Overview

overview

10

Static

static

3

0eb0accf09...b2.exe

windows10-2004-x64

10

24941336d0...72.exe

windows10-2004-x64

10

26a2cda7a1...98.exe

windows10-2004-x64

10

29d3a95944...db.exe

windows10-2004-x64

10

2d75908c07...9b.exe

windows10-2004-x64

7

33aed805e1...e6.exe

windows10-2004-x64

10

40d8e0aa1d...18.exe

windows10-2004-x64

7

48cb6f7d0b...c9.exe

windows10-2004-x64

10

542eb4afaa...9a.exe

windows10-2004-x64

7

6f328c3e1d...2a.exe

windows10-2004-x64

10

74692ca9aa...ea.exe

windows10-2004-x64

10

759eb38c21...de.exe

windows10-2004-x64

10

858cb57de5...0c.exe

windows10-2004-x64

10

9bd29cf05e...27.exe

windows10-2004-x64

10

b0555f3c53...33.exe

windows10-2004-x64

7

bde148bc51...21.exe

windows10-2004-x64

10

c7e81c0377...b0.exe

windows7-x64

10

c7e81c0377...b0.exe

windows10-2004-x64

10

d0c5f5c327...0e.exe

windows10-2004-x64

10

d165dd7703...70.exe

windows7-x64

10

d165dd7703...70.exe

windows10-2004-x64

10

d9645ca9ce...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a.exe

  • Size

    936KB

  • MD5

    384142bba3fe5feebabb59a1013abf4e

  • SHA1

    63005b7752afd90117e435958a088af26189f279

  • SHA256

    6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a

  • SHA512

    ef57a899e63b4311e98810cc9e998d8c3571699a959bb0b381905dc8313364c93ed7c051511078d4aa65d800ae5fc5ef0f81861adc423ecf889521979d097f4d

  • SSDEEP

    24576:ky/TRNN+q1jO/oCxkTtJepAZU/4eWGgkQAdT0:z/F6ql/6kT7epAZUQwQ

Score
10/10
privateloaderredlineriseprohordainfostealerloaderpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Extracted

Family

risepro

C2

194.49.94.152

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a.exe
    "C:\Users\Admin\AppData\Local\Temp\6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb8gF87.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb8gF87.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Vw8985.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Vw8985.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3800
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 140
            4⤵
            • Program crash
            PID:536
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Po53uq.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Po53uq.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3304
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:1852
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:4268
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
      1⤵
        PID:4132
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2276 -ip 2276
        1⤵
          PID:4336

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb8gF87.exe
          Filesize

          812KB

          MD5

          7657c88eae4d0432ed71184a0669b9b7

          SHA1

          4cbdbeb161797261e75b382d1b94868df170044d

          SHA256

          76a6ad4f431353be132b7c4d03a364e1647fb475176098af59fa92d11c32cff2

          SHA512

          5d5abc7a9f859a1e850af78185d54fdb1b3b61ce41f43ae1dc6311bdc1c3192eb5746c6e6aadbe530be35113ad3af41e3eaeef12c9896ba14a7df0665b002f95

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Vw8985.exe
          Filesize

          432KB

          MD5

          a9a6971dd545d36b0eb1b139cd49f2ca

          SHA1

          bcd249c8f1993e8a015ff9a62d874424cdb8fe2e

          SHA256

          a051e6a0aa2923bb10264d1769fc635193597f6104b0d653892c7f37e89a5af7

          SHA512

          1422647c45ff3c4ed2b60d88f9f03cdf0b82f52c4057ce4dfd6e78d499475638518d5f5d826b6c4d533e60d068b4d23653885076f3ed0f8f33fd3ed08ef105db

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Po53uq.exe
          Filesize

          1.3MB

          MD5

          36678dd4c57a0b051ae2d8d3e59b6084

          SHA1

          53f90dc0855c4a1f7a06251521beb29c0f31a1c3

          SHA256

          3967b1109aa40ae878befa7d99d59364c67bef2ae53716ac71c7bf8327a7074a

          SHA512

          95c393e273f64f066d0b5dc3c87248e14df0b1dd55e3c12298f8fe4226ab9e2d366f20e9e7f62f79007f2d38afb8f37fa3f9d5799388dbac1e5b289b38569425

          Download Submit

        • memory/3800-18-0x0000000003390000-0x000000000339A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3800-16-0x00000000082C0000-0x0000000008864000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3800-17-0x0000000007DF0000-0x0000000007E82000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3800-15-0x000000007413E000-0x000000007413F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3800-14-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3800-24-0x0000000008E90000-0x00000000094A8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3800-29-0x0000000008870000-0x000000000897A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3800-30-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3800-31-0x0000000008000000-0x000000000803C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3800-33-0x0000000008060000-0x00000000080AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3800-34-0x000000007413E000-0x000000007413F000-memory.dmp

          Filesize

          4KB

          Download