Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 14:45
General
-
Target
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe
-
Size
1.1MB
-
MD5
70af13c890c5081da2091516841af307
-
SHA1
594f38460e233676ee60e09a0e7bc6e0c4dd2428
-
SHA256
89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562
-
SHA512
31104d94f244cb8ad36559f88ce9226733124cfa0db10d286c716c79794695f3e791e9e16622f8741c16c1b3982fd45bd9acf0390ea4cbb6f7f6d062ad73bd8d
-
SSDEEP
24576:CyNsrxUbbGlC5nHLNyoupccfuC7Px0riP+hniTx1Ej/N5bHFIo:pNskbNxyo3jGx0g+64zND
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe"C:\Users\Admin\AppData\Local\Temp\89cc8588fdd283d65796d258d20da78cc3e96dda70483c000ab1ff1232fa5562.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 5925⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3728,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 27641⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lj6Or14.exeFilesize
935KB
MD5f3d3fecc283f8e49955e88d854317dac
SHA162fefc860b7d771ed0f4438c154afa023b57c08c
SHA256eb300507c0cb513e33ef94544a3bf1af4f33be74a2ca70db2cfd63e858e75f46
SHA51272cd7f7e263123c28804f4c18ab03e0927a571bc1466f2b1b20e222c04d29e3af7d8edb113e0da2f3cac0f892ff09bf09edfbcb9ed2f56b1742f58f9ea204e5f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ya0RB62.exeFilesize
811KB
MD56acaccecbbe4ea4b2c84bf37b06175bc
SHA1b1108780fde8d55c8c716917f472d4726f609b28
SHA2565a6c444580d38a5947dcd7fdb7a8242bdd49c5dd54977d7058aa9a156d5abc83
SHA512e004cb7ba2b7331f0c9d40e33099c2425390edd75a8232828f311f3093fa298776a73fec98c512bcb07efcd0c046f00f0a1b510aa97ddfa4e5bffa722958df22
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ig9315.exeFilesize
432KB
MD5dc5470255181f2d8c3988607e68e2838
SHA1428a5c0b4cbacce664843c8b8dc853bcdaa42978
SHA2568a6a397ce0ce2f6dffb085e47055049758d8fd637f4f4fd7a5d23d377ad35639
SHA512660cbdc6d8679d2114ce589cde2e9625ac357c6c1546bd2ec6795efc88b5fcb41bad839b84204d142ea1ef38c001b0f77c6cb23567593a38be7c53588d9c6b7d
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rS28GF.exeFilesize
1.3MB
MD534563154d1a2a2b7599086eac6ee3913
SHA121283fbd85cf0372834cd90b29caa4d7d56a7717
SHA2566a9fbce30079f4c2c23ff213b1b7971ae41fa35db94a12db4e11cdaf53d24629
SHA512e785daab62b4b057e83555373ddafb54ef708299ae618c3307ba02536e40897354b042e5214a965daf8500419e684a518606a0eb14215c0aa5a7b607cd066318
-
memory/1452-24-0x00000000049D0000-0x00000000049DA000-memory.dmpFilesize
40KB
-
memory/1452-23-0x0000000007400000-0x0000000007492000-memory.dmpFilesize
584KB
-
memory/1452-22-0x0000000007910000-0x0000000007EB4000-memory.dmpFilesize
5.6MB
-
memory/1452-21-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1452-34-0x00000000084E0000-0x0000000008AF8000-memory.dmpFilesize
6.1MB
-
memory/1452-35-0x0000000007740000-0x000000000784A000-memory.dmpFilesize
1.0MB
-
memory/1452-36-0x00000000075D0000-0x00000000075E2000-memory.dmpFilesize
72KB
-
memory/1452-38-0x0000000007670000-0x00000000076AC000-memory.dmpFilesize
240KB
-
memory/1452-39-0x00000000076B0000-0x00000000076FC000-memory.dmpFilesize
304KB