3 00081e34e8...ea.exe
windows10-2004-x64
10 03c5b52913...29.exe
windows10-2004-x64
10 119de5a5cb...31.exe
windows10-2004-x64
10 1d1b24f346...2d.exe
windows10-2004-x64
10 3a50f05cf8...e5.exe
windows10-2004-x64
10 47e26a3424...26.exe
windows10-2004-x64
10 5cb2e3146e...38.exe
windows10-2004-x64
7 5f31ea5f4e...b6.exe
windows10-2004-x64
10 691f866dcf...9a.exe
windows10-2004-x64
10 69d4397e3b...21.exe
windows10-2004-x64
10 793977371c...71.exe
windows10-2004-x64
10 823d46bb20...3e.exe
windows10-2004-x64
10 89cc8588fd...62.exe
windows10-2004-x64
10 98c86667f1...3f.exe
windows10-2004-x64
10 9f2ebdaf30...d3.exe
windows10-2004-x64
10 ad2c12e934...be.exe
windows10-2004-x64
10 c07f7b11ef...de.exe
windows10-2004-x64
10 c2b3007441...41.exe
windows10-2004-x64
10 c2c2bc25ff...d6.exe
windows7-x64
10 c2c2bc25ff...d6.exe
windows10-2004-x64
10 c8ec968939...44.exe
windows10-2004-x64
10 cfdd198480...c6.exe
windows10-2004-x64
10 e74ebb8467...40.exe
windows10-2004-x64
10 e7cf07de33...a0.exe
windows10-2004-x64
10 e8089d2898...9f.exe
windows10-2004-x64
10 f298002951...fc.exe
windows7-x64
10 f298002951...fc.exe
windows10-2004-x64
10 f9420469aa...4f.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
24-05-2024 12:33
Static task
static1
Behavioral task
behavioral1
Sample
00081e34e876bca12f70718201cced140ead03a90881cda32a50f9f68a256cea.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
119de5a5cbeeed307dc04cbf5ded4da088737541cdaebdb15683088ea4151d31.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1d1b24f346602e2379272d189cb2e6e1b03f832a0f4cef4aa550aeda03407c2d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
3a50f05cf835b0751cd1bf42e4980ad9f9e3c83a3629331a0cdf1ed1240874e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
5f31ea5f4eff3ab14ef031f762f9d4bbea7989361e08a9f023d0687a4139f8b6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
691f866dcf8672a185591df3654e1023bf55156531bb957ebf2d01b38adccd9a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
69d4397e3b55b04c8e1679751f0367e5ee1956dca9f17aa05804b89140026921.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
793977371c7b2f0c227ab38879d056d2d4121073f5f9a8204a60ac2f3238a471.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
823d46bb2009cf2d0669fdc864873d4184fbb02cc2836de9d352750179eec13e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
98c86667f1ebf054c7f37dbaadbc5346fa4eb658c90ca2b27f18fc9a73e1e23f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
9f2ebdaf308ea075223c735a2bda214b336c9e5b85e7eea51d6f701c535414d3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
ad2c12e934ce4a8c4fdd4abf52a21352a8456bc150312c8642d1528f0b44ebbe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
c07f7b11efb87573ed231edeeb982fc58c253f72387321ec3736463e6ea4a7de.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
c2b30074415b46d19f46cfb5af14cc647a982661dec4c01c99d01c052a77bc41.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
c2c2bc25ff713469ab99ce4873da4568ff91920dd5f18365b0bccc99f89f52d6.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
c2c2bc25ff713469ab99ce4873da4568ff91920dd5f18365b0bccc99f89f52d6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
c8ec96893956dfddde7afe6387866ad1e9246e552dd28a3b5af097fc3b5ced44.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
cfdd1984803e69136f3df9a29df5f12b0e779369443871fd786a34fa68317ec6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
e74ebb8467d5d586d2a4f3c223c158072e53cabf7285466f9a7ad66a30412d40.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
e7cf07de33635cc163ae13ce8b8adfe9ec1289ef2a77d4635c1b02bd7bd80aa0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
e8089d289872dff0d032ef9544f3019d0bb5fcff11996290619e1de6d78c7c9f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral26
Sample
f298002951f275351953751a44b736ad2cdb679a2cd29bda1f4f65facb4944fc.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
f298002951f275351953751a44b736ad2cdb679a2cd29bda1f4f65facb4944fc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral28
Sample
f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
Resource
win10v2004-20240508-en
General
-
Target
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
-
Size
1.1MB
-
MD5
70af13c890c5081da2091516841af307
-
SHA1
594f38460e233676ee60e09a0e7bc6e0c4dd2428
-
SHA256
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562
-
SHA512
31104d94f244cb8ad36559f88ce9226733124cfa0db10d286c716c79794695f3e791e9e16622f8741c16c1b3982fd45bd9acf0390ea4cbb6f7f6d062ad73bd8d
-
SSDEEP
24576:CyNsrxUbbGlC5nHLNyoupccfuC7Px0riP+hniTx1Ej/N5bHFIo:pNskbNxyo3jGx0g+64zND
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule
behavioral13/memory/1564-21-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
Drops startup file 1 IoCs
Processes:
3rS28GF.exe
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 3rS28GF.exe -
Executes dropped EXE 4 IoCs
Processes:
lj6Or14.exe Ya0RB62.exe 2Ig9315.exe 3rS28GF.exe
pid process
4224 lj6Or14.exe
232 Ya0RB62.exe
3404 2Ig9315.exe
1632 3rS28GF.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe lj6Or14.exe Ya0RB62.exe 3rS28GF.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" lj6Or14.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Ya0RB62.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" 3rS28GF.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2Ig9315.exe
description pid process target process
PID 3404 set thread context of 1564 3404 2Ig9315.exe AppLaunch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target process target process
5056 3404 WerFault.exe 2Ig9315.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe schtasks.exe
pid process
4432 schtasks.exe
5032 schtasks.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe lj6Or14.exe Ya0RB62.exe 2Ig9315.exe 3rS28GF.exe
description pid process target process
PID 840 wrote to memory of 4224 840 89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe lj6Or14.exe
PID 840 wrote to memory of 4224 840 89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe lj6Or14.exe
PID 840 wrote to memory of 4224 840 89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe lj6Or14.exe
PID 4224 wrote to memory of 232 4224 lj6Or14.exe Ya0RB62.exe
PID 4224 wrote to memory of 232 4224 lj6Or14.exe Ya0RB62.exe
PID 4224 wrote to memory of 232 4224 lj6Or14.exe Ya0RB62.exe
PID 232 wrote to memory of 3404 232 Ya0RB62.exe 2Ig9315.exe
PID 232 wrote to memory of 3404 232 Ya0RB62.exe 2Ig9315.exe
PID 232 wrote to memory of 3404 232 Ya0RB62.exe 2Ig9315.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 3404 wrote to memory of 1564 3404 2Ig9315.exe AppLaunch.exe
PID 232 wrote to memory of 1632 232 Ya0RB62.exe 3rS28GF.exe
PID 232 wrote to memory of 1632 232 Ya0RB62.exe 3rS28GF.exe
PID 232 wrote to memory of 1632 232 Ya0RB62.exe 3rS28GF.exe
PID 1632 wrote to memory of 5032 1632 3rS28GF.exe schtasks.exe
PID 1632 wrote to memory of 5032 1632 3rS28GF.exe schtasks.exe
PID 1632 wrote to memory of 5032 1632 3rS28GF.exe schtasks.exe
PID 1632 wrote to memory of 4432 1632 3rS28GF.exe schtasks.exe
PID 1632 wrote to memory of 4432 1632 3rS28GF.exe schtasks.exe
PID 1632 wrote to memory of 4432 1632 3rS28GF.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
"C:\Users\Admin\AppData\Local\Temp\89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe" 1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe 3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe 4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" 5⤵
PID:1564
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 596 5⤵
- Program crash
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe 4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST 5⤵
- Creates scheduled task(s)
PID:5032 -
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST 5⤵
- Creates scheduled task(s)
PID:4432
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404 1⤵
PID:4932
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
935KB
MD5 f3d3fecc283f8e49955e88d854317dac
SHA1 62fefc860b7d771ed0f4438c154afa023b57c08c
SHA256 eb300507c0cb513e33ef94544a3bf1af4f33be74a2ca70db2cfd63e858e75f46
SHA512 72cd7f7e263123c28804f4c18ab03e0927a571bc1466f2b1b20e222c04d29e3af7d8edb113e0da2f3cac0f892ff09bf09edfbcb9ed2f56b1742f58f9ea204e5f
-
Filesize
811KB
MD5 6acaccecbbe4ea4b2c84bf37b06175bc
SHA1 b1108780fde8d55c8c716917f472d4726f609b28
SHA256 5a6c444580d38a5947dcd7fdb7a8242bdd49c5dd54977d7058aa9a156d5abc83
SHA512 e004cb7ba2b7331f0c9d40e33099c2425390edd75a8232828f311f3093fa298776a73fec98c512bcb07efcd0c046f00f0a1b510aa97ddfa4e5bffa722958df22
-
Filesize
432KB
MD5 dc5470255181f2d8c3988607e68e2838
SHA1 428a5c0b4cbacce664843c8b8dc853bcdaa42978
SHA256 8a6a397ce0ce2f6dffb085e47055049758d8fd637f4f4fd7a5d23d377ad35639
SHA512 660cbdc6d8679d2114ce589cde2e9625ac357c6c1546bd2ec6795efc88b5fcb41bad839b84204d142ea1ef38c001b0f77c6cb23567593a38be7c53588d9c6b7d
-
Filesize
1.3MB
MD5 34563154d1a2a2b7599086eac6ee3913
SHA1 21283fbd85cf0372834cd90b29caa4d7d56a7717
SHA256 6a9fbce30079f4c2c23ff213b1b7971ae41fa35db94a12db4e11cdaf53d24629
SHA512 e785daab62b4b057e83555373ddafb54ef708299ae618c3307ba02536e40897354b042e5214a965daf8500419e684a518606a0eb14215c0aa5a7b607cd066318