632 a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe 92 PID 632 wrote to memory of 2840 632 a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe 92 PID 632 wrote to memory of 2840 632 a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe 92 PID 2840 wrote to memory of 4804 2840 Sp4ZI53.exe 93 PID 2840 wrote to memory of 4804 2840 Sp4ZI53.exe 93 PID 2840 wrote to memory of 4804 2840 Sp4ZI53.exe 93 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 4804 wrote to memory of 3984 4804 2VQ2365.exe 104 PID 2840 wrote to memory of 4156 2840 Sp4ZI53.exe 105 PID 2840 wrote to memory of 4156 2840 Sp4ZI53.exe 105 PID 2840 wrote to memory of 4156 2840 Sp4ZI53.exe 105 PID 4156 wrote to memory of 4492 4156 3PV31YF.exe 106 PID 4156 wrote to memory of 4492 4156 3PV31YF.exe 106 PID 4156 wrote to memory of 4492 4156 3PV31YF.exe 106 PID 4156 wrote to memory of 4632 4156 3PV31YF.exe 108 PID 4156 wrote to memory of 4632 4156 3PV31YF.exe 108 PID 4156 wrote to memory of 4632 4156 3PV31YF.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe"C:\Users\Admin\AppData\Local\Temp\a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sp4ZI53.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sp4ZI53.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VQ2365.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VQ2365.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:3984
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PV31YF.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PV31YF.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
PID:4492
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
PID:4632
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵PID:968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
830KB
MD558d5924c8c0acef45b18bf42a994da8b
SHA1bba62e10bf6adae3505d3b763a7b813d9a667716
SHA2568537fc97d931d0e62896e54756e1cdd774b1b68e20fd7281a207198467c01e4a
SHA5122ae7e900f50253e72f8bcd190ad7c106fbae4cc18d23607ffb4dd05115409ebf3faca2a5f433ada5431145457f396d1f254017a6aab22052ccd29d36cbf8d92d
-
Filesize
493KB
MD57d79538bfe9cdb9fe4e443d8bf18a9c7
SHA12a61a55ad50a0d72a5b3d46ea67635dc1baf1c6f
SHA25656b84e843fbce4f42e562ecc2b617e416847a61fa63c9f6a4263a9af04e457a5
SHA5129fe34f033c306188a7c3ffe8b3e549722ac09ae31de7ecfe37e9ca24713e07450980821d9bd0136a450b201fa77d9238885dfa1841b940c05ef6f7e8770992a1
-
Filesize
1.3MB
MD5a1e76c4ab37080c7e7c2e14b7e865c58
SHA1d19418b430208cc0a92b3992c0ed7a3840aae9c9
SHA256fb22f95db8d25b023d81ffcd63ea4b9f0f0d3041a0c8007f9be6dd87e564598b
SHA512a8587ba394a212902364ef3ff10354f8cc4397f1066a46481518b4be9c8de5f363d763bbe12c7771037599c8b68923ea8a18d1693054d884e7fe2d0796271609