Overview
overview
10Static
static
304a0e65087...2d.exe
windows10-2004-x64
100b23052e1d...05.exe
windows10-2004-x64
101319d83702...15.exe
windows10-2004-x64
1015bb5ac797...dd.exe
windows10-2004-x64
1019eb5c3dd8...ec.exe
windows10-2004-x64
102864919e9f...b7.exe
windows10-2004-x64
102f05412e59...2c.exe
windows10-2004-x64
103fd9e44b8d...84.exe
windows10-2004-x64
104920924329...b6.exe
windows10-2004-x64
106d6ab7a20c...33.exe
windows10-2004-x64
106e839edc16...b0.exe
windows10-2004-x64
106ff00efb56...f0.exe
windows10-2004-x64
107018985aa0...8e.exe
windows10-2004-x64
107b28b5b2ff...4e.exe
windows10-2004-x64
1093bee57b71...41.exe
windows10-2004-x64
10a22d19b8f1...9a.exe
windows10-2004-x64
10af3432152c...8d.exe
windows10-2004-x64
10bf27d39d4b...d1.exe
windows10-2004-x64
10db87d25edb...b5.exe
windows10-2004-x64
10f935568ec0...6c.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0b23052e1def21c0e818780565a7776ae96e61597a9cf4ab1fc690daa4a85105.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1319d8370208b00e5260cfc0b8f145575c62bd43ab6f76605a992afeb6737f15.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2864919e9fd253aa62ab37d5b02410fa89dd3ead4618da0b908d3b41e73167b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
4920924329af964d29e90b0bd3763c20450919411ad6b6ddabfd88061a7555b6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
Resource
win10v2004-20240226-en
General
-
Target
93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
-
Size
1.1MB
-
MD5
58fbe2631b6d26d8eb1373d1b0f26a38
-
SHA1
aa924759ffbcd271588b7377a27cea3fe79f66f3
-
SHA256
93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741
-
SHA512
a0d72c2adae3f592268316d1ef117dd3f3d17ddfa616f2fb1a313a8c71683adc9ad7cf92f4b3ab0a370f0d9a15730a190443506220b23bc13877d901761fe373
-
SSDEEP
24576:myMppGdEcszyiSpAlNAj7m21oy0+F4+Z3P6d:1hdQGiSC8j79oy/P
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral15/memory/3964-21-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3kY76da.exe -
Executes dropped EXE 4 IoCs
pid Process 1392 HY2Tw95.exe 3200 PS4LJ88.exe 1656 2Qn2920.exe 3628 3kY76da.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" HY2Tw95.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" PS4LJ88.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" 3kY76da.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1656 set thread context of 3964 1656 2Qn2920.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3020 1656 WerFault.exe 84 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4848 schtasks.exe 2528 schtasks.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3788 wrote to memory of 1392 3788 93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe 82 PID 3788 wrote to memory of 1392 3788 93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe 82 PID 3788 wrote to memory of 1392 3788 93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe 82 PID 1392 wrote to memory of 3200 1392 HY2Tw95.exe 83 PID 1392 wrote to memory of 3200 1392 HY2Tw95.exe 83 PID 1392 wrote to memory of 3200 1392 HY2Tw95.exe 83 PID 3200 wrote to memory of 1656 3200 PS4LJ88.exe 84 PID 3200 wrote to memory of 1656 3200 PS4LJ88.exe 84 PID 3200 wrote to memory of 1656 3200 PS4LJ88.exe 84 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 1656 wrote to memory of 3964 1656 2Qn2920.exe 96 PID 3200 wrote to memory of 3628 3200 PS4LJ88.exe 100 PID 3200 wrote to memory of 3628 3200 PS4LJ88.exe 100 PID 3200 wrote to memory of 3628 3200 PS4LJ88.exe 100 PID 3628 wrote to memory of 4848 3628 3kY76da.exe 101 PID 3628 wrote to memory of 4848 3628 3kY76da.exe 101 PID 3628 wrote to memory of 4848 3628 3kY76da.exe 101 PID 3628 wrote to memory of 2528 3628 3kY76da.exe 103 PID 3628 wrote to memory of 2528 3628 3kY76da.exe 103 PID 3628 wrote to memory of 2528 3628 3kY76da.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe"C:\Users\Admin\AppData\Local\Temp\93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HY2Tw95.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HY2Tw95.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PS4LJ88.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PS4LJ88.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qn2920.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qn2920.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:3964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1525⤵
- Program crash
PID:3020
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kY76da.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3kY76da.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST5⤵
- Creates scheduled task(s)
PID:4848
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST5⤵
- Creates scheduled task(s)
PID:2528
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1656 -ip 16561⤵PID:4144
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
935KB
MD5715af9e0fa391a3d89c64a8c17441ca7
SHA1fa139edca516b272b219dd23ff501ad075a29350
SHA256fd64949d9133bba652eb8e11de0b5f198d4a7b6c9951de795e989e18d3c017a4
SHA5121a7847882fb7bb6ce1db4366615fb1640f6831febfd1e8afded03ee84b7de84b6baafe5ab46db44050aa8907dacb7bebc7a58d2dbbf65f375f8708577c1e7eb5
-
Filesize
810KB
MD5b24d7df0e0bfa791f3a99e4528e9467b
SHA19bae7881e957679c6a9c17852178194007a75ce0
SHA256a1b17fae66eb378bd1944cc86d1bcf13e33d2c15b691e2ea16b5c912abdcd96a
SHA51278923c94012bde1f301cd35ff9d0e95c71a63c72b1a3eb0b0b39497d7b1d6782836fe9253535211c211028ec549c9115cc8cec9a39370be1a639a3a45711f10a
-
Filesize
432KB
MD5d4de764755bafc9310eb13c86a3d40ec
SHA170123c5f93e6a533719e8478e266eff88dd0eb38
SHA256680bf8b502fb1d3ede6ee0870483e78f91a3809900b338cb870a8ea1cfc32584
SHA512193eaf85f79a0758098ecbc7af861ebd35619b4004febebce23c7dd0563b0a43f51e3da7336f6c485dc3289648d05c9022bb3573c73d86522f720f5aa993c953
-
Filesize
1.3MB
MD5f87f58e9f64b7cee2d55c18059f49eef
SHA1b6fd66c89608f2a357cc026040e721c2ef6bfa5d
SHA2567dcb0469d44b2e01bffdd0da57ad2cba3dcd144d7317cfd38c5b0d14ee39d059
SHA512b208251d5424c5bac8d92b62de539ce3a9ff90b624372402d36b85c10f92a4a0e5c4e8291f5bdb3c363350b1ce362f1d97493d9de63968ce5dd2c45e61d2288b