Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/05/2024, 10:50 UTC

General

  • Target

    09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe

  • Size

    1.1MB

  • MD5

    a27c8f92315fff917e750c7b89355067

  • SHA1

    f65c7a885fddf4bf583dbab9bc512e789aaba54b

  • SHA256

    09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1

  • SHA512

    e73ce1b88e20897d61bb259b0ca7110684c734add5ca22f7ed919a9d1fe711dd42a2b58b4a8c359463e29720770ae2ec12d9853d6be390d2f0eafff828219364

  • SSDEEP

    24576:eyHOpuii4QQInraJDD2qk1cFF7K6AFjv6ojMmDo9kQaYo:tHUi4QTraDD2qk1a0fzBVWx

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe
    "C:\Users\Admin\AppData\Local\Temp\09d331a688384c2805b4ec4c498f7514d5a4bc6b953eff0ac62ec7820785b5e1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:3368
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:4836
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              5⤵
              • Creates scheduled task(s)
              PID:2172
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
      1⤵
        PID:4612

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        133.211.185.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.211.185.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        249.197.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        249.197.17.2.in-addr.arpa
        IN PTR
        Response
        249.197.17.2.in-addr.arpa
        IN PTR
        a2-17-197-249.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        138.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        138.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-nl
        GET
        https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        23.62.61.72:443
        Request
        GET /th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 999
        date: Fri, 24 May 2024 10:55:06 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.443d3e17.1716548106.59f52e6
      • flag-us
        DNS
        26.35.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.35.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        72.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        72.61.62.23.in-addr.arpa
        IN PTR
        Response
        72.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-72.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        21.236.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.236.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.197.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.197.17.2.in-addr.arpa
        IN PTR
        Response
        240.197.17.2.in-addr.arpa
        IN PTR
        a2-17-197-240.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        57.169.31.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        57.169.31.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        88.16.208.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        88.16.208.104.in-addr.arpa
        IN PTR
        Response
      • 23.62.61.72:443
        https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.4kB
        6.2kB
        16
        11

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 194.49.94.152:50500
        3sL90Yq.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        3sL90Yq.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        3sL90Yq.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        3sL90Yq.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        3sL90Yq.exe
        260 B
        5
      • 194.49.94.152:19053
        AppLaunch.exe
        260 B
        5
      • 194.49.94.152:50500
        3sL90Yq.exe
        260 B
        5
      • 194.49.94.152:50500
        3sL90Yq.exe
        156 B
        3
      • 194.49.94.152:19053
        AppLaunch.exe
        104 B
        2
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        133.211.185.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        133.211.185.52.in-addr.arpa

      • 8.8.8.8:53
        249.197.17.2.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        249.197.17.2.in-addr.arpa

      • 8.8.8.8:53
        138.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        138.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        26.35.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        26.35.223.20.in-addr.arpa

      • 8.8.8.8:53
        72.61.62.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        72.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        21.236.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        21.236.111.52.in-addr.arpa

      • 8.8.8.8:53
        240.197.17.2.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        240.197.17.2.in-addr.arpa

      • 8.8.8.8:53
        57.169.31.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        57.169.31.20.in-addr.arpa

      • 8.8.8.8:53
        88.16.208.104.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        88.16.208.104.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy9Wu12.exe

        Filesize

        951KB

        MD5

        a9240895ad74b577be2ee119b6ce26b3

        SHA1

        08d4ed8edb3e31f28825e1d9569a420c364e82c9

        SHA256

        590781ab10dae129b785a23be4d59a1f2d8f009b5f1e36837b28476888a2cf6d

        SHA512

        575a7f2f3422b4b03729799d29611dcbcededfdba73bf7cf59fc01210d296baeaa4361bb41d0319faa1e74a6e1b139ea5179ab3f1679dda3224ed1250d2cfef9

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up9UQ42.exe

        Filesize

        828KB

        MD5

        2db43090bdae85d7f7fb362871e06f50

        SHA1

        97337af110d5c0f19bf06ec791289bcb99eb9cef

        SHA256

        58becc941136b16ffc11fbbd32f8c7d974c1e9ba55b20eba908de3993a08f84f

        SHA512

        1e6a44527db294294474c5ef96c1d2781dc22ce7a3f7656da70f680bcac19e3320e8eb01f7fdb2bf3a56856a950549e777946e281e5163815515fd0c245f8a59

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ax0352.exe

        Filesize

        493KB

        MD5

        0c1e38c6de88c2c301d606e22cfddda6

        SHA1

        1027e56b9ec0d1e5ee38b288ad93112bc361ad91

        SHA256

        d3bee4ed07ba1d7e19eb809ff54293f23e15c75cc96a9300d1551d7c81caab7e

        SHA512

        c54a62b387ef4fb454131e7106352a065ed97558097bd342d5974352753285e8d60139ae6ae28bef8010d5abf29e8ed9c361880125a31b092345fc379d33170e

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3sL90Yq.exe

        Filesize

        1.3MB

        MD5

        4a7fbc3312c329d8a1359b467fe3c39c

        SHA1

        6158f71b301bcebdd1149f0f2ea8c7620a45aa16

        SHA256

        89541d92fa8b702286107e3df24bf1397fe5811e55caf90a8127a76f732aff7e

        SHA512

        8ef55599ab59e7f1f2d40cdeee20fec633f79b744e2fda48bf22a34d46279456449899d8cd68c1bedf46a79866ced84c6aaa0b7df0d6d8f5e2169147517a3c14

      • memory/3368-32-0x0000000006E30000-0x0000000006EC2000-memory.dmp

        Filesize

        584KB

      • memory/3368-31-0x0000000007340000-0x00000000078E4000-memory.dmp

        Filesize

        5.6MB

      • memory/3368-21-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/3368-34-0x0000000002240000-0x000000000224A000-memory.dmp

        Filesize

        40KB

      • memory/3368-35-0x0000000007F10000-0x0000000008528000-memory.dmp

        Filesize

        6.1MB

      • memory/3368-36-0x00000000078F0000-0x00000000079FA000-memory.dmp

        Filesize

        1.0MB

      • memory/3368-37-0x0000000006F40000-0x0000000006F52000-memory.dmp

        Filesize

        72KB

      • memory/3368-38-0x00000000071C0000-0x00000000071FC000-memory.dmp

        Filesize

        240KB

      • memory/3368-39-0x0000000007200000-0x000000000724C000-memory.dmp

        Filesize

        304KB